smbwall

Andrew Bartlett abartlet at pcug.org.au
Fri Feb 1 13:46:13 GMT 2002


David Lee wrote:
> 
> On Thu, 31 Jan 2002, Andrew Morgan wrote:
> 
> > On 31 Jan 2002, Scott Gifford wrote:
> >
> > > "Garry J. Garrett" <garry_garrett at csgsystems.com> writes:
> > >
> > > [...]
> > >
> > > > My point is, I'm sure that there is a limitation somewhere; we just
> > > > don't know what that limit is.  It may be smaller than you are inclined
> > > > to think at first glance.  That's all I'm trying to say.
> > >
> > > I'm sure this is true, but as long as it can easily be turned off with
> > > an smb.conf option, it should be OK.  If you have more smbds than
> > > ptys, you just don't configure Samba to allocate ptys.
> > >
> > > Do you see any problems with this approach?
> >
> > It seems like this could really bite someone though.  What if over time
> > you start getting more samba connections?  Sometimes it is not possible to
> > plan ahead for this situation either.  I don't really know, but it seems
> > like running out of ptys would be a very bad thing.
> 
> That used to be the case for telnet/rlogin under early Solaris some years
> ago (default of 48; caller 49+ would get obscure failure message).  But
> that limit was always configurable, and since those days they seem to be
> much more "dynamic" anyway.  (Yes, it used to cause an irritating
> "Grrrrr..." moment to me, as sys.admin., but I've seen worse problems in
> running a UNIX service!)
> 
> I suspect that on most modern-day UNIX systems, a permanent, unchangeable,
> never-any-higher limit on ptys is almost a non-issue.  And for the
> occasional system where it may be, then ...

As was mentioned before - Linux comes with a default of 256.  As such, I
don't believe that it is a good idea to allocate ptys for this
purpose.

Even if ptys are allocated, I am very much of the view that this is best
done outside samba, because it is something that *will* need
customization for every site - unlike utmp, where the OS dictates the
'norms', this is much more a 'how do I want to set up my system' thing.

I think that adding a 'session exec' and 'session exec close' hook to
samba would be something that many of our users/administrators would
find useful.  

Also, I feel that the /dev/smb/? namespace is a good one - it mirrors
FTP's utmp semantics and allows the admin to quickly distinguish between
SSH/telnet logins and Samba connections.  If 'write' and 'wall'
functionality is desired, I think that some kind of daemon listening on
these 'terminals' (actually pipes in a dir) is the desirable solution.  

It should be noted that none of this actually requires modification to
Samba - even now!  If you want to make this happen - simply write a
daemon that listens on /dev/smb/0 - /dev/smb/x (where x is the maximum
number of connections you expect to receive).  It can include its own
code to read sessionid.tdb and the message sending code to bug the
client with it.

This would be assisted by better hooks in samba for registering the
logon/logoff - but doesn't actually require it.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
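
The listener daemon described in the message above, as an added sketch that is not part of the original post and not Samba code. The base directory, the function names and the deliver callback are assumptions; deliver stands in for the sessionid.tdb lookup and message sending the post mentions, which are not implemented here.

```python
import os
import select
import stat

def open_terminals(base, count):
    """Create/open FIFOs base/0 .. base/(count-1); return {fd: slot}."""
    os.makedirs(base, mode=0o755, exist_ok=True)
    fds = {}
    for slot in range(count):
        path = os.path.join(base, str(slot))
        if not os.path.lexists(path):
            os.mkfifo(path, 0o620)  # tty-like mode, reduced by the umask
        # O_RDWR keeps the FIFO open between writers (Linux behaviour);
        # O_NOFOLLOW refuses a symlink planted at this path.
        fd = os.open(path, os.O_RDWR | os.O_NONBLOCK | os.O_NOFOLLOW)
        st = os.fstat(fd)
        if not stat.S_ISFIFO(st.st_mode) or st.st_uid != os.geteuid():
            os.close(fd)
            raise RuntimeError(f"{path}: not a FIFO owned by this daemon")
        fds[fd] = slot
    return fds

def poll_once(fds, deliver, timeout_ms=1000):
    """Wait for input on any slot; pass each text line to deliver(slot, line)."""
    poller = select.poll()
    for fd in fds:
        poller.register(fd, select.POLLIN)
    handled = 0
    for fd, _event in poller.poll(timeout_ms):
        data = os.read(fd, 4096)
        for line in data.decode("utf-8", "replace").splitlines():
            if line.strip():
                deliver(fds[fd], line)  # hypothetical hook: message the client
                handled += 1
    return handled

if __name__ == "__main__":
    import tempfile
    base = os.path.join(tempfile.mkdtemp(), "smb")  # constructed stand-in for /dev/smb
    terminals = open_terminals(base, 4)
    w = os.open(os.path.join(base, "2"), os.O_WRONLY | os.O_NONBLOCK)
    os.write(w, b"server going down at 18:00\n")  # constructed sample message
    os.close(w)
    poll_once(terminals, lambda slot, msg: print(f"slot {slot}: {msg}"))
```

The ownership and file-type check matters because anything written to these paths ends up in front of a connected user, so the daemon should refuse to read from a path it did not create.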




More information about the samba-technical mailing list