Sidebar to: losing connections to password server
David Collier-Brown -- Customer Engineering
David.Collier-Brown at sun.com
Mon Jun 23 15:04:54 GMT 2003
Predominantly they are running security = user, and
authenticating against the Unix passwords. The passwords
are actually in nis, yp and/or ldap, but Samba can't
tell and doesn't care (it's set in /etc/nsswitch.conf).
Secondarily several machines, (including mine at
various times (:-)) use security = server and name
the master server in the geographical area. They
**really** don't care what is used: they just ask
the local master.
[ This is classic Unix/Multics behavior, as opposed
to Windows/OS360 behavior: even servers don't care
how and where authentication is done, they only care
that it **is** done. Consider it a quality-of-implementation
advantage for Unix, Linux and Samba.]
None of the servers have failed except during general
power outages, which took down the client machines anyway,
so no-one noticed (;-))
Typical uptimes for these machines are huge.
Steve Langasek wrote:
> On Thu, Jun 19, 2003 at 02:46:08PM -0400, David Collier-Brown -- Customer Engineering wrote:
>>On Thu, Jun 19, 2003 at 08:53:17AM -0700, David Bear wrote:
>>>>"security = server" may be a nasty hack, but it is an important
>>>>'feature' in an organization like my university. We have centrally
>>>>managed services which include user accounts. This hack lets me add
>>>>users to samba services without having to manage accounts.
>>Steve Langasek wrote:
>>>So does "security = domain"; except that "security = domain" works,
>>>using the same protocols that Microsoft supports for their own
>>>The "security = server" hack is /inherently/ flaky, and has /inherently/
>>>limited security. Fixing these inherent flaws has been done: that's
>>>what domain security is.
>> Alas, security = domain only works if I'm running an
>> NT domain, while security = server works with an
>> authentication server which is using the underlying
>> Unix authentication system.
>> Do the limitations and errors of security = server
>> generally affect or not affect servers using Unix
>> authentication? We've not encountered (or perhaps
>> not noticed (;-)) them in Sun, and we run a worldwide
>> SMB service, managed out of Australia.
> So you're using 'security = server' with 'encrypted passwords = no'?
> Hmm, I've never seen a configuration like that before... Maybe it's
> more resilient because your network and/or SMB servers are more
> reliable? :)
David Collier-Brown, | Always do right. This will gratify
Sun Microsystems DCMO | some people and astonish the rest.
Toronto, Ontario |
(905) 415-2849 or x52849 | davecb at canada.sun.com
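
The configurations compared in this thread can be told apart mechanically. The following is an added example, not part of either poster's message and not Samba code: a small checker that reads the `[global]` section of an smb.conf and reports which authentication mode is set and whether plaintext passwords are enabled (the smb.conf parameter is spelled `encrypt passwords`). The sample file, host name and function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf, not taken from the thread or any real site.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Security = server
   password server = master.example.invalid
   encrypt passwords = no
; per-share settings are ignored by the check
[homes]
   read only = no
"""

FALSE_VALUES = {"no", "false", "0"}  # boolean spellings smb.conf accepts for "off"

def parse_global(text):
    """Collect [global] parameters; names are lower-cased with whitespace
    removed because smb.conf ignores case and spacing in parameter names.
    Backslash line continuations are not handled here."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Return (parameter, note) findings for the modes discussed in the thread."""
    p = parse_global(text)
    findings = []
    mode = p.get("security", "").lower()
    if mode == "server":
        target = p.get("passwordserver", "<unset>")
        findings.append(("security", "logons are relayed to " + target))
    elif mode == "domain":
        findings.append(("security", "logons are validated by a domain controller"))
    if p.get("encryptpasswords", "").lower() in FALSE_VALUES:
        findings.append(("encrypt passwords", "plaintext passwords are accepted"))
    return findings

if __name__ == "__main__":
    for param, note in audit(SAMPLE):
        print(param + ": " + note)
```

A file that sets `security = user` and leaves `encrypt passwords` unset yields no findings, because the checker only reports settings that are explicitly present.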