Samba, Clearcase, and multiple credentials
Frank R. Brown
list.Frank at MailAndNews.com
Thu Nov 18 12:05:42 GMT 1999
Thanks for everyone's help. I'm still struggling here
(both with getting things to work, and with understanding
what's actually going on).
I'd like help with two issues:
1) Does the nt-side albd actually access unix-side files?
Is there any evidence of this?
2) The assertion that nt (a specific smb client) can only
make a single connection (a single set of credentials) to
a specific smb server at a given time seems to be holding
up. If this is the case, how can a clearcase user and
an albd service co-exist on a single nt box, if the two require
access to unix-side files with different permissions?
Let me piece together info from some of the responses:
From the reposting of David Boyce's clearcase users'
> The last line is there to give the clearcase_albd pseudo-user a
> group of "clearcase" on NT. This user is also entered in the
> database with /bin/false as its shell. The point is that
> clearcase_albd is entirely unused on the Unix side - it's just
> there so NT can see it.
Hmm... What does this mean? I will say that *my* reading of
the clearcase doc leads me to believe that the nt-side albd
actually spawns off *unix-side* instances of vob-server and
other processes to do its dirty work for it. Is this true? If
it is, then the whole issue of nt-side albd samba access to
unix-side files would be a red herring. Note: when I've asked
rational tech support for a specific unix-side file that albd
actually reads, they haven't given me a concrete answer.
From David Boyce's posting of some info samba info he got
> >|Being a prisoner of the SMB protocol and thus Microsoft's short-sighted
> >|PC-think, Samba defines "client" not as a user or a user/system pair but
> >|as a PC. I.e. it forks just one child process to handle all communications
> >|with each NT _machine_.
> This is the implementation issue. (It is not forced by SMB protocol which
> distinguishes the session by the user's ID.) TAS forks a process for each
> user/system pair. Although one TCP connection (with NetBT) is used between
> the client PC and TAS server (thus multiple users are sharing the same
> transport), TAS has the de/multiplexor for the TCP connection. (TAS does
> the same for NetBEUI.)
> It's up to Samba to implement such mechanism, which will be needed for NT
> Terminal Server and Win2K's Terminal Service.
> --- Seiichi
> + Seiichi Tatsukawa +
> + Rational Software, Lexington, MA +
Okay... I take this to mean (in the 'credentials' language I've been
using) that 1) *SMB* permits multiple connections with different
credentials between the same two machines; 2) some SMB
servers, in particular TAS, support this; and 3) samba doesn't.
Any experience / opinions out there, pro or con?
Now quoting from Johan Meiring's post:
> The restriction to only connect as one user to a specific machine
> (SMB server) is a _CLIENT_ restriction.
> This can be proven in an NT only (and I assume with SAMBA
> as well, sorry I don't have a samba server to test against :-( )
So Johan indicates that 1) SMB *does* support multiple
connections; 2) gives another example of an SMB server
that supports multiple connections, i.e., nt; 3) suspects,
but hasn't verified that samba might as well;
and 4) demonstrates that the restriction of single connection
(set of credentials) between two machines is a *client*
restriction, where in this case the client is nt.
My point here is that if nt as a client only supports a single
connection / set of credentials, then it's moot whether the
smb server supports multiple connections or not. Rational
software keeps saying that the albd service needs 'permissions'.
But everything I know about nt says that even if the
clearcase_albd account (under which albd runs) has
these 'permissions', once the clearcase user uses his
credentials to connect to a share on the unix-side (samba)
server, that single connection is 'used up', and any unix-side
albd file-access will occur under the user's credentials.
Is this true? If not, can anyone provide *any* evidence that
Thanks again for everyone's help with this.
(I apologize to those who don't have interest in this level
of detail. I persist because I've been learning a lot of
useful stuff about nt and samba, and because as long
as the best I can get out of rational is that I have a
'permissions' problem, I'm going to need to understand
this stuff to get configuration issues resolved.)
Frank.R.Brown at MailAndNews