Samba, Clearcase, and multiple credentials

Frank R. Brown list.Frank at MailAndNews.com
Thu Nov 18 12:05:42 GMT 1999


Thanks for everyone's help.  I'm still struggling here
(both with getting things to work, and with understanding
what's actually going on).

I'd like help with two issues:

1)  Does the nt-side albd actually access unix-side files?
Is there any evidence of this?

2)  The assertion that nt (a specific smb client) can only
make a single connection (a single set of credentials) to
a specific smb server at a given time seems to be holding
up.  If this is the case, how can a clearcase user and
an albd service co-exist on a single nt box, if the two require
access to unix-side files with different permissions?

Let me piece together info from some of the responses:

From the reposting of David Boyce's clearcase users'
group message:

> The last line is there to give the clearcase_albd pseudo-user a primary
> group of "clearcase" on NT. This user is also entered in the passwd
> database with /bin/false as its shell. The point is that clearcase_albd is
> entirely unused on the Unix side - it's just there so NT can see it.

Hmm...  What does this mean?  I will say that *my* reading of
the clearcase doc leads me to believe that the nt-side albd
actually spawns off *unix-side* instances of vob-server and
other processes to do its dirty work for it.  Is this true?  If
it is, then the whole issue of nt-side albd samba access to
unix-side files would be a red herring.  Note:  when I've asked
rational tech support for a specific unix-side file that albd
actually reads, they haven't given me a concrete answer.

From David Boyce's posting of some samba info he got
from rational:

> >|Being a prisoner of the SMB protocol and thus Microsoft's short-sighted
> >|PC-think, Samba defines "client" not as a user or a user/system pair but
> >|as a PC. I.e. it forks just one child process to handle all communications
> >|with each NT _machine_.
> 
> This is the implementation issue. (It is not forced by SMB protocol which
> distinguishes the session by the user's ID.) TAS forks a process for each
> user/system pair. Although one TCP connection (with NetBT) is used between
> the client PC and TAS server (thus multiple users are sharing the same
> transport), TAS has the de/multiplexor for the TCP connection. (TAS does
> the same for NetBEUI.)
> It's up to Samba to implement such a mechanism, which will be needed for NT
> Terminal Server and Win2K's Terminal Service.
> 
> --- Seiichi
> + Seiichi Tatsukawa +
> + Rational Software, Lexington, MA +

Okay...  I take this to mean (in the 'credentials' language I've been
using) that  1) *SMB* permits multiple connections with different
credentials between the same two machines;  2) some SMB
servers, in particular TAS, support this;  and 3) samba doesn't.
Any experience / opinions out there, pro or con?

Now quoting from Johan Meiring's post:

> The restriction to only connect as one user to a specific machine
> (SMB server) is a _CLIENT_ restriction.
>
> This can be proven in an NT only (and I assume with SAMBA
> as well, sorry I don't have a samba server to test against :-( )
> scenario.

So Johan indicates that 1) SMB *does* support multiple
connections;  2) gives another example of an SMB server
that supports multiple connections, i.e., nt;  3)  suspects,
but hasn't verified that samba might as well;
and 4) demonstrates that the restriction of single connection
(set of credentials) between two machines is a *client*
restriction, where in this case the client is nt.

My point here is that if nt as a client only supports a single
connection / set of credentials, then it's moot whether the
smb server supports multiple connections or not.  Rational
software keeps saying that the albd service needs 'permissions'.
But everything I know about nt says that even if the
clearcase_albd account (under which albd runs) has
these 'permissions', once the clearcase user uses his
credentials to connect to a share on the unix-side (samba)
server, that single connection is 'used up', and any unix-side
albd file-access will occur under the user's credentials.

Is this true?  If not, can anyone provide *any* evidence that
it isn't?

Thanks again for everyone's help with this.

(I apologize to those who don't have interest in this level
of detail.  I persist because I've been learning a lot of
useful stuff about nt and samba, and because as long
as the best I can get out of rational is that I have a
'permissions' problem, I'm going to need to understand
this stuff to get configuration issues resolved.)

     Frank R.Brown
     Frank.R.Brown at MailAndNews

