SAMBA and network security (Try 2 without HTML)

Robert Styma stymar at agcs.com
Wed Nov 28 13:49:03 GMT 2001


I did not mean to send the previous question in HTML.  


I wish to solicit information and comments.

I am attempting to convince our ITS department to
create trust accounts for the Samba server nodes on
some of our lab machines which sit across an internal firewall
from the corporate network.  My purpose is to access
UNIX files on the Samba servers from PCs connected
to the corporate LAN.  Our PCs are authenticated from
an NT PDC.

My understanding is that when the PC attempts to access
shares on another server (Samba or otherwise), a security
ticket is sent with the request.  The server takes that
ticket and authenticates it against the primary domain
controller it is connected to.  Hopefully this is the same
one used to generate the ticket.  This is used to verify that
the requester is who he says he is.  Samba then uses this
information to decide what UNIX account to use for this
request.  In the simple case, this is the same name as
the NT account.

A machine trust account has to be set up on the NT PDC
to allow the Samba server to authenticate the ticket.
It also means I can use smbclient on this machine to
authenticate to the PDC and access other SMB shares
and printers.

Are there any other security issues I need to be aware
of pertaining to creating a machine trust account on
an NT PDC for a Samba server machine?

Thank you in advance for any comments.



-- 
Robert E. Styma 
Principal Engineer
AG Communication Systems, Phoenix - A subsidiary of Lucent
Email: stymar at agcs.com
Phone: 623-582-7323
FAX:   623-581-4884
Company:  http://www.agcs.com
Personal: http://www.swlink.net/~styma



