[Samba] Samba 4 DC and member server, rfc3207, winbind, printing, asynchronous I/O - Problems and Fixes

Stéphane PURNELLE stephane.purnelle at corman.be
Tue Nov 19 01:38:14 MST 2013


Hi Andrew,

Could you explain why the Samba Team recommends using a member server 
for file and print server tasks?

Because I want to put one server into production as a DC with file and print 
server tasks.

Stéphane Purnelle

-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 19/11/2013 08:01:17:

> From: Andrew Bartlett <abartlet at samba.org>
> To: "Kinglok, Fong" <busywater at gmail.com>, 
> Cc: samba at lists.samba.org
> Date: 19/11/2013 08:02
> Subject: Re: [Samba] Samba 4 DC and member server, rfc3207, winbind, 
> printing, asynchronous I/O - Problems and Fixes
> Sent by: samba-bounces at lists.samba.org
> 
> On Tue, 2013-11-19 at 14:53 +0800, Kinglok, Fong wrote:
> > Dear all,
> > 
> > After 4 days of sleepless nights, I have managed to rebuild the 
> samba farm.  I believe the following discovery might interest our 
> samba community.
> 
> > Now, there is no other bug but do a dirty fix:
> > chmod 755 /usr/local/samba/private/sam.ldb.d
> 
> NEVER. EVER do this.
> 
> Quick, dirty or otherwise, NEVER do this.  You have totally compromised
> the security of the whole domain, because all the private (secret) keys
> are not accessible to any user or process on that host. 
> 
> Indeed, as this has now been suggested publicly, I may have to add code
> to Samba to refuse to start up in this situation. 
> 
> I realise you are in a bind, but all I can suggest is that you follow
> the Samba Team's recommendation to use a member server for file and
> print server tasks, not to combine these with the DC, until we can get
> to the bottom of this particular issue. 
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
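
A defensive check for the condition Andrew's reply warns about, as an added example that is not part of the original thread and is not Samba code: it reports anything at or below the database directory that grants permissions beyond the owner. The function names are hypothetical, the default path is the one quoted in the thread, and owner-only access as the expected policy is an assumption.

```shell
#!/bin/sh
# Added example, not Samba code. Flags anything at or below a Samba private
# database directory that grants permissions to group or other.
# Assumption: owner-only access is the intended policy for this path.

SAMDB_DIR_DEFAULT=/usr/local/samba/private/sam.ldb.d   # path from the thread

# List entries under $1 with any group/other permission bit set (ls -ld format).
# Symlinks are skipped because their own mode bits carry no meaning.
loose_entries() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) \
         ! -type l -exec ls -ld {} +
}

# Return 0 if clean, 1 if loose entries were found, 2 if the path is unusable.
audit_private_dir() {
    dir=${1:-$SAMDB_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 2
    fi
    # find fails (for example on unreadable subdirectories) -> treat as unusable
    findings=$(loose_entries "$dir") || return 2
    if [ -n "$findings" ]; then
        echo "audit: entries accessible beyond the owner under $dir:" >&2
        echo "$findings" >&2
        return 1
    fi
    return 0
}
```

Run `audit_private_dir` as root on the DC from a monitoring job; exit status 1 means the directory or a file in it is in the state produced by the `chmod 755` quoted above.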
