diff options
author | John Terpstra <jht@samba.org> | 2005-04-13 02:26:17 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:25 -0500 |
commit | 6262d3083458e4fc1dfcff77e616063e4b71e477 (patch) | |
tree | ddfea67e7c0c679d69a0fea331795971cc42e58a /docs/Samba-Guide/SBE-KerberosFastStart.xml | |
parent | 2b7907805aeb32775f11795b88e01721b115eafe (diff) | |
download | samba-6262d3083458e4fc1dfcff77e616063e4b71e477.tar.gz samba-6262d3083458e4fc1dfcff77e616063e4b71e477.tar.bz2 samba-6262d3083458e4fc1dfcff77e616063e4b71e477.zip |
Begin of another reorg.
(This used to be commit 131d76df85ab12f5a171120113d4dfa7ad3f2220)
Diffstat (limited to 'docs/Samba-Guide/SBE-KerberosFastStart.xml')
-rw-r--r-- | docs/Samba-Guide/SBE-KerberosFastStart.xml | 2074 |
1 files changed, 2074 insertions, 0 deletions
diff --git a/docs/Samba-Guide/SBE-KerberosFastStart.xml b/docs/Samba-Guide/SBE-KerberosFastStart.xml new file mode 100644 index 0000000000..bcd00dbd86 --- /dev/null +++ b/docs/Samba-Guide/SBE-KerberosFastStart.xml @@ -0,0 +1,2074 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="kerberos"> + <title>Active Directory, Kerberos, and Security</title> + + <para><indexterm> + <primary>experiment</primary> + </indexterm> + By this point in the book, you have been exposed to many Samba-3 features and capabilities. + More importantly, if you have implemented the examples given, you are well on your way to becoming + a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to + practice, you likely have thought of improvements and scenarios with which you can experiment. You + are rather well plugged in to the many flexible ways Samba can be used. + </para> + + <para><indexterm> + <primary>criticism</primary> + </indexterm> + This is a book about Samba-3. Understandably, its intent is to present it in a positive light. + The casual observer might conclude that this book is one-eyed about Samba. It is &smbmdash; what + would you expect? This chapter exposes some criticisms that have been raised concerning + the use of Samba. For each criticism, there are good answers and appropriate solutions. + </para> + + <para> + Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular + decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of + criticism develops with respect to Abmas. + </para> + + <para><indexterm> + <primary>straw-man</primary> + </indexterm> + This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled + out of thin air. They were drawn from comments made by Samba users and from criticism during + discussions with Windows network administrators. The tone of the objections reflects as closely + as possible that of the original. The case presented is a straw-man example that is designed to + permit each objection to be answered as it might occur in real life. + </para> + +<sect1> + <title>Introduction</title> + + <para><indexterm> + <primary>acquisitions</primary> + </indexterm><indexterm> + <primary>risk</primary> + </indexterm><indexterm> + <primary>assessment</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + </indexterm><indexterm> + <primary>Windows 2003 Serve</primary> + </indexterm> + Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took + note of the spectacular projection of Abmas onto the global business stage. Abmas is building an + interesting portfolio of companies that includes accounting services, financial advice, investment + portfolio management, property insurance, risk assessment, and the recent addition of a a video rental + business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an + interesting business growth and development plan. Abmas Video Rentals has been recently acquired. + During the time that the acquisition was closing, the Video Rentals business upgraded their Windows + NT4-based network to Windows 2003 Server and Active Directory. + </para> + + <para><indexterm> + <primary>Active Directory</primary> + </indexterm> + Bob Jordan has been accepting of the fact that Abmas Video Rentals will use Microsoft Active Directory. + The IT team led by Stan Soroka is committed to Samba-3 and to maintaining a uniform technology platform. + Stan Soroka's team voiced their disapproval over the decision to permit this business to continue to + operate with a solution that is viewed by Christine and her group as <quote>an island of broken + technologies.</quote> This comment was made by one of Christine's staff as they were installing a new + Samba-3 server at the new business. + </para> + + + <para><indexterm> + <primary>consultant</primary> + </indexterm><indexterm> + <primary>hypothetical</primary> + </indexterm> + Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer + should make such a comment. He felt that he had to prepare in case he might be criticized for his + decision to use Active Directory. He decided he would defend his decision by hiring the services + of an outside security systems consultant to report<footnote>This report is entirely fictitious. + Any resemblance to a factual report is purely coincidental.</footnote> on his unit's operations + and to investigate the role of Samba at his site. Here are key extracts from this hypothetical + report: + </para> + + <blockquote><para><indexterm> + <primary>vulnerabilities</primary> + </indexterm><indexterm> + <primary>integrity</primary> + </indexterm><indexterm> + <primary>practices</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + </indexterm> + ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site, + has been examined. We find no evidence to support a notion that vulnerabilities exist at your site. + ... we took additional steps to validate the integrity of the installation and operation of Active + Directory and are pleased that your staff are following sound practices. + </para> + + <para> + ... + </para> + + <para><indexterm> + <primary>accounts</primary> + <secondary>user</secondary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>group</secondary> + </indexterm><indexterm> + <primary>Backup</primary> + </indexterm><indexterm> + <primary>disaster recovery</primary> + </indexterm><indexterm> + <primary>validated</primary> + </indexterm><indexterm> + <primary>off-site storage</primary> + </indexterm> + User and Group accounts, and respective privileges, have been well thought out. File system shares are + appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and + effective off-site storage practices are considered to exceed industry norms. + </para> + + <para><indexterm> + <primary>compromise</primary> + </indexterm><indexterm> + <primary>secure</primary> + </indexterm><indexterm> + <primary>network</primary> + <secondary>secure</secondary> + </indexterm> + Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain + a secure network. + </para> + + <para><indexterm> + <primary>winbind</primary> + </indexterm><indexterm> + <primary>security</primary> + </indexterm><indexterm> + <primary>secure</primary> + </indexterm><indexterm> + <primary>network</primary> + <secondary>management</secondary> + </indexterm> + The recently installed Linux file and application server uses a tool called <command>winbind</command> + that is indiscriminate about security. All user accounts in Active Directory can be used to access data + stored on the Linux system. We are alarmed that secure information is accessible to staff who should + not even be aware that it exists. We share the concerns of your network management staff who have gone + to great lengths to set fine-grained controls that limit information access to those who need access. + It seems incongruous to us that Samba winbind should be permitted to be used as it voids this fine work. + </para> + + <para><indexterm> + <primary>isolated</primary> + </indexterm><indexterm> + <primary>firewall</primary> + </indexterm><indexterm> + <primary>best practices</primary> + </indexterm> + Graham Judd [head of network administration] has locked down the security of all systems and is following + the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network + is isolated from the outside world, the [product name removed] firewall is under current contract + maintenance support from [the manufacturer]. ... our attempts to penetrate security of your systems + failed to find problems common to Windows networking sites. We commend your staff on their attention to + detail and for following Microsoft recommended best practices. + </para> + + <para> + ... + </para> + + <para><indexterm> + <primary>security</primary> + </indexterm><indexterm> + <primary>disable</primary> + </indexterm><indexterm> + <primary>essential</primary> + </indexterm><indexterm> + <primary>trusted computing</primary> + </indexterm> + In respect of the use of Samba, we offer the following comments: Samba is in use in nearly half of + all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft + ... what worries us regarding Samba is the need to disable essential Windows security features such as + secure channel support, digital sign'n'seal on all communication traffic, running Active Directory in + mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that + Samba is not at the full capabilites of Microsoft Windows NT4 server. Microsoft has moved well beyond that + with trusted computing initiatives that the Samba developers do not participate in. + </para> + + <para><indexterm> + <primary>integrity</primary> + </indexterm><indexterm> + <primary>hackers</primary> + </indexterm><indexterm> + <primary>accountable</primary> + </indexterm><indexterm> + <primary>flaws</primary> + </indexterm><indexterm> + <primary>updates</primary> + </indexterm><indexterm> + <primary>bug fixes</primary> + </indexterm><indexterm> + <primary>alarm</primary> + </indexterm> + One wonders about the integrity of an open source program that is developed by a team of hackers + who cannot be held accountable for the flaws in their code. The sheer number of updates and bug + fixes they have released should ring alarm bells in any business. + </para> + + <para><indexterm> + <primary>employment</primary> + </indexterm><indexterm> + <primary>jobs</primary> + </indexterm><indexterm> + <primary>risk</primary> + </indexterm> + Another factor that should be considered is that buying Microsoft products and services helps to + provide employment in the IT industry. Samba and Open Source software place those jobs at risk. + </para></blockquote> + + <para><indexterm> + <primary>Active Directory</primary> + </indexterm><indexterm> + <primary>independent expert</primary> + </indexterm> + This is also a challenge to rise above the trouble spot. Bob calls Stan's team together for a simple + discussion, but it gets further out of hand. When he returns to his office, he finds the following + email in his in-box: + </para> + + <para> + Bob, + </para> + + <blockquote><attribution>Stan</attribution><para> + I apologize for the leak of internal discussions to the new business. It reflects poorly on our + professionalism and has put you in an unpleasant position. I regret the incident. + </para> + + <para> + I also wish to advise that two of the recent recruits want to implement Kerberos authentication + across all systems. I concur with the desire to improve security. One of the new guys who is championing + the move to Kerberos was responsible for the comment that caused the embarrassment. + </para> + + <para><indexterm> + <primary>Kerberos</primary> + </indexterm><indexterm> + <primary>OpenLDAP</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + </indexterm><indexterm> + <primary>consultant</primary> + </indexterm> + I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, + plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect + to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, + I would like to hire the services of a well-known Samba consultant to set the record straight. + </para> + + <para><indexterm> + <primary>criticism</primary> + </indexterm><indexterm> + <primary>policy</primary> + </indexterm><indexterm> + <primary>Windows Servers</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + </indexterm><indexterm> + <primary>budgetted</primary> + </indexterm><indexterm> + <primary>financial responsibility</primary> + </indexterm> + I intend to use this report to answer the criticism raised and would like to establish a policy that we + will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered + out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain + responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce + use of any centrally proposed standards, but make all non-compliance the financial responsibility of the + out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone. + </para></blockquote> + + <sect2> + <title>Assignment Tasks</title> + + <para> + Bob agreed with Stan's recommendations and has hired your services to help defuse the powder + keg. Your task is to answer each of the issues raised with a tractable answer. You must be able + to support your claims, keep emotions to a side, and answer technically. + </para> + + </sect2> +</sect1> + +<sect1> + <title>Dissection and Discussion</title> + + <para><indexterm> + <primary>tool</primary> + </indexterm><indexterm> + <primary>benefit</primary> + </indexterm><indexterm> + <primary>choice</primary> + </indexterm><indexterm> + <primary>consultant</primary> + </indexterm><indexterm> + <primary>installation</primary> + </indexterm><indexterm> + <primary>income</primary> + </indexterm><indexterm> + <primary>employment</primary> + </indexterm> + Samba-3 is a tool. No one pounding your door to use Samba. That is a choice that you are free to + make or reject. It is likely that your decision to use Samba can benefit your company more than + anyone else. The Samba Team obviously believes that the Samba software is a worthy choice. + If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire + someone to help manage your Samba installation, you can create income and employment. Alternately, + money saved by not spending in the IT area can be spent elsewhere in the business. All money saved + or spent creates employment. + </para> + + <para><indexterm> + <primary>economically sustainable</primary> + </indexterm><indexterm> + <primary>inter-operability</primary> + </indexterm><indexterm> + <primary>file and print service</primary> + </indexterm><indexterm> + <primary>cost</primary> + </indexterm><indexterm> + <primary>alternative</primary> + </indexterm> + In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted + purely to provide file and print service interoperability on platforms that otherwise cannot provide + access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to + effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an + alternative to the use of a Microsoft file and print serving platforms with no consideration of costs. + </para> + + <para><indexterm> + <primary>documentation</primary> + </indexterm><indexterm> + <primary>responsibility</primary> + </indexterm><indexterm> + <primary>fix</primary> + </indexterm><indexterm> + <primary>broken</primary> + </indexterm> + It would be foolish to adopt a technology that might put any data or users at risk. Security affects + everyone. The Samba Team are fully cognizant of the responsibility they have to their users. + The Samba documentation clearly reveals the fact that full responsibility is accepted to fix anything + that is broken. + </para> + + <para><indexterm> + <primary>commercial</primary> + </indexterm><indexterm> + <primary>software</primary> + </indexterm><indexterm> + <primary>commercial software</primary> + </indexterm><indexterm> + <primary>End User License Agreement</primary> + <see>EULA</see> + </indexterm><indexterm> + <primary>accountable</primary> + </indexterm><indexterm> + <secondary>liability</secondary> + </indexterm><indexterm> + <primary>accepts liability</primary> + </indexterm><indexterm> + <primary>price paid</primary> + </indexterm><indexterm> + <primary>product defects</primary> + </indexterm><indexterm> + <primary>reimburse</primary> + </indexterm><indexterm> + <primary>extent</primary> + </indexterm> + There is a mistaken perception in the IT industry that commercial software providers are fully + accountable for the defects in products. Open Source software comes with no warranty, so it is + often assumed that its use confers a higher degree of risk. Everyone should read commercial software + End User License Agreements (EULAs). You should determine what real warranty is offered and the + extent of liability that is accepted. Doing so soon dispels the popular notion that + commercial software vendors are willingly accountable for product defects. In many cases, the + commercial vendor accepts liability only to reimburse the price paid for the software. + </para> + + <para><indexterm> + <primary>consumer</primary> + </indexterm><indexterm> + <primary>EULA</primary> + </indexterm><indexterm> + <primary>track record</primary> + </indexterm><indexterm> + <primary>commercial software</primary> + </indexterm><indexterm> + <primary>support</primary> + </indexterm><indexterm> + <primary>vendor</primary> + </indexterm> + The real issues that a consumer (like you) needs answered is what is the way of escape from technical + problems and how long will it take? The average problem turnaround time in the Open Source community is + approximately 48 hours. What does the EULA offer? What is the track record in the commercial software + industry? What happens when your commercial vendor decides to cease providing support? + </para> + + <para><indexterm> + <primary>source code</primary> + </indexterm><indexterm> + <primary>Open Source</primary> + </indexterm><indexterm> + <primary>hire</primary> + </indexterm><indexterm> + <primary>programmer</primary> + </indexterm><indexterm> + <primary>solve</primary> + </indexterm><indexterm> + <primary>fix</primary> + </indexterm><indexterm> + <secondary>problem</secondary> + </indexterm> + Open Source software at least puts you in possession of the source code. This means that when + all else fails, you can hire a programmer to solve/fix the problem. + </para> + + <sect2> + <title>Technical Issues</title> + + <para> + Each issue is now discussed and, where appropriate, example implementation steps are + provided. + </para> + + <variablelist> + <varlistentry> + <term>Winbind and Security</term> + <listitem><para><indexterm> + <primary>Winbind</primary> + </indexterm><indexterm> + <primary>Security</primary> + </indexterm><indexterm> + <primary>network</primary> + <secondary>administrators</secondary> + </indexterm><indexterm> + <primary>Domain users</primary> + </indexterm><indexterm> + <secondary>Domain account</secondary> + </indexterm><indexterm> + <primary>credentials</primary> + </indexterm><indexterm> + <primary>Network Neighborhood</primary> + </indexterm><indexterm> + <primary>UNIX/Linux server</primary> + </indexterm><indexterm> + <primary>browse</primary> + </indexterm><indexterm> + <primary>shares</primary> + </indexterm> + Windows network administrators may be dismayed to find that <command>winbind</command> + exposes all Domain users so that they may use their Domain account credentials to + log onto a UNIX/Linux system. The fact that all users in the Domain can see the + UNIX/Linux server in their Network Neighborhood and can browse the shares on the + server seems to excite them further. + </para> + + <para><indexterm> + <primary>Domain Member server</primary> + </indexterm><indexterm> + <primary>familiar</primary> + </indexterm><indexterm> + <primary>fear</primary> + </indexterm><indexterm> + <primary>unknown</primary> + </indexterm> + <command>winbind</command> provides for the UNIX/Linux Domain Member server or + client, the same as one would obtain by adding a Microsoft Windows server or + client to the Domain. The real objection is the fact that Samba is not MS Windows + and, therefore, requires handling a little differently from the familiar Windows systems. + One must recognize fear of the unknown. + </para> + + <para><indexterm> + <primary>network administrators</primary> + </indexterm><indexterm> + <primary>recognize</primary> + </indexterm><indexterm> + <primary>winbind</primary> + </indexterm><indexterm> + <primary>over-ride</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + <secondary>management tools</secondary> + </indexterm><indexterm> + <primary>fears</primary> + </indexterm> + Windows network administrators need to recognize that <command>winbind</command> does + not, and cannot, override account controls set using the Active Directory management + tools. The control is the same. Have no fear. + </para> + + <para><indexterm> + <primary>ADS Domain</primary> + </indexterm><indexterm> + <primary>account</primary> + <secondary>ADS Domain</secondary> + </indexterm><indexterm> + <primary>winbind</primary> + </indexterm><indexterm> + <primary>browsing</primary> + </indexterm><indexterm> + <primary>permits</primary> + </indexterm><indexterm> + <primary>access</primary> + </indexterm><indexterm> + <primary>drive mapping</primary> + </indexterm><indexterm> + <primary>protected</primary> + </indexterm><indexterm> + <primary>security controls</primary> + </indexterm><indexterm> + <primary>access controls</primary> + </indexterm> + Where Samba and the ADS Domain account information obtained through the use of + <command>winbind</command> permits access, by browsing or by the drive mapping to + a share, to data that should be better protected. This can only happen when security + controls have not been properly implemented. Samba permits access controls to be set + on: + </para> + + <itemizedlist> + <listitem><para>Shares themselves (i.e., the logical share itself)</para></listitem> + <listitem><para>The share definition in &smb.conf;</para></listitem> + <listitem><para>The shared directories and files using UNIX permissions</para></listitem> + <listitem><para>Using Windows 2000 ACLs &smbmdash; if the file system is Posix enabled</para></listitem> + </itemizedlist> + + <para> + Examples of each are given in <link linkend="ch10expl"/>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>User and Group Controls</term> + <listitem><para><indexterm> + <primary>User and Group Controls</primary> + </indexterm><indexterm> + <primary>management</primary> + <secondary>User</secondary> + </indexterm><indexterm> + <primary>management</primary> + <secondary>group</secondary> + </indexterm><indexterm> + <primary>ADS</primary> + </indexterm><indexterm> + <primary>permissions</primary> + </indexterm><indexterm> + <primary>privileges</primary> + </indexterm><indexterm> + <primary>flexibility</primary> + </indexterm><indexterm> + <primary>access controls</primary> + </indexterm><indexterm> + <primary>share definition</primary> + </indexterm> + User and group management facilities as known in the Windows ADS environment may be + used to provide equivalent access control constraints or to provide equivalent + permissions and privileges on Samba servers. Samba offers greater flexibility in the + use of user and group controls because it has additional layers of control compared to + Windows 200x/XP. For example, access controls on a Samba server may be set within + the share definition in a manner for which Windows has no equivalent. + </para> + + <para><indexterm> + <primary>analysis</primary> + </indexterm><indexterm> + <primary>system security</primary> + </indexterm><indexterm> + <primary>safe-guards</primary> + </indexterm><indexterm> + <primary>permissions</primary> + <secondary>excessive</secondary> + </indexterm><indexterm> + <primary>file system</primary> + </indexterm><indexterm> + <primary>shared resource</primary> + </indexterm><indexterm> + <primary>share definition</primary> + </indexterm> + In any serious analysis of system security, it is important to examine the safeguards + that remain when all other protective measures fail. An administrator may inadvertently + set excessive permissions on the file system of a shared resource, or he may set excessive + privileges on the share itself. If that were to happen in a Windows 2003 Server environment, + the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is + possible to guard against that by enforcing controls on the share definition itself. You + see a practical example of this a little later in this chapter. + </para> + + <para><indexterm> + <primary>diligence</primary> + </indexterm><indexterm> + <primary>weakness</primary> + </indexterm> + The report that is critical of Samba really ought to have exercised greater due + diligence, as the real weakness is on the side of a Microsoft Windows environment. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>Security Overall</term> + <listitem><para><indexterm> + <primary>defects</primary> + </indexterm> + Samba has been designed in such a manner that weaknesses inherent in the design of + Microsoft Windows networking ought not to expose the underlying UNIX/Linux file + system in any way. All software has potential defects, and Samba is no exception. + What matters more is how defects that are discovered get dealt with. + </para> + + <para><indexterm> + <primary>security</primary> + </indexterm><indexterm> + <primary>protection</primary> + </indexterm><indexterm> + <primary>compromise</primary> + </indexterm><indexterm> + <primary>consequential risk</primary> + </indexterm> + The Samba Team totally agrees with the necessity to observe and fully implement + every security facility to provide a level of protection and security that is necessary + and that the end user (or network administrator) needs. Never would the Samba Team + recommend a compromise to system security, nor would deliberate defoliation of + security be publicly condoned; yet this is the practice by many Windows network + administrators just to make happy users who have no notion of consequential risk. + </para> + + <para><indexterm> + <primary>condemns</primary> + </indexterm><indexterm> + <primary>security fixes</primary> + </indexterm><indexterm> + <primary>updates</primary> + </indexterm><indexterm> + <primary>development</primary> + </indexterm><indexterm> + <primary>documentation</primary> + </indexterm><indexterm> + <primary>security updates</primary> + </indexterm><indexterm> + <primary>turn-around time</primary> + </indexterm> + The report condemns Samba for releasing updates and security fixes, yet Microsoft + on-line updates need to be applied almost weekly. The answer to the criticism made + lies in the fact that Samba development is continuing, documentation is improving, + user needs are being increasingly met or exceeded, and security updates are issued + with a short turnaround time. + </para> + + <para><indexterm> + <primary>modularization</primary> + </indexterm><indexterm> + <primary>next generation</primary> + </indexterm><indexterm> + <primary>responsible</primary> + </indexterm><indexterm> + <primary>dependability</primary> + </indexterm><indexterm> + <primary>road-map</primary> + <secondary>published</secondary> + </indexterm> + The release of Samba-4 is expected around late 2004 to early 2005 and involves a near + complete rewrite to permit extensive modularization and to prepare Samba for new + functionality planned for addition during the next generation series. The Samba Team + is responsible and can be depended upon; the history to date would suggest a high + degree of dependability as well as on charter development consistent with published + road-map projections. + </para> + + <para><indexterm> + <primary>foundation members</primary> + </indexterm><indexterm> + <primary>Common Internet File System</primary> + <see>CIFS</see> + </indexterm><indexterm> + <primary>network attached storage</primary> + <see>NAS</see> + </indexterm><indexterm> + <primary>conferences</primary> + </indexterm><indexterm> + <primary>presence and leadership</primary> + </indexterm><indexterm> + <primary>leadership</primary> + </indexterm><indexterm> + <primary>inter-operability</primary> + </indexterm> + Not well published is the fact that Microsoft was a foundation member of + the Common Internet File System (CIFS) initiative, together with the participation + of the network attached storage (NAS) industry. Unfortunately, for the past few years, + Microsoft has been absent from active involvement at CIFS conferences and has + not exercised the leadership expected of a major force in the networking technology + space. The Samba Team has maintained consistent presence and leadership at all + CIFS conferences and at the interoperability laboratories run concurrently with + them. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>Cryptographic Controls (schannel, sign'n'seal)</term> + <listitem><para><indexterm> + <primary>Cryptographic</primary> + </indexterm><indexterm> + <primary>schannel</primary> + </indexterm><indexterm> + <primary>digital sign'n'seal</primary> + </indexterm> + The report correctly mentions the fact that Samba did not support the most recent + <constant>schannel</constant> and <constant>digital sign'n'seal</constant> features + of Microsoft Windows NT/200x/XPPro products. This is one of the key features + of the Samba-3 release. Market research reports take so long to generate that they are + seldom a reflection of current practice, and in many respects reports are like a + pathology report &smbmdash; they reflect accurately (at best) status at a snap-shot in time. + Meanwhile, the world moves on. + </para> + + <para><indexterm> + <primary>public specifications</primary> + </indexterm><indexterm> + <primary>protocols</primary> + </indexterm><indexterm> + <primary>algorithm</primary> + </indexterm><indexterm> + <primary>compatible</primary> + </indexterm><indexterm> + <primary>network</primary> + <secondary>traffic</secondary> + <tertiary>observation</tertiary> + </indexterm><indexterm> + <primary>defensible standards</primary> + </indexterm><indexterm> + <primary>secure networking</primary> + </indexterm> + It should be pointed out that had clear public specifications for the protocols + been published, it would have been much easier to implement this and would have + taken less time to do. The sole mechanism used to find an algorithm that is compatible + with the methods used by Microsoft has been based on observation of network traffic + and trial-and-error implementation of potential techniques. The real value of public + and defensible standards is obvious to all, and would have enabled more secure networking + for everyone. + </para> + + <para><indexterm> + <primary>Critics</primary> + </indexterm><indexterm> + <primary>digital sign'n'seal</primary> + </indexterm> + Critics of Samba often ignore fundamental problems that may plague (or may have plagued) + the users of Microsoft's products also. Those who are first to criticize Samba + for not rushing into release of <constant>digital sign'n'seal</constant> support + often dismiss the problems that Microsoft has + <ulink url="http://support.microsoft.com/default.aspx?kbid=321733">acknowledged</ulink> + and for which a fix was provided. In fact, + <ulink url="http://www.tangent-systems.com/support/delayedwrite.html">Tangent Systems</ulink> + appears even today<footnote>January 2004</footnote> to not be sure that the problem has been resolved. + So it is evident that some delay in release of new functionality may have + fortuitous consequences. + </para> + + <para><indexterm> + <primary>secure networking protocols</primary> + </indexterm><indexterm> + <primary>refereed standards</primary> + </indexterm><indexterm> + <primary>proprietary</primary> + </indexterm><indexterm> + <primary>digital rights</primary> + </indexterm><indexterm> + <primary>protection</primary> + </indexterm><indexterm> + <primary>networking protocols</primary> + </indexterm><indexterm> + <primary>diffusion</primary> + </indexterm><indexterm> + <primary>consumer</primary> + </indexterm><indexterm> + <primary>choice</primary> + </indexterm> + One final comment is warranted. If companies want more secure networking protocols, + the most effective method by which this can be achieved is by users seeking + and working together to help define open and publicly refereed standards. The + development of closed source, proprietary methods that are developed in a + clandestine framework of secrecy, under claims of digital rights protection, does + not favor the diffusion of safe networking protocols, and certainly does not + help the consumer to make a better choice. + </para></listitem> + </varlistentry> + + <varlistentry> + <term>Active Directory Replacement with Kerberos, LDAP, and Samba</term> + <indexterm> + <primary>Active Directory</primary> + <secondary>Replacement</secondary> + </indexterm><indexterm> + <primary>Kerberos</primary> + </indexterm><indexterm> + <primary>LDAP</primary> + </indexterm><indexterm> + <primary>remote procedure call</primary> + <see>RPC</see> + </indexterm> + <listitem><para> + <literallayout> </literallayout> + The Microsoft networking protocols extensively make use of remote procedure call (RPC) + technology. Active Directory is not a simple mixture of LDAP and Kerberos together + with file and print services, but rather is a complex intertwined implementation + of them that uses RPCs that are not supported by any of these component technologies + and yet by which they are made to interoperate in ways that the components do not + support. + </para> + + <para><indexterm> + <primary>Active Directory</primary> + <secondary>Server</secondary> + </indexterm><indexterm> + <primary>OpenLDAP</primary> + </indexterm><indexterm> + <primary>Kerberos</primary> + </indexterm><indexterm> + <primary>project maintainers</primary> + </indexterm><indexterm> + <primary>LDAP</primary> + </indexterm> + In order to make the popular request for Samba to be an Active Directory Server a + reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls + that are not presently supported. The Samba Team has not been able to gain critical + overall support for all project maintainers to work together on the complex + challenge of developing and integrating the necessary technologies. Therefore, if + the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality + into the Samba project, this dream request can not become a reality. + </para> + + <para><indexterm> + <primary>missing RPC's</primary> + </indexterm><indexterm> + <primary>road-map</primary> + </indexterm><indexterm> + <primary>ADS</primary> + <secondary>server</secondary> + </indexterm><indexterm> + <primary>MMC</primary> + </indexterm><indexterm> + <primary>managed</primary> + </indexterm> + At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the + Samba development roadmap. If it is not on the published roadmap, it cannot be delivered + anytime soon. Ergo, ADS server support is not a current goal for Samba development. + The Samba Team is most committed to permitting Samba to be a full ADS Domain member + that is increasingly capable of being managed using Microsoft Windows MMC tools. + </para></listitem> + </varlistentry> + </variablelist> + + <sect3> + <title>Kerberos Exposed</title> + + <para><indexterm> + <primary>kerberos</primary> + </indexterm><indexterm> + <primary>unauthorized activities</primary> + </indexterm><indexterm> + <primary>authorized location</primary> + </indexterm> + Kerberos is a network authentication protocol that provides secure authentication for + client-server applications by using secret-key cryptography. Firewalls are an insufficient + barrier mechanism in todays networking world as at best they only restrict incoming network + traffic but can not prevent network traffic that comes from authorized locations from + performing unauthorized activities. + </para> + + <para><indexterm> + <primary>strong cryptography</primary> + </indexterm><indexterm> + <primary>identity</primary> + </indexterm><indexterm> + <primary>integrity</primary> + </indexterm> + Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses + strong cryptography so that a client can prove its identity to a server (and vice versa) across an + insecure network connection. After a client and server has used Kerberos to prove their identity, + they can also encrypt all of their communications to assure privacy and data integrity as they go + about their business. + </para> + + <para><indexterm> + <primary>trusted third-party</primary> + </indexterm><indexterm> + <primary>principals</primary> + </indexterm><indexterm> + <primary>trusting</primary> + </indexterm><indexterm> + <primary>kerberos</primary> + <secondary>server</secondary> + </indexterm><indexterm> + <primary>secret</primary> + </indexterm> + Kerberos is a trusted third-party service. That means that there is a third party (the kerberos + server) that is trusted by all the entities on the network (users and services, usually called + principals). All principals share a secret password (or key) with the kerberos server and this + enables principals to verify that the messages from the kerberos server are authentic. Thus + trusting the kerberos server, users and services can authenticate each other. + </para> + + <para><indexterm> + <primary>restricted export</primary> + </indexterm><indexterm> + <primary>MIT Kerberos</primary> + </indexterm><indexterm> + <primary>Heimdal Kerberos</primary> + </indexterm> + Kerberos was until recently a technology that was restricted from being exported from the United States. + For many years that hindered global adoption of more secure networking technologies both within the USA + as well as outside it. A free an unencumbered implementation of MIT Kerberos has been produced in Europe + and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project. + In recent times the USA government has removed sanctions affecting the global distribution of MIT Kerberos. + It is likely that there will be a significant surge forward in the development of Kerberos enabled applications + and in the general deployment and use of Kerberos across the spectrum of the information technology industry. + </para> + + <para><indexterm> + <primary>Kerberos</primary> + <secondary>interoperability</secondary> + </indexterm> + A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation + of it. For example, a 2002 new report by <ulink url="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument">IDG</ulink> + states: + </para> + + <blockquote><para> + A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to + great lengths to disclose interfaces and protocols that allow third-party software products to interact + with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's + use of the Kerberos authentication specification, not everyone agrees. + </para> + + <para><indexterm> + <primary>Kerberos</primary> + <secondary>unspecified fields</secondary> + </indexterm> + Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared + before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version + 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with + the Microsoft OS. Microsoft takes advantage of unspecified fields in the Kerberos specification for storing + Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so + that software developers could add their own authorization information, he said. + </para></blockquote> + + <para><indexterm> + <primary>DCE</primary> + </indexterm><indexterm> + <primary>RPC</primary> + </indexterm> + It so happens that Microsoft Windows clients depend on and expect the contents of the <emphasis>unspecified + fields</emphasis> in the Kerberos 5 communications data stream for their Windows interoperability, in + particular when Samba is being expected to emulate a Windows Server 200x Domain Controller. But the interoperability + issue goes far deeper than this. In the Domain control protocols that are used by MS Windows XP Professional + there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment + (DCE) remote procedure calls (RPCs) that themselves are an integral part of the SMB/CIFS protocols as used by + Microsoft. + </para> + + <para> + Microsoft makes the following comment in a reference in a <ulink url="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp"> + technet</ulink> article: + </para> + + <blockquote><para><indexterm> + <primary>Privilege Attribute Certificates</primary> + <see>PAC</see> + </indexterm><indexterm> + <primary>access control</primary> + </indexterm> + The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC + representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos + tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership. + The DCE PAC is used in a similar manner as Windows NT Security IDs for user authorization and access control. + Windows NT services will not be able to translate DCE PACs into Windows NT user and group identifiers. This + is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and + Windows NT access control information. + </para></blockquote> + + </sect3> + + </sect2> + +</sect1> + +<sect1 id="ch10expl"> + <title>Implementation</title> + + <para> + The following procedures outline the implementation of the security measures discussed so far. + </para> + + <sect2> + <title>Share Access Controls</title> + + <para><indexterm> + <primary>Share Access Controls</primary> + </indexterm><indexterm> + <primary>filter</primary> + </indexterm><indexterm> + <primary>connection</primary> + </indexterm> + Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as + Windows XP Pro) attempts to make a connection to the Samba server. + </para> + + <procedure> + <title>Create/Edit/Delete Share ACLs</title> + <step><para><indexterm> + <primary>Domain Administrator</primary> + </indexterm><indexterm> + <primary>account</primary> + </indexterm> + From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator + account (on Samba Domains, this is usually the account called <constant>root</constant>). + </para></step> + + <step><para> + Click + <menuchoice> + <guimenu>Start</guimenu> + <guimenuitem>Settings</guimenuitem> + <guimenuitem>Control Panel</guimenuitem> + <guimenuitem>Administrative Tools</guimenuitem> + <guimenuitem>Computer Management</guimenuitem> + </menuchoice>. + </para></step> + + <step><para> + In the left panel, + <menuchoice> + <guimenu>[Right mouse menu item] Computer Management (Local)</guimenu> + <guimenuitem>Connect to another computer ...</guimenuitem> + <guimenuitem>Browse...</guimenuitem> + <guimenuitem>Advanced</guimenuitem> + <guimenuitem>Find Now</guimenuitem> + </menuchoice>. In the lower panel, click on the name of the server you wish to + administer. Click <menuchoice> + <guimenu>OK</guimenu> + <guimenuitem>OK</guimenuitem> + <guimenuitem>OK</guimenuitem> + </menuchoice>.<indexterm> + <primary>Computer Management</primary> + </indexterm> + In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect + the change made. For example, if the server you are administering is called <constant>FRODO</constant>, + the Computer Management entry should now say: <guimenu>Computer Management (FRODO)</guimenu>. + </para></step> + + <step><para> + In the left panel, click <menuchoice> + <guimenu>Computer Management (FRODO)</guimenu> + <guimenuitem>[+] Shared Folders</guimenuitem> + <guimenuitem>Shares</guimenuitem> + </menuchoice>. + </para></step> + + <step><para><indexterm> + <primary>ACLs</primary> + </indexterm><indexterm> + <primary>Share Permissions</primary> + </indexterm> + In the right panel, double-click on the share on which you wish to set/edit ACLs. This + will bring up the Properties panel. Click the <guimenu>Share Permissions</guimenu> tab. + </para></step> + + <step><para><indexterm> + <primary>access control settings</primary> + </indexterm><indexterm> + <primary>Everyone</primary> + </indexterm><indexterm> + <primary>full control</primary> + </indexterm><indexterm> + <primary>over-rule</primary> + </indexterm><indexterm> + <primary>permissions</primary> + </indexterm><indexterm> + <primary>rejected</primary> + </indexterm> + You may now edit/add/remove access control settings. Be very careful. Many problems have been + created by people who decided that Everyone should be rejected but one particular group should + have full control. This is a catch-22 situation because members of that particular group also + belong to the group <constant>Everyone</constant>, which therefore overrules any permissions + set for the permitted group. + </para></step> + + <step><para> + When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu> + buttons. + </para></step> + </procedure> + + </sect2> + + <sect2> + <title>Share Definition Controls</title> + + <para><indexterm> + <primary>Share Definition</primary> + <secondary>Controls</secondary> + </indexterm><indexterm> + <primary>check-point</primary> + </indexterm><indexterm> + <primary>pile-driver</primary> + </indexterm><indexterm> + <primary>credential</primary> + </indexterm><indexterm> + <primary>powers</primary> + </indexterm><indexterm> + <primary>privileges</primary> + </indexterm> + Share-definition-based access controls can be used like a check-point or like a pile-driver. Just as a + check-point can be used to require someone who wants to get through to meet certain requirements, so + it is possible to require the user (or group the user belongs to) to meet specified credential-related + objectives. It can be likened to a pile-driver by overriding default controls, in that having met the + credential-related objectives, the user can be granted powers and privileges that would not normally be + available under default settings. + </para> + + <para><indexterm> + <primary>access controls</primary> + </indexterm><indexterm> + <primary>ACLs</primary> + </indexterm><indexterm> + <primary>share definition controls</primary> + </indexterm><indexterm> + <primary>hierarchy of control</primary> + </indexterm> + It must be emphasized that the controls here discussed can act as a filter, or give rights of passage, + that act as a super-structure over normal directory and file access controls. However, share level + ACLs act at a higher level than to share definition controls because the user must filter through the + share level controls to get to the share definition controls. The proper hierarchy of controls implemented + by Samba and Windows networking consists of: + </para> + + <orderedlist> + <listitem><para>Share Level ACLs</para></listitem> + <listitem><para>Share Definition Controls</para></listitem> + <listitem><para>Directory and File Permissions</para></listitem> + <listitem><para>Directory and File Posix ACLs</para></listitem> + </orderedlist> + + <sect3> + <title>Check-point Controls</title> + + <para><indexterm> + <primary>Check-point Controls</primary> + </indexterm> + Consider the following extract from a &smb.conf; file defining the share called <constant>Apps</constant>: +<screen> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + valid users = @Employees +</screen> + This definition permits only those who are members of the group called <constant>Employees</constant> to + access the share. + </para> + + <note><para><indexterm> + <primary>Domain Member</primary> + <secondary>servers</secondary> + </indexterm><indexterm> + <primary>winbind use default domain</primary> + </indexterm><indexterm> + <primary>fully qualified</primary> + </indexterm><indexterm> + <primary>valid users</primary> + </indexterm><indexterm> + <primary>delimiter</primary> + </indexterm> + On Domain Member servers and clients, even when the <parameter>winbind use default domain</parameter> has + been specified, the use of Domain accounts in security controls requires fully qualified Domain specification, + for example, <smbconfoption name="valid users">@"MEGANET\Northern Engineers"</smbconfoption>. + Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a + delimiter. + </para></note> + + <para><indexterm> + <primary>ACL</primary> + </indexterm><indexterm> + <primary>access</primary> + </indexterm><indexterm> + <primary>validate</primary> + </indexterm> + If there is an ACL on the share itself to permit read/write access for all <constant>Employees</constant> + as well as read/write for the group <constant>Doctors</constant>, both groups are permitted through + to the share. However, at the moment an attempt is made to set up a connection to the share, a member of + the group <constant>Doctors</constant>, who is not also a member of the group <constant>Employees</constant>, + would immediately fail to validate. + </para> + + <para><indexterm> + <primary>share definition controls</primary> + </indexterm> + Consider another example. In this case, you want to permit all members of the group <constant>Employees</constant> + to access the <constant>Apps</constant> share, except the user <constant>patrickj</constant>. This can be + easily achieved by setting a share level ACL permitting only <constant>Employees</constant> to access the share, + and then in the share definition controls excluding just <constant>patrickj</constant>. Here is how that might + be done: +<screen> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + invalid users = patrickj +</screen> + <indexterm> + <primary>permissions</primary> + </indexterm> + Let us assume that you want to permit the user <constant>gbshaw</constant>, to manage any file in the + UNIX/Linux file system directory <filename>/data/apps</filename>, but you do not want to grant any write + permissions beyond that directory tree. Here is one way this can be done: +<screen> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + invalid users = patrickj + admin users = gbshaw +</screen> + <indexterm> + <primary>administrative rights</primary> + </indexterm> + Now we have a set of controls that permits only <constant>Employees</constant> who are also members of + the group <constant>Doctors</constant>, excluding the user <constant>patrickj</constant>, to have + read-only privilege, but the user <constant>gbshaw</constant> is granted administrative rights. + The administrative rights conferred upon the user <constant>gbshaw</constant> permit operation as + if that user has logged in as the user <constant>root</constant> on the UNIX/Linux system, and thus + for access to the directory tree that has been shared (exported) permit the user to override controls + that apply to all other users on that resource. + </para> + + <para> + There are additional check-point controls that may be used. For example, if for the same share we now + want to provide the user <constant>peters</constant> with the ability to write to one directory to + which he has write privilege in the UNIX file system, you can specifically permit that with the + following settings: +<screen> +[Apps] + comment = Application Share + path = /data/apps + read only = Yes + invalid users = patrickj + admin users = gbshaw + write list = peters +</screen> + <indexterm> + <primary>check-point controls</primary> + </indexterm> + This is a particularly complex example at this point, but it begins to demonstrate the possibilities. + You should refer to the on-line manual page for the &smb.conf; file for more information regarding + the check-point controls that Samba implements. + </para> + + </sect3> + + <sect3> + <title>Override Controls</title> + + <para><indexterm> + <primary>over-ride controls</primary> + </indexterm> + Override controls implemented by Samba permit actions like the adoption of a different identity + during file system operations, the forced overwriting of normal file and directory permissions, + and so on. You should refer to the on-line manual page for the &smb.conf; file for more information regarding + the override controls that Samba implements. + </para> + + <para> + In the following example, you want to create a Windows networking share that any user can access. + However, you want all read and write operations to be performed as if the user <constant>billc</constant> + and member of the group <constant>Mentors</constant> read/write the files. Here is one way this + can be done: +<screen> +[someshare] + comment = Some Files Everyone May Overwrite + path = /data/somestuff + read only = No + force user = billc + force group = Mentors +</screen> + <indexterm> + <primary>forced settings</primary> + </indexterm><indexterm> + <primary>overheads</primary> + </indexterm> + That is all there is to it. Well, it is almost that simple. The downside of this method is that + users are logged onto the Windows client as themselves, and then immediately before accessing the + file, Samba makes system calls to change the effective user and group to the forced settings + specified, completes the file transaction, and then reverts to the actually logged on identity. + This imposes significant overhead on Samba. The alternative way that effectively the same result + can be achieved (but with lower system CPU overheads) is described next. + </para> + + <para><indexterm> + <primary>force user</primary> + </indexterm><indexterm> + <primary>force group</primary> + </indexterm><indexterm> + <primary>opportunistic</primary> + <secondary>locking</secondary> + </indexterm><indexterm> + <primary>oplock break</primary> + </indexterm><indexterm> + <primary>performance degradation</primary> + </indexterm> + The use of the <parameter>force user</parameter>, or the <parameter>force group</parameter>, may + also have a severe impact on system (and in particular Windows client) performance. If opportunistic + locking is enabled on the share (the default), it causes an <constant>oplock break</constant> to be + sent to the client, even if the client has not opened the file. On networks that have high traffic + density, or on links that are routed to a remote network segment, <constant>oplock breaks</constant> + can be lost. This results in possible retransmission of the request, or the client may time-out while + waiting for the file system transaction (read or write) to complete. The result can be a profound + apparent performance degradation as the client continually attempts to reconnect to overcome the + effect of the lost <constant>oplock break</constant>, or time-out. + </para> + + </sect3> + + </sect2> + + <sect2> + <title>Share Point Directory and File Permissions</title> + + <para><indexterm> + <primary>security</primary> + </indexterm><indexterm> + <primary>privilege controls</primary> + </indexterm><indexterm> + <primary>permission</primary> + </indexterm><indexterm> + <primary>share definition controls</primary> + </indexterm> + Samba has been designed and implemented so that it respects as far as is feasible the security and + user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing + with respect to file system access that violates file system permission settings, unless it is + explicitly instructed to do otherwise through share definition controls. Given that Samba obeys + UNIX file system controls, this chapter does not document simple information that can be obtained + from a basic UNIX training guide. Instead, one common example of a typical problem is used + to demonstrate the most effective solution referred to in the immediately preceding paragraph. + </para> + + <para><indexterm> + <primary>Microsoft Office</primary> + </indexterm><indexterm> + <primary>Word</primary> + </indexterm><indexterm> + <primary>Excel</primary> + </indexterm> + One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of + Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence: + </para> + + <orderedlist> + <listitem><para> + A user opens a Work document from a network drive. The file was owned by user <constant>janetp</constant> + and <group>users</group>, and was set read/write enabled for everyone. + </para></listitem> + + <listitem><para> + File changes and edits are made. + </para></listitem> + + <listitem><para> + The file is saved, and MS Word is closed. + </para></listitem> + + <listitem><para> + The file is now owned by the user <constant>billc</constant> and group <constant>doctors</constant>, + and is set read/write by <constant>billc</constant>, read only by <constant>doctors</constant>, and + no access by everyone. + </para></listitem> + + <listitem><para> + The original owner can not now access her own file and is <quote>justifiably</quote> upset. + </para></listitem> + </orderedlist> + + <para> + There have been many postings over the years that report the same basic problem. Frequently Samba users + want to know when this <quote>bug</quote> will be fixed. The fact is, this is not a bug in Samba at all. + Here is the real sequence of what happens in the case mentioned above. + </para> + + <para><indexterm> + <primary>MS Word</primary> + </indexterm><indexterm> + <primary>ownership</primary> + </indexterm><indexterm> + <primary>permissions</primary> + </indexterm> + When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned + by the user who creates the file (<constant>billc</constant>) and has the permissions that follow + that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing + the file to disk, it then renames the new (temporary) file to the name of the old one. MS Word does not + change the ownership or permissions to what they were on the original file. The file is thus a totally + new file, and the old one has been deleted in the process. + </para> + + <para> + Samba received a request to create a new file, and then to rename the file to a new name. The old file that + has the same name is now automatically deleted. Samba has no way of knowing that the new file should + perhaps have the same ownership and permissions as the old file. To Samba, these are entirely independent + operations. + </para> + + <para> + The question is: <quote>How can we solve the problem?</quote> + </para> + + <para> + The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these + simple steps to create a share in which all files will consistently be owned by the same user and the + same group: + </para> + + + <procedure> + <title>Using Directory Permissions to Force File User and Group Ownership</title> + <step><para> + Change your share definition so that it matches this pattern: +<screen> +[finance] + path = /usr/data/finance + browseable = Yes + read only = No +</screen> + </para></step> + + <step><para><indexterm> + <primary>permissions</primary> + <secondary>user</secondary> + </indexterm><indexterm> + <primary>permissions</primary> + <secondary>group</secondary> + </indexterm> + Set consistent user and group permissions recursively down the directory tree as shown here: +<screen> +&rootprompt; chown -R janetp.users /usr/data/finance +</screen> + </para></step> + + <step><para><indexterm> + <primary>accessible</primary> + </indexterm> + Set the files and directory permissions to be read/write for owner and group, and not accessible + to others (everyone) using the following command: +<screen> +&rootprompt; chmod ug+rwx,o-rwx /usr/data/finance +</screen> + </para></step> + + <step><para><indexterm> + <primary>SGID</primary> + </indexterm> + Set the SGID (super-group) bit on all directories from the top down. This means all files + can be created with the permissions of the group set on the directory. It means all users + who are members of the group <constant>finance</constant> can read and write all files in + the directory. The directory is not readable or writable by anyone who is not in the + <constant>finance</constant> group. Simply follow this example: +<screen> +&rootprompt; find /usr/data/finance -type d -exec chmod ug+s {}\; +</screen> + + </para></step> + + <step><para><indexterm> + <primary>group membership</primary> + </indexterm><indexterm> + <primary>primary group</primary> + </indexterm><indexterm> + <primary>/etc/passwd</primary> + </indexterm> + Make sure all users that must have read/write access to the directory have + <constant>finance</constant> group membership as their primary group, + for example, the group they belong to in <filename>/etc/passwd</filename>. + </para></step> + </procedure> + + </sect2> + + <sect2> + <title>Managing Windows 200x ACLs</title> + + <para><indexterm> + <primary>translate</primary> + </indexterm><indexterm> + <primary>Windows 2000 ACLs</primary> + </indexterm><indexterm> + <primary>Posix ACLs</primary> + </indexterm><indexterm> + <primary>side effects</primary> + </indexterm> + Samba must translate Windows 2000 ACLs to UNIX Posix ACLs. This has some interesting side effects because + of the fact that there is not a 1:1 equivalence between them. The as-close-as-possible ACLs match means + that some transactions are not possible from MS Windows clients. One of these is to reset the ownership + of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login. + </para> + + <para> + There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation, + either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface. + </para> + + <sect3> + <title>Using the MMC Computer Management Interface</title> + + <procedure> + <step><para> + From a Windows 200x/XP Professional workstation, log onto the Domain using the Domain Administrator + account (on Samba Domains, this is usually the account called <constant>root</constant>). + </para></step> + + <step><para> + Click + <menuchoice> + <guimenu>Start</guimenu> + <guimenuitem>Settings</guimenuitem> + <guimenuitem>Control Panel</guimenuitem> + <guimenuitem>Administrative Tools</guimenuitem> + <guimenuitem>Computer Management</guimenuitem> + </menuchoice>. + </para></step> + + <step><para> + In the left panel, + <menuchoice> + <guimenu>[Right mouse menu item] Computer Management (Local)</guimenu> + <guimenuitem>Connect to another computer ...</guimenuitem> + <guimenuitem>Browse...</guimenuitem> + <guimenuitem>Advanced</guimenuitem> + <guimenuitem>Find Now</guimenuitem> + </menuchoice>. In the lower panel, click on the name of the server you wish to + administer. Click <menuchoice> + <guimenu>OK</guimenu> + <guimenuitem>OK</guimenuitem> + <guimenuitem>OK</guimenuitem> + </menuchoice>. + In the left panel, the entry <guimenu>Computer Management (Local)</guimenu> should now reflect + the change made. For example, if the server you are administering is called <constant>FRODO</constant>, + the Computer Management entry should now say: <guimenu>Computer Management (FRODO)</guimenu>. + </para></step> + + <step><para> + In the left panel, click <menuchoice> + <guimenu>Computer Management (FRODO)</guimenu> + <guimenuitem>[+] Shared Folders</guimenuitem> + <guimenuitem>Shares</guimenuitem> + </menuchoice>. + </para></step> + + <step><para><indexterm> + <primary>Security</primary> + </indexterm><indexterm> + <primary>Properties</primary> + </indexterm><indexterm> + <primary>Permissions</primary> + </indexterm><indexterm> + <primary>Samba Domain server</primary> + </indexterm> + In the right panel, double-click on the share on which you wish to set/edit ACLs. This + brings up the Properties panel. Click the <guimenu>Security</guimenu> tab. It is best + to edit ACLs using the <constant>Advanced</constant> editing features. Click the + <guimenu>Advanced</guimenu> button. This opens a panel that has four tabs. Only the + functionality under the <constant>Permissions</constant> tab can be utilized with respect + to a Samba Domain server. + </para></step> + + <step><para><indexterm> + <primary>access control</primary> + </indexterm><indexterm> + <primary>permitted group</primary> + </indexterm> + You may now edit/add/remove access control settings. Be very careful. Many problems have been + created by people who decided that Everyone should be rejected but one particular group should + have full control. This is a catch-22 situation because members of that particular group also + belong to the group <constant>Everyone</constant>, which therefore overrules any permissions + set for the permitted group. + </para></step> + + <step><para> + When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu> + buttons until the last panel closes. + </para></step> + </procedure> + + </sect3> + + <sect3> + <title>Using MS Windows Explorer (File Manager)</title> + + <para> + The following alternative method may be used from a Windows workstation. In this example we work + with a Domain called <constant>MEGANET</constant>, a server called <constant>MASSIVE</constant>, and a + share called <constant>Apps</constant>. The underlying UNIX/Linux share point for this share is + <filename>/data/apps</filename>. + </para> + + <procedure> + <step><para> + Click <menuchoice> + <guimenu>Start</guimenu> + <guimenuitem>[right-click] My Computer</guimenuitem> + <guimenuitem>Explore</guimenuitem> + <guimenuitem>[left panel] [+] My Network Places</guimenuitem> + <guimenuitem>[+] Entire Network</guimenuitem> + <guimenuitem>[+] Microsoft Windows Network</guimenuitem> + <guimenuitem>[+] Meganet</guimenuitem> + <guimenuitem>[+] Massive</guimenuitem> + <guimenuitem>[right-click] Apps</guimenuitem> + <guimenuitem>Properties</guimenuitem> + <guimenuitem>Security</guimenuitem> + <guimenuitem>Advanced</guimenuitem> + </menuchoice>. This opens a panel that has four tabs. Only the functionality under the + <constant>Permissions</constant> tab can be utilized in respect to a Samba Domain server. + </para></step> + + <step><para><indexterm> + <primary>full control</primary> + </indexterm><indexterm> + <primary>over-rule</primary> + </indexterm> + You may now edit/add/remove access control settings. Be very careful. Many problems have been + created by people who decided that Everyone should be rejected but one particular group should + have full control. This is a catch-22 situation because members of that particular group also + belong to the group <constant>Everyone</constant>, which therefore overrules any permissions + set for the permitted group. + </para></step> + + <step><para> + When you are done with editing, close all panels by clicking through the <guimenu>OK</guimenu> + buttons until the last panel closes. + </para></step> + </procedure> + + </sect3> + + <sect3> + <title>Setting Posix ACLs in UNIX/Linux</title> + + <para><indexterm> + <primary>desired security setting</primary> + </indexterm><indexterm> + <primary>shared resource</primary> + </indexterm> + Yet another alternative method for setting desired security settings on the shared resource files and + directories can be achieved by logging into UNIX/Linux and setting Posix ACLs directly using command-line + tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9 + Linux system: + </para> + + <procedure> + <step><para> + Log into the Linux system as the user <constant>root</constant>. + </para></step> + + <step><para> + Change directory to the location of the exported (shared) Windows file share (Apps), which is in + the directory <filename>/data</filename>. Execute the following: +<screen> +&rootprompt; cd /data +</screen> + Retrieve the existing Posix ACLs entry by executing: +<screen> +&rootprompt; getfacl apps +# file: apps +# owner: root +# group: root +user::rwx +group::rwx +other::r-x +</screen> + </para></step> + + <step><para><indexterm> + <primary>recursively</primary> + </indexterm> + You want to add permission for <constant>AppsMgrs</constant> to enable them to + manage the applications (apps) share. It is important to set the ACL recursively + so that the AppsMgrs have this capability throughout the directory tree that is + being shared. This is done using the <constant>-R</constant> option as shown. + Execute the following: +<screen> +&rootprompt; setfacl -m -R group:AppsMgrs:rwx /data/apps +</screen> + Because setting an ACL does not provide a response, you immediately validate the command executed + as follows: +<screen> +&rootprompt; getfacl /data/apps +# file: apps +# owner: root +# group: root +user::rwx +group::rwx +group:AppsMgrs:rwx +mask::rwx +other::r-x +</screen> + This confirms that the change of Posix ACL permissions has been effective. + </para></step> + + <step><para><indexterm> + <primary>setfacl</primary> + </indexterm><indexterm> + <primary>getfacl</primary> + </indexterm><indexterm> + <primary>directory tree</primary> + </indexterm><indexterm> + <primary>Windows ACLs</primary> + </indexterm><indexterm> + <primary>inheritance</primary> + </indexterm> + It is highly recommend that you should read the on-line manual page for the <command>setfacl</command> + and <command>getfacl</command> commands. This provides information regarding how to set/read the default + ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent + of setting <constant>inheritance</constant> properties. + </para></step> + </procedure> + + </sect3> + + </sect2> + + <sect2> + <title>Key Points Learned</title> + + <para> + The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. + Looking back, this chapter could be broken into two, but it's too late now. It has been done. + The highlights covered are: + </para> + + <itemizedlist> + <listitem><para><indexterm> + <primary>Winbind</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + </indexterm><indexterm> + <primary>password change</primary> + </indexterm><indexterm> + <primary>logon hours</primary> + </indexterm> + Winbind honors and does not override account controls set in Active Directory. + This means that password change, logon hours, and so on, are (or soon will be) enforced + by Samba Winbind. At this time, an out-of-hours login is denied and password + change is enforced. At this time, if logon hours expire, the user is not forcibly + logged off. That may be implemented at some later date. + </para></listitem> + + <listitem><para><indexterm> + <primary>Sign'n'seal</primary> + </indexterm><indexterm> + <primary>schannel</primary> + </indexterm> + Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential + problems acknowledged by Microsoft as having been fixed, but reported by some as still + possibly an open issue. + </para></listitem> + + <listitem><para><indexterm> + <primary>Kerberos</primary> + </indexterm><indexterm> + <primary>OpenLDAP</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + </indexterm><indexterm> + <primary>inter-operability</primary> + </indexterm> + The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft + Active Directory. The possibility to do this is not planned in the current Samba-3 + roadmap. Samba-3 does aim to provide further improvements in interoperability so that + UNIX/Linux systems may be fully integrated into Active Directory Domains. + </para></listitem> + + <listitem><para> + This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of + the four key methodologies was reviewed with specific reference to example deployment + techniques. + </para></listitem> + </itemizedlist> + + </sect2> + +</sect1> + +<sect1> + <title>Questions and Answers</title> + + <para> + </para> + + <qandaset defaultlabel="chap10qa" type="number"> + <qandaentry> + <question> + + <para><indexterm> + <primary>Sign'n'seal</primary> + </indexterm><indexterm> + <primary>registry hacks</primary> + </indexterm> + Does Samba-3 require the <constant>Sign'n'seal</constant> registry hacks needed by Samba-2? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>schannel</primary> + </indexterm><indexterm> + <primary>Sign'n'seal</primary> + </indexterm><indexterm> + <primary>registry change</primary> + </indexterm> + No. Samba-3 fully supports <constant>Sign'n'seal</constant> as well as <constant>schannel</constant> + operation. The registry change should not be applied when Samba-3 is used as a Domain Controller. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + Does Samba-3 support Active Directory? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>Active Directory</primary> + </indexterm> + Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not + provide Active Directory services. It cannot be used to replace a Microsoft Active Directory + server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, + and it can function as an Active Directory Domain Member server. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>mixed-mode</primary> + </indexterm> + When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was + necessary with Samba-2? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>native</primary> + </indexterm> + No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x + Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, + as Samba-3 can join a native Windows 2003 Server ADS Domain. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>share level access controls</primary> + </indexterm> + Is it safe to set share level access controls in Samba? + </para> + + </question> + <answer> + + <para> + Yes. Share level access controls have been supported since early versions of Samba-2. This is + very mature technology. Not enough sites make use of this powerful capability, neither on + Windows server or with Samba servers. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>share ACLs</primary> + </indexterm> + Is it mandatory to set share ACLs to get a secure Samba-3 server? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>file system security</primary> + </indexterm><indexterm> + <primary>Windows 200x ACLs</primary> + </indexterm><indexterm> + <primary>share definition controls</primary> + </indexterm><indexterm> + <primary>share level ACL</primary> + </indexterm><indexterm> + <primary>security</primary> + </indexterm> + No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides + means of securing shares through share definition controls in the &smb.conf; file. The additional + support for share level ACLs is like frosting on the cake. It adds to security, but is not essential + to it. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>valid users</primary> + </indexterm> + The <parameter>valid users</parameter> did not work on the <smbconfsection name="[homes]"/>. + Has this functionality been restored yet? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>meta-service</primary> + </indexterm> + Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard + on the <smbconfsection name="[homes]"/> meta-service. The correct way to specify this is: + <smbconfoption name="valid users">%S</smbconfoption>. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>force user</primary> + </indexterm><indexterm> + <primary>force group</primary> + </indexterm><indexterm> + <primary>bias</primary> + </indexterm> + Is the bias against use of the <parameter>force user</parameter> and <parameter>force group</parameter> + really warranted? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>performance</primary> + </indexterm> + There is no bias. There is a determination to recommend the right tool for the task at hand. + After all, it is better than putting users through performance problems, isn't it? + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + The example given for file and directory access control forces all files to be owned by one + particular user. I do not like that. Is there any way I can see who created the file? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>SUID</primary> + </indexterm> + Sure. You do not have to set the SUID bit on the directory. Simply execute the following command + to permit file ownership to be retained by the user who created it: +<screen> +&rootprompt; find /usr/data/finance -type d -exec chmod g+s {}\; +</screen> + Note that this required no more than removing the <constant>u</constant> argument so that the + SUID bit is not set for the owner. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>Computer Management</primary> + </indexterm> + In the book, <quote>The Official Samba-3 HOWTO and Reference Guide</quote>, you recommended use + of the Windows NT4 Server Manager (part of the <filename>SRVTOOLS.EXE</filename>) utility. Why + have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>MMC</primary> + </indexterm><indexterm> + <primary>SRVTOOLS.EXE</primary> + </indexterm> + Either tool can be used with equal effect. There is no benefit of one over the other, except that + the MMC utility is present on all Windows 200x/XP systems and does not require additional software + to be downloaded and installed. Note that if you want to manage user and group accounts in your + Samba controlled Domain, the only tool that permits that is the NT4 Domain User Manager which + is provided as part of the <filename>SRVTOOLS.EXE</filename> utility. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>valid users</primary> + </indexterm><indexterm> + <primary>Active Directory</primary> + </indexterm><indexterm> + <primary>Domain Member server</primary> + </indexterm> + I tried to set <parameter>valid users = @Engineers</parameter>, but it does not work. My Samba + server is an Active Directory Domain Member server. Has this been fixed now? + </para> + + </question> + <answer> + + <para> + The use of this parameter has always required the full specification of the Domain account, for + example, <parameter>valid users = @"MEGANET2\Domain Admins"</parameter>. + </para> + + </answer> + </qandaentry> + + </qandaset> + +</sect1> + +</chapter> + |