From c4e3642617b98f86e2123ef4ca596b20e8a69aca Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 5 Jul 2005 18:21:15 +0000 Subject: Fix changed link - thanks Eric. (This used to be commit f92e5f6392d0afaa9b24d7af1329b3923c7f9576) --- docs/Samba3-ByExample/SBE-KerberosFastStart.xml | 46 +++++++++++-------------- docs/Samba3-ByExample/SBE-MakingHappyUsers.xml | 10 ++++-- 2 files changed, 29 insertions(+), 27 deletions(-) (limited to 'docs/Samba3-ByExample') diff --git a/docs/Samba3-ByExample/SBE-KerberosFastStart.xml b/docs/Samba3-ByExample/SBE-KerberosFastStart.xml index 58ac2b6931..e2b2e4b83e 100644 --- a/docs/Samba3-ByExample/SBE-KerberosFastStart.xml +++ b/docs/Samba3-ByExample/SBE-KerberosFastStart.xml @@ -766,9 +766,10 @@ acknowledged and for which a fix was provided. In fact, Tangent Systems - appears even todayJanuary 2004 to be unsure whether the problem has been resolved, - it is evident that some delay in release of new functionality may have - fortuitous consequences. + have documented a significant problem with delays writes that can be connected with the + implementation of sign'n'seal. They provide a work-around that is not trivial for many + Windows networking sites. From notes such as this it is clear that there are benefits + from not rushing new technology out of the door too soon. @@ -915,13 +916,10 @@ trusting the kerberos server, users and services can authenticate each other. - - restricted export - - MIT Kerberos - - Heimdal Kerberos - + + restricted export + MIT Kerberos + Heimdal Kerberos Kerberos was, until recently, a technology that was restricted from being exported from the United States. For many years that hindered global adoption of more secure networking technologies both within the United States and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe 
@@ -931,12 +929,13 @@ and in the general deployment and use of Kerberos across the spectrum of the information technology industry. - - Kerberos - interoperability - + + Kerberosinteroperability A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation - of it. For example, a 2002 report by IDG + of it. For example, a 2002 + IDG + reportNote: This link is no longer active. The same article is still + available from ITWorld.com (July 5, 2005) by states: @@ -947,10 +946,8 @@ use of the Kerberos authentication specification, not everyone agrees. - - Kerberos - unspecified fields - + + Kerberosunspecified fields Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with @@ -959,11 +956,9 @@ that software developers could add their own authorization information, he said. - - DCE - - RPC - + + DCE + RPC It so happens that Microsoft Windows clients depend on and expect the contents of the unspecified fields in the Kerberos 5 communications data stream for their Windows interoperability, particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability @@ -974,7 +969,8 @@ - Microsoft makes the following comment in a reference in a + Microsoft makes the following comment in a reference in a + technet article: diff --git a/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml b/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml index ba708668dd..9a95b8b44a 100644 --- a/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml +++ b/docs/Samba3-ByExample/SBE-MakingHappyUsers.xml 
@@ -51,6 +51,9 @@ clients is conservative and if followed will minimize problems &smbmdash; but it + PDC + BDC + clients per DC If the domain controller provides only network logon services and all file and print activity is handled by domain member servers, one domain controller per 150 clients on a single network segment may suffice. In any @@ -58,8 +61,11 @@ clients is conservative and if followed will minimize problems &smbmdash; but it per network segment. It is better to have at least one BDC on the network segment that has a PDC. If the domain controller is also used as a file and print server, the number of clients it can service reliably is reduced, - and a common rule is not to exceed 30 machines (Windows workstations plus - domain member servers) per domain controller. + and generally for low powered hardware should not exceed 30 machines (Windows + workstations plus domain member servers) per domain controller. Many sites are + able to operate with more clients per domain controller, the number of clients + that can be supported is limited by the CPU speed, memory and the workload on + the Samba server as well as network bandwidth utilization. -- cgit
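Review bot: "delays writes" in the added Tangent Systems sentence of SBE-KerberosFastStart.xml (hunk @@ -766,9 +766,10) should read "delayed writes", and "Tangent Systems ... have documented" would read better as "has documented". The removed text carried the date "January 2004" and the new wording has none, so the reader can no longer tell when the problem was documented; suggest keeping a date. "sign'n'seal" is informal for reference documentation unless the book already uses that term elsewhere.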
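Review bot: the added lines in hunk @@ -931,12 +929,13 of SBE-KerberosFastStart.xml leave a stray "by" in front of "states:", so the sentence now reads "a 2002 IDG report ... by states:"; drop the "by" or name the author after it. The added note says "This link is no longer active" while the commit subject says the link was fixed; if the ITWorld.com copy is the working source, link to it directly and the note is not needed. The unchanged context line above has "Microsofts'", which should be "Microsoft's" and could be corrected while this paragraph is being edited.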
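Review bot: the rewritten capacity guidance in hunk @@ -58,8 +61,11 of SBE-MakingHappyUsers.xml is not covered by the commit subject ("Fix changed link"); put it in its own commit or mention it in the message so the change to the 30-machine recommendation can be found later. In the added text, "Many sites are able to operate with more clients per domain controller, the number of clients that can be supported is limited by ..." is a comma splice and should be two sentences, and "low powered hardware" should be "low-powered hardware".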