Hello there folks,

I have been using the latest alpha version, I believe it is 5, which proves to be a bit better than the previous work, but I do face some serious problems.

This is my first time installing samba on a SunOS 4.1.4 and I do have some concern about how samba works.

Assuming the existence of 2 Unix systems that are exporting filesystems between them, and 1 PC that requests home dirs from one of the systems, samba allows mounting of any home directory even if it is not on the server that the smbd daemon is running from.

For example: My Home dir is on server A which runs the smbd daemon as well, while a user B is having his home directory on Server C.

Server A, exports the home dirs of C as well. A & C are both Unix machines.

If I go onto my PC which is called D, I can request the following network map drive:

//A/spiros which is a legal operation for my home.
if I do a //A/B I am again allowed to mount User B's home dir even though I do not explicitly state the transition of C->A->PC.

Furthermore in this release, the following flags are not working as stated:

wide links = No ( you have called it a Service specific attribute, while it only gets read by the program if placed on the global section ) and it is mounting the link point but does not follow it... Is there a reason to mount if you won't follow the link?

invalid users = root, sys, daemon, anonymous, sync, nobody, guest
but yet I can do the following and mount with no problem:

//A/root

Also, invalid users is a (S) feature and not global according to the manual, but both services have to be placed on the global section in order to be read by the daemon. testparm executable program shows me that fact as soon as I place the services in [Global].

Please let me know if you can help,

Spiros B.

On Tue, 12 Aug 1997, Spiros B. wrote:

> Assuming the existence of 2 Unix systems that are exporting filesystems between
> them, and 1 PC that requests home dirs from one of the systems, samba allows
> mounting of any home directory even if it is not on the server that the smbd
> daemon is running from.
>
> For example: My Home dir is on server A which runs the smbd daemon as well,
> while a user B is having his home directory on Server C.
>
> Server A, exports the home dirs of C as well. A & C are both Unix machines.
>
> If I go onto my PC which is called D, I can request the following network map
> drive:
>
> //A/spiros which is a legal operation for my home.
> if I do a //A/B I am again allowed to mount User B's home dir even though I do
> not explicitly state the transition of C->A->PC.

this is a little confusing, however i think i follow you. the access
that you are seeing, namely, C->A->PC is correct. your server A is
exporting a directory on C. therefore, the PC, when connecting to A,
will cause A to contact C.

there are two ways round this:

1) upgrade samba to "DFS-aware"; upgrade your clients to "DFS-aware".
this will involve some code writing in samba.

2) use the (new) automap features (that i don't fully understand) which
will allow you to mount the user's home directory from the NIS auto.home
map. this specifies the host as well as the directory. you will need to
be running a samba server on _every_ host referred to in the auto.home
map. i suspect that there is more work to do in this area.

> Furthermore in this release, the following flags are not working as stated:
>
> wide links = No ( you have called it a Service specific attribute, while it
> only gets read by the program if placed on the global section ) and it is
> mounting the link point but does not follow it... Is there a reason to mount if
> you won't follow the link?

don't know about this one.

> invalid users = root, sys, daemon, anonymous, sync, nobody, guest
> but yet I can do the following and mount with no problem:
>
> //A/root

that depends on whether you have allowed guest access or not (which,
amongst other things, is a compilation option).

you will probably find that "invalid users", with the right kind of guest
access compiled in, will be mapped to the guest account. set "guest ok
= no" in each share that you do not wish to allow guest access. and
check the guest compilation options.

> Also, invalid users is a (S) feature and not global according to the manual, but
> both services have to be placed on the global section in order to be read by the
> daemon. testparm executable program shows me that fact as soon as I place the
> services in [Global].

thank you for pointing this out.

regards,

luke

On Tue, 12 Aug 1997, Spiros B. wrote:

> Also, invalid users is a (S) feature and not global according to the manual, but
> both services have to be placed on the global section in order to be read by the
> daemon. testparm executable program shows me that fact as soon as I place the
> services in [Global].

just had a closer look at this. grep for lp_invalid_users() in the source. you will find that "invalid users" comes up as a FN_LOCAL_STRING(), and that it takes a SNUM() - a service - as a parameter.

if you place service parameters in the [global] section, then they become *defaults* for any services that you create, over-riding the compile-time defaults for any services that you create.

[note to djf - this answers your question that you asked a few weeks ago, while writing your win32 smb.conf generator].

luke

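Added example (not part of the original thread and not Samba code): a small Python model of the rule described in the message above, where service parameters placed in [global] become defaults for every service and a service's own setting overrides them. The compile-time defaults, the sample configuration and all function names are assumptions made for the illustration.

```python
# Illustrative model only; COMPILED_DEFAULTS values are assumed for the demo.
COMPILED_DEFAULTS = {"invalid users": "", "guest ok": "no", "wide links": "yes"}

# Constructed sample configuration using the parameters named in the thread.
SAMPLE_CONF = """\
; constructed sample
[global]
   invalid users = root, sys, daemon
   Wide Links = No

[homes]
   guest ok = no

[tmp]
   path = /tmp
   invalid users =
   guest ok = yes
"""

def norm(name):
    # Simplification: compare parameter names lower-cased, whitespace collapsed.
    return " ".join(name.lower().split())

def parse(text):
    """Return {section: {parameter: value}} for an smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def effective(sections):
    """Per-service settings: compiled defaults < [global] < the service itself."""
    defaults = {**COMPILED_DEFAULTS, **sections.get("global", {})}
    return {name: {**defaults, **params}
            for name, params in sections.items() if name != "global"}

def shares_admitting(user, sections):
    """Services whose effective 'invalid users' list does not name `user`.
    Only plain user names are modelled here."""
    admitted = []
    for name, params in effective(sections).items():
        banned = {u.strip() for u in params["invalid users"].split(",") if u.strip()}
        if user not in banned:
            admitted.append(name)
    return sorted(admitted)

if __name__ == "__main__":
    conf = parse(SAMPLE_CONF)
    print(effective(conf))
    print("root not excluded on:", shares_admitting("root", conf))
```

Running a check like this over a real configuration shows which services silently drop a [global] default because they set the same parameter themselves.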
> this is a little confusing, however i think i follow you. the access
> that you are seeing, namely, C->A->PC is correct. your server A is
> exporting a directory on C. therefore, the PC, when connecting to A,
> will cause A to contact C.
>
> there are two ways round this:
>
> 1) upgrade samba to "DFS-aware"; upgrade your clients to "DFS-aware".
> this will involve some code writing in samba.
>
> 2) use the (new) automap features (that i don't fully understand) which
> will allow you to mount the user's home directory from the NIS auto.home
> map. this specifies the host as well as the directory. you will need to
> be running a samba server on _every_ host referred to in the auto.home
> map. i suspect that there is more work to do in this area.

Thank you very much for replying to my post Luke.

I am already using the auto.home NIS map in all of our systems and I have used the nis homedir = Yes flag as well.

What I do not understand is why would we have to use samba on _every_ host in the automounter entries. Shouldn't samba deny access to untrusted hosts?

Suppose the following:

3 Solaris machines... 1, 2 & 3

If 1 is running an automounter, then 2 can mount from 1 no prob as long as it is allowed to export the filesystem.

Now, if 3 wants to mount that same filesystem that 2 is mounting from 1, but being served by the 2 machine, the cross mount will not work.

So, shouldn't samba by default not mount a filesystem that is not explicitly exported as a local filesystem on a machine the server is running on?

> > Furthermore in this release, the following flags are not working as stated:
> >
> > wide links = No ( you have called it a Service specific attribute, while it
> > only gets read by the program if placed on the global section ) and it is
> > mounting the link point but does not follow it... Is there a reason to mount if
> > you won't follow the link?
>
> don't know about this one.
>
> > invalid users = root, sys, daemon, anonymous, sync, nobody, guest
> > but yet I can do the following and mount with no problem:
> >
> > //A/root
>
> that depends on whether you have allowed guest access or not (which,
> amongst other things, is a compilation option).
>
> you will probably find that "invalid users", with the right kind of guest
> access compiled in, will be mapped to the guest account. set "guest ok
> = no" in each share that you do not wish to allow guest access. and
> check the guest compilation options.

I set guest ok = no, and I can still mount \\A\root . As far as compilation is concerned, GUESTACCOUNT = nobody like default on the Makefile.

One more thing... In this distribution, people with the acc compiler will experience some internal compiler errors; therefore, not being able to compile... An easy and necessary workaround is to disable FLAGS1 in the Makefile or any other optimization flag they may be using.... ( Found out the hard way ).

> > Also, invalid users is a (S) feature and not global according to the manual, but
> > both services have to be placed on the global section in order to be read by the
> > daemon. testparm executable program shows me that fact as soon as I place the
> > services in [Global].

Thank you for this tip Luke,

Regards,

Spiros