This falls under the 'getting clearcase to work with samba' category.

Does anybody know if the clearcase albd server actually uses samba to access files (or anything else) on the unix side?

I am having 'discussions' with rational (the clearcase people).

The nt user running clearcase to access some unix-side views connects to the unix side using a set of credentials that have access to the user's unix-side files.

In addition to the clearcase user, there is also the clearcase 'albd' service that spawns off a number of service processes. Rational tech support asserts that (some of) these processes need to access the unix-side files using credentials that give them the access rights of the clearcase administrative account. (This account had different, and presumably broader rights than does any specific user.)

This would mean that the nt host was connecting to the unix host with two sets of credentials, which smb supposedly does not permit.

Does anybody know what gives here? What rational is saying seems to me to contradict what samba permits.
Hi Frank,

One of my favorite topics! The clearcase_albd daemon (errr service) actually needs to do a netlogon at some point to create cleartext for an element if it does not exist. Thus the user that clearcase_albd runs as needs to access the cleartext and source pools via samba as an authenticated user. Recently there were a number of posts about samba & clearcase on the clearcase users mailing list by David Boyce that documented this.

Note that it should not cause any problems, I actually am using a samba prealpha 2.1.0 domain controller with ClearCase 3.2 and if I just set the clearcase_albd to use a local account and map that account to vobadm for example on the samba side everything works fine. For some reason CC does not like a samba domain clearcase_albd account but it doesn't really affect us.

regards,
Greg

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet (the logic is gone)
Montreal
(514) 954-7171
greg@discreet.com
Hi Frank,

The restriction to only connect as one user to a specific machine (SMB server) is a _CLIENT_ restriction.

This can be proven in an NT only (and I assume with SAMBA as well, sorry I don't have a samba server to test against :-( ) scenario.

Steps:
------
- Open a command prompt
- net use \\SERVERNETBIOSNAME\share /USER:DOMAIN\userA
- Enter userA password
- net use \\server.ip.address\share /USER:DOMAIN\userB
- Enter userB password

You are now connected to the same SMB server as two different users. The _CLIENT_ thinks it is two different machines because you referred to the same machine using two different names.

Note that on Win9x this is not possible, as Win9x will only ever supply the username that was used to "log in" to Win9x.

Hope this helps
Johan

>---------------
>This falls under the 'getting clearcase to work with samba'
>category.
>
>Does anybody know if the clearcase albd server actually uses
>samba to access files (or anything else) on the unix side?
>
>I am having 'discussions' with rational (the clearcase people).
>
>The nt user running clearcase to access some unix-side views
>connects to the unix side using a set of credentials that have
>access to the user's unix-side files.
>
>In addition to the clearcase user, there is also the clearcase
>'albd' service that spawns off a number of service processes.
>Rational tech support asserts that (some of) these processes
>need to access the unix-side files using credentials that give
>them the access rights of the clearcase administrative account.
>(This account had different, and presumably broader rights
>than does any specific user.)
>
>This would mean that the nt host was connecting to the unix
>host with two sets of credentials, which smb supposedly
>does not permit.
>
>Does anybody know what gives here? What rational is saying
>seems to me to contradict what samba permits.
>
FYI: I am on the road giving Samba talks at the moment, I'll be able to address this more fully when I get back on Friday.

"Frank R. Brown" <list.Frank@MailAndNews.com> wrote :

> From David Boyce's posting of some info samba info he got
> from rational:
>
>> >|Being a prisoner of the SMB protocol and thus Microsoft's short-sighted
>> >|PC-think, Samba defines "client" not as a user or a user/system pair but
>> >|as a PC. I.e. it forks just one child process to handle all communications
>> >|with each NT _machine_.
>>
>> This is the implementation issue. (It is not forced by SMB protocol which
>> distinguishes the session by the user's ID.) TAS forks a process for each
>> user/system pair. Although one TCP connection (with NetBT) is used between
>> the client PC and TAS server (thus multiple users are sharing the same
>> transport), TAS has the de/multiplexor for the TCP connection. (TAS does
>> the same for NetBEUI.)
>> It's up to Samba to implement such mechanism, which will be needed for NT
>> Terminal Server and Win2K's Terminal Service.
>>
>> --- Seiichi
>> + Seiichi Tatsukawa +
>> + Rational Software, Lexington, MA +

This is true that it is an implementation issue. However it is incorrect that Samba is a prisoner of "Microsoft's short-sighted PC-think", as it is actually by design.

> Okay... I take this to mean (in the 'credentials' language I've been
> using) that 1) *SMB* permits multiple connections with different
> credentials between the same two machines; 2) some SMB
> servers, in particular TAS, support this; and 3) samba doesn't.

3). Is incorrect, Samba does support this. I implemented the multiple user session support in Samba, and it is designed to keep it within one process. smbd switches userid on each *different* vuid incoming and so can easily support multiple users multiplexed into one smbd (I implemented this to support logging from an NT service running under a different user context, which is the most common case of this).

Now this is very inefficient for products such as terminal server etc., but these products are quite rare.

However, Seiichi Tatsukawa is incorrect when he states that "which will be needed for NT Terminal Server and Win2K's Terminal Service". If you take a look at the .reg file called docs/WindowsTerminalServer.reg that shipped with the Samba 2.0.6 source tree, you will find it modifies a registry entry to cause Windows Terminal server to create *new* SMB connections (and hence new smbd servers) for each user connection. There are many people running happily on WinTermServ with this setting, which was why it was included in the 2.0.6 release.

Follow up if you still have questions, and if someone could forward this to Seiichi Tatsukawa at Rational I'd appreciate it (his email address was not listed in the message).

Cheers,

Jeremy Allison,
Samba Team.
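
The per-vuid identity switch described in the message above, as an added illustrative model in C; it is not Samba source code and not part of the original thread. The struct and function names, the vuid numbering and the uids 1001 and 2002 are constructed for the example, and the identity change is only recorded, not performed.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_SESSIONS 8

/* One entry per successful session setup on this client connection. */
struct session { uint16_t vuid; int uid; };

struct conn {
    struct session tab[MAX_SESSIONS];
    int nsessions;
    int cur_uid;   /* identity the serving process currently holds, -1 = none */
    int switches;  /* number of identity changes performed so far */
};

void conn_init(struct conn *c) { c->nsessions = 0; c->cur_uid = -1; c->switches = 0; }

/* Register an already-authenticated Unix uid; returns its vuid, 0 if full. */
uint16_t session_setup(struct conn *c, int uid)
{
    if (c->nsessions == MAX_SESSIONS) return 0;
    struct session *s = &c->tab[c->nsessions++];
    s->vuid = (uint16_t)c->nsessions;  /* constructed numbering: 1, 2, ... */
    s->uid = uid;
    return s->vuid;
}

/* Serve one request: returns the uid it ran as, or -1 if the vuid is unknown. */
int handle_request(struct conn *c, uint16_t vuid)
{
    for (int i = 0; i < c->nsessions; i++) {
        if (c->tab[i].vuid != vuid) continue;
        if (c->cur_uid != c->tab[i].uid) {  /* switch only for a different user */
            c->cur_uid = c->tab[i].uid;     /* a real server changes its effective uid here */
            c->switches++;
        }
        return c->cur_uid;
    }
    return -1;  /* refuse: never fall back to whatever identity is current */
}

/* Constructed trace: interactive user (uid 1001) and a service account (uid 2002). */
int run_trace(void)
{
    struct conn c;
    conn_init(&c);
    uint16_t user = session_setup(&c, 1001), svc = session_setup(&c, 2002);
    handle_request(&c, user); handle_request(&c, user);  /* same user twice: one switch */
    handle_request(&c, svc);  handle_request(&c, user);  /* two more switches */
    return c.switches;
}

int main(void) { printf("identity switches: %d\n", run_trace()); return 0; }
```

Each request is authorised under the uid bound to its vuid, so the service account and the interactive user share one connection and one process without sharing access rights.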

Frank,

I read your last post regarding Clearcase and Samba.

Unfortunately I have NO idea what Clearcase is, but the following scenario might help to explain as well.

As far as I know the restriction on only connecting to a SMB server as one client is a NT Explorer (The thing that puts your START button on your screen) restriction.

You have the following:

1) A NT Server \\EXCHANGESERVER
2) MS Exchange is installed on \\EXCHANGESERVER
3) MS Exchange has the "CCMail connector" installed.
4) MS Exchange uses a "service" account. "DOMAIN\serviceaccount"
5) The "CCMail Postoffice" that MS Exchange connects to is a share on ANOTHER NT Server \\DISKSERVER\ccmailpo
6) In the "Exchange setup" you specify a UNC path that the "CCMail connector" uses to access the "CCMail Postoffice"
7) Exchange running in the _background_ will use the "CCMail Post Office share" as "DOMAIN\serviceaccount"
8) I now log into \\EXCHANGESERVER as "DOMAIN\johan"
9) I can map a drive to \\DISKSERVER\anothershare as myself without problems.

Does this make any sense? If not mail me and I will try to explain more.

I think the key is that the "Exchange service" and the USER (me :-) ) are both logged into NT Server separately and each can make their own connections. The "Exchange service" has a login without a "Terminal session" (read keyboard and monitor). The user session has a "Terminal session" (with keyboard and monitor) (or better STDIO).

Does clearcase have an "NT Service" that runs in the background? IF yes, you can confirm who Clearcase will connect as (the "Clearcase service account") by doing

Start-->Settings-->Control Panel-->Services-->"Clearcase service"-->Startup

A user that then logs in should be able to make connections as whoever he pleases, UNLESS the "Clearcase service" makes the connection "on behalf of" the user. In this case the connection will happen as the "Clearcase service account".

Anyway I am now rambling about a product I know nothing about.

Mail me if I can help

Johan