Your surmises are correct, in my experience. Windows PDC is, of course, the most complete solution, although you then have the headaches of maintaining a Win 2k server plus the huge headaches of working out what client access licenses you'll need for it. Samba 3 is still pretty much alpha/beta. Much as I'm keen to move to it myself, our environment here needs fileshares as an absolutely critical service so until our architecture changes I just can't risk it. I expect that you are in the same situation really. There is one more alternative. The smbd daemon seems to respect ext2 privileges so you can use UNIX style groups for your users to implement privileges. The Windows clients don't handle this very gracefully, from memory it makes them think that there's a problem writing to the file (when they in fact don't have privilege). With modern kernels the ext2/ext3 and reiserfs file systems can have full ACLs as I understand it (untested) so you should be able to implement anything that you could implement on WinNT. The NT users will, of course, be slightly confused as to what's going on so you may need to educate them with a brief email or document. Carl Peto

From: timo <timo.raty@allgon.com> To: suse-security@suse.com Subject: [suse-security] NT group defs from Samba? Date: Mon, 22 Dec 2003 09:21:58 +0200

Newest version of samba for SuSE 8.1 seems to be based on 2.2 series and there exists no build for 3.0.0 or 3.0.1?

The problem is that I need to install a windows application that requires about 10 groups from PDC - and the PDC is Samba 2.2.x on Linux. Samba 2.2.x series does not seem to support the "domain group map" so how do I provide these groups from Linux?

What choices do I have and what is the suggested way of doing this? I think options include at least: - changing PDC to windowsNT - obtaining prebuild 3.0.1 samba for SuSE 8.1 - building and installing from 3.0.1 sources - any others/suggestions?

So how should I do this? Installing the windows software with only "users" and "administrators" groups breaks its security - and likely the rest of the system security after that.

regards, timo

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

_________________________________________________________________ Tired of 56k? Get a FREE BT Broadband connection http://www.msn.co.uk/specials/btbroadband