Re: Samba Authentication problem -- one machine only!!!


Mike McCarty wrote:
Phil Schaffner wrote:

On Thu, 2005-07-21 at 17:05 -0400, Tim Holmes wrote:
...

Hi phil -- the firewalls are shut off on all the machines -- we are
behind a hardware firewall and do not need the internal ones -- as a
result -- they do more harm than good



Well, that's not the problem, but a bit of unsolicited/OT advice.  Good
security is built in layers.  I'm behind a pretty robust center-level
firewall also, but learned the hard way that it is not impervious.
We've had several cases of bad guys getting through the main firewall
and running rampant on the machines inside (mostly those foolish people
that were not up-to-date on security patches, and/or Windoze boxes).  I
run local firewalls on each machine I'm responsible for.  I like
firestarter for the individual-machine firewalls.  Makes it pretty
painless.

http://www.fs-security.com/

Phil


Well, experiences vary. One thing to remember is that every
unneeded line of code is another place for a defect to hide.
One of the things I continually had to hammer into the
engineers under my lead is "If a feature is not in the
requirements spec, then it shouldn't be in the code!"

Installing one or two programs for security may be prudent.
Installing 50 programs for security is asking for troubles.

Somewhere in between is where most people would settle.

Taking one or two drugs may be prudent.
Taking 50 is asking for drug interactions and troubles.

Mike

Well, geeze.  The authentication issue is something we've dealt with.
As I indicated, the problems are traceable to DNS not working (e.g.
the DNS service on the DCs doesn't have reverse DNS entries for the
fileserver), date/time not being synchronized (since the kerberos
tickets are date/time based), or winbind's cache not synchronizing.

The last one is a bit of a problem.  We solved it by having a single
winbind machine copy its cache file to the client machines every time
it changed (or every 30 seconds, whichever came first).  If you're
curious, the file is /var/cache/samba/winbindd_idmap.tdb
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      Do you know how to save five drowning lawyers?  No?  GOOD!    -
----------------------------------------------------------------------
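The three causes Rick lists (missing reverse DNS on the DCs, clock skew breaking Kerberos, and a stale winbind idmap cache) can each be checked before touching Samba itself. The script below is an added example and is not part of the original thread or of Samba; it works on constructed input so it runs offline. The 300 s tolerance is the Kerberos default clockskew; the host names, IP and paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: pre-flight checks for the three
# causes of Samba/winbind authentication failures listed above (reverse DNS,
# clock skew, stale winbindd_idmap.tdb). The 300 s tolerance is the Kerberos
# default clockskew; host names, IPs and paths below are assumptions.

KRB_MAX_SKEW=300

# 1. Clock skew: Kerberos tickets carry timestamps, so a client whose clock
#    differs from the DC by more than the KDC tolerance has its AS/TGS
#    requests rejected. Returns 0 when |dc_epoch - local_epoch| <= tolerance.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$KRB_MAX_SKEW" ]
}

# 2. Reverse DNS: the DCs must resolve the fileserver's IP back to its name.
#    Takes the output of `host <ip>`, e.g.
#    "4.3.2.10.in-addr.arpa domain name pointer fs.example.com."
#    and returns 0 only if the PTR target is the expected FQDN.
ptr_matches() {
    expected="$1"; host_output="$2"
    case "$host_output" in
        *"domain name pointer "*) ;;
        *) return 1 ;;          # NXDOMAIN or any other failure text
    esac
    [ "${host_output##* }" = "${expected}." ]
}

# 3. idmap cache: copy winbindd_idmap.tdb to a client only when its content
#    changed, replacing it atomically so winbindd never reads a half-written
#    file. Returns 0 if a copy was made, 1 if the destination was already current.
sync_idmap_if_changed() {
    src="$1"; dst="$2"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    cp "$src" "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# Demo on constructed data (no network needed). In real use the inputs would be
# $(date +%s) against the DC clock from `net time -S <dc>`, the output of
# `host <fileserver-ip>` run on each DC, and the live tdb under /var/cache/samba.
now=$(date +%s)
if clock_skew_ok "$now" $(( now + 120 )); then echo "skew 120s: ok"; fi
if ! clock_skew_ok "$now" $(( now - 900 )); then echo "skew 900s: FAIL, fix ntp first"; fi

ptr_ok="4.3.2.10.in-addr.arpa domain name pointer fs.example.com."   # constructed
ptr_bad="Host 4.3.2.10.in-addr.arpa. not found: 3(NXDOMAIN)"        # constructed
if ptr_matches fs.example.com "$ptr_ok";  then echo "PTR ok"; fi
if ! ptr_matches fs.example.com "$ptr_bad"; then echo "PTR missing on DC: add the reverse zone entry"; fi
```

For the cache copy, run `sync_idmap_if_changed` from a loop or cron entry on the 30-second interval described above, against a copy of `/var/cache/samba/winbindd_idmap.tdb` taken from the one winbind master. Copying a live tdb is a workaround rather than a design: Samba's idmap backends (idmap_rid, idmap_ad, idmap_ldap) give every member the same uid/gid mapping without shipping the file around.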

