Andrew Bartlett wrote:
> On Thu, Oct 31, 2002 at 11:33:15AM +0100, Ignacio Coupeau wrote:
> > We have several samba printservers and fileservers with "security=server" validating against several PDCs with ldap (samba 2.2.6).
> > I found a lot of ldap requests like:
> > (uid=SAMBATESTPSERVER04)
> > beating the ldap servers: one before *each* validation in every print job or share session.
> > I found this is related to a security issue, as Jeremy says in the server_validate() function.
> > To avoid this I tried to use security=domain because server_validate() is called by check_server_security(), but our servers joined to the domain-assigned server very much like to ask the neighbouring PDC as "security=server" rather than their domain-assigned server (perhaps the subnetting, or so... it is a big and complex network).
> > The question is if I can skip the code around "if(!tested_password_server) {" to avoid the calls to ldap, and if it is safe.
> > We are using only samba servers.
>
> You could, but you really don't want to. Security=server is really nasty. Fix whatever is causing Samba to pick the wrong DC for security=domain. You can still specify the server to use.

I'm tracking it, but it is amazing...
for example
../bin/smbpasswd -r ENIGMA -j CTI-SMB-2
joins the pserver01 to ENIGMA perfectly.
pserver01 has "security server=enigma", but resolves in every PDC (of course the ldap base is the same), like "security server=*" but in server mode (for example in the PDC3 or PDC1) instead of domain mode in ENIGMA...
it looks as if a broadcast is performed and the winner is the nearest PDC because the trusted pdc (ENIGMA) is in another subnet... amazing!
Ignacio
--
____________________________________________________
Ignacio Coupeau, Ph.D. e-mail: [EMAIL PROTECTED]
CTI, Director fax: 948 425619
University of Navarra voice: 948 425600
Pamplona, SPAIN http://www.unav.es/cti/
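As an added illustration (not part of the thread), the two smb.conf settings under discussion side by side: the pass-through mode that triggers the per-session check described above, and the domain-member form with the trusted DC named explicitly. The domain name CTI-SMB-2 and the DC name ENIGMA are taken from the smbpasswd command in the thread; the remaining values are assumed, and the machine must already have been joined with smbpasswd -j before the second form works.

```ini
; Constructed example; the two [global] blocks are alternatives for
; one smb.conf, not one file.

; --- weak: pass-through to whichever server answers, which (per the
; thread) costs one validation, and one LDAP lookup, per session
[global]
   workgroup = CTI-SMB-2
   security = server
   password server = *
   encrypt passwords = yes

; --- corrected: domain member, DC named explicitly so no broadcast
; election can hand the request to a nearer PDC in another subnet
[global]
   workgroup = CTI-SMB-2
   security = domain
   password server = ENIGMA
   encrypt passwords = yes
```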