Samba Authentication problem -- one machine only!!!

Rick Stevens rstevens at vitalstream.com
Fri Jul 22 00:07:10 UTC 2005


Mike McCarty wrote:
> Phil Schaffner wrote:
> 
>> On Thu, 2005-07-21 at 17:05 -0400, Tim Holmes wrote:
>> ...
>>
>>> Hi phil -- the firewalls are shut off on all the machines -- we are
>>> behind a hardware firewall and do not need the internal ones -- as a
>>> result -- they do more harm than good
>>
>> Well, that's not the problem, but a bit of unsolicited/OT advice.  Good
>> security is built in layers.  I'm behind a pretty robust center-level
>> firewall also, but learned the hard way that it is not impervious.
>> We've had several cases of bad guys getting through the main firewall
>> and running rampant on the machines inside (mostly those foolish people
>> that were not up-to-date on security patches, and/or Windoze boxes).  I
>> run local firewalls on each machine I'm responsible for.  I like
>> firestarter for the individual-machine firewalls.  Makes it pretty
>> painless.
>>
>> http://www.fs-security.com/
>>
>> Phil
> 
> Well, experiences vary. One thing to remember is that every
> unneeded line of code is another place for a defect to hide.
> One of the things I continually had to hammer into the
> engineers under my lead is "If a feature is not in the
> requirements spec, then it shouldn't be in the code!"
> 
> Installing one or two programs for security may be prudent.
> Installing 50 programs for security is asking for troubles.
> 
> Somewhere in between is where most people would settle.
> 
> Taking one or two drugs may be prudent.
> Taking 50 is asking for drug interactions and troubles.
> 
> Mike

Well, geeze.  The authentication issue is something we've dealt with.
As I indicated, the problems are traceable to DNS not working (e.g.
the DNS service on the DCs doesn't have reverse DNS entries for the
fileserver), date/time not being synchronized (since the Kerberos
tickets are date/time-based), or winbind's cache not synchronizing.

The last one is a bit of a problem.  We solved it by having a single
winbind machine copy its cache file to the client machines every time
it changed (or every 30 seconds, whichever came first).  If you're
curious, the file is /var/cache/samba/winbindd_idmap.tdb
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      Do you know how to save five drowning lawyers?  No?  GOOD!    -
----------------------------------------------------------------------
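The three failure modes Rick lists (reverse DNS on the DCs, clock skew against the KDC, and a stale winbind idmap cache) and the cache-push workaround he describes, as an added example that is not part of the original post or of Samba itself. The cache path is the one from the post; the client host names, the state file, the copy command (scp) and the 300-second skew limit (MIT Kerberos' default clockskew) are assumptions, and the live reverse-DNS lookup uses dig.

```shell
#!/bin/sh
# Added example, not from the post. Helpers for the three winbind/AD
# authentication failure modes discussed above, plus the idmap-cache push.

IDMAP_CACHE="${IDMAP_CACHE:-/var/cache/samba/winbindd_idmap.tdb}"  # path quoted in the post (Samba 3 era)
STATE_FILE="${STATE_FILE:-${IDMAP_CACHE}.pushed}"                  # assumed: records checksum last pushed
CLIENTS="${CLIENTS:-fs01 fs02}"                                    # hypothetical client hosts
INTERVAL="${INTERVAL:-30}"                                         # "or every 30 seconds" from the post
MAX_SKEW=300   # MIT Kerberos default clockskew: tickets fail beyond 5 minutes of drift

# 1. Clock skew. Takes two epoch-second timestamps (local clock, DC clock);
#    returns 0 when the absolute difference is within MAX_SKEW.
clock_within_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le "$MAX_SKEW" ]
}

# 2. Reverse DNS. Compares a PTR answer with the expected FQDN, ignoring case
#    and the trailing dot dig prints; an empty answer (no PTR record) fails.
ptr_matches() {
    answer=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$answer" ] && [ "$answer" = "$expected" ]
}

# Live wrapper (needs the network): ask the DC's DNS for the fileserver's PTR.
# usage: check_reverse_dns <dc-ip> <fileserver-ip> <fileserver-fqdn>
check_reverse_dns() {
    ptr_matches "$(dig +short @"$1" -x "$2" | head -n 1)" "$3"
}

# 3. Cache sync. Copy one file to one client; redefine this to change transport.
copy_to_client() {   # usage: copy_to_client <host> <file>
    scp -q "$2" "$1:$2"
}

# Push the cache to every client when its checksum differs from the last push
# (or unconditionally when the third argument is "force").
# Returns 0 if pushed, 1 if unchanged and skipped, 2 if a copy failed.
push_if_changed() {   # usage: push_if_changed <cache-file> <state-file> [force]
    cache=$1; state=$2
    sum=$(sha256sum "$cache" | cut -d' ' -f1)
    if [ "${3:-}" != force ] && [ -f "$state" ] && [ "$(cat "$state")" = "$sum" ]; then
        return 1
    fi
    for host in $CLIENTS; do
        copy_to_client "$host" "$cache" || return 2
    done
    printf '%s\n' "$sum" > "$state"
    return 0
}

# Polling loop: push as soon as the file changes, and at least once every
# INTERVAL seconds even if it has not ("whichever came first").
run_loop() {
    elapsed=0
    while :; do
        if [ "$elapsed" -ge "$INTERVAL" ]; then
            push_if_changed "$IDMAP_CACHE" "$STATE_FILE" force; elapsed=0
        else
            push_if_changed "$IDMAP_CACHE" "$STATE_FILE"
        fi
        sleep 1; elapsed=$(( elapsed + 1 ))
    done
}

if [ "${1:-}" = run ]; then run_loop; fi
```

Two caveats when using this for real: copying a tdb that winbindd may be writing can produce a torn file on the client, so take the copy from a consistent snapshot (tdbbackup from tdb-tools) or push from a host where winbindd is stopped; and the file the post names lives under /var/lib/samba on current releases, where a deterministic idmap backend (idmap_rid or idmap_ad) removes the need to replicate it at all.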
