S 2.437 Planning the use of a Samba server
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Head of IT
The wide range of possible uses of Samba makes extensive advance planning necessary in order to introduce Samba in a controlled and secure manner and to operate it securely afterwards. It must be ensured that the security policies specified for IT systems (see in particular S 2.316 Defining a security policy for a general server) are followed, so that the implementation complies with those policies. It is therefore necessary to define the scenario in which Samba will be used, which functions it will fulfil in that scenario, and which additional software may need to be installed (for example OpenLDAP, if the user database is to be held in an LDAP directory).
1. Planning the scenario
In order to understand the different tasks and functions Samba can be used for, it helps to review the different scenarios in which a computer can be used in a Windows network:
- Stand-alone computer:
A stand-alone computer can be a single workstation computer or a server that does not belong to any domain. Such a computer administrates its own user database and does not export this database to other computers.
- Domain member:
A domain member can be a workstation computer or a server that is a member of a domain. It obtains its user database from a domain controller.
- Domain controller:
A server that exports its user database is referred to as a domain controller. In the NT4 domain model (and in Samba as well), a distinction is made between the primary domain controller (PDC), which holds the writable copy of the user database, and the backup domain controllers (BDCs), which hold read-only replicas of it. In the newer Active Directory (AD) domain model, the user information is no longer stored in the Security Account Manager (SAM), but in the AD directory together with a large amount of other information. An important difference is that there is no longer any distinction between PDCs and BDCs; there are only domain controllers. Each domain controller has write access to the AD directory, because the directory service replicates changes between all domain controllers (multi-master replication). In addition, other protocols are used in an AD domain: domain controllers are located via the Domain Name System (DNS) rather than via NetBIOS name resolution, and SMB runs directly over TCP/IP instead of over NetBIOS.
A Samba server can be used in the following scenarios. Note that there are several different ways of using Samba in one and the same scenario. The list covers the NT4-style domain roles; newer Samba versions (4.0 and later) can additionally act as an AD domain controller, a role that this safeguard does not cover:
- as a member of an NT4 domain (domain member)
- as a member of an AD domain (domain member)
- as the PDC for an NT4-compatible domain (domain controller)
- as the BDC for a Samba PDC in an NT4-compatible domain (domain controller). The protocol used by an NT4 PDC to replicate the SAM database to its BDCs has not been implemented in Samba. For this reason, a Samba BDC can only be used together with a Samba PDC, and both must use a user database that can be kept consistent between them, typically an LDAP directory (which is one reason why OpenLDAP may need to be planned for as well).
2. Planning its function
If Samba is used as a member of an NT4 domain or as a member of an AD domain, Samba can perform the following functions:
- file server
- print server
If Samba is used as the PDC for an NT4-compatible domain or as the BDC of a Samba PDC in an NT4-compatible domain, Samba can perform the following functions:
- login server
- file server
- print server
3. Winbind
Users must authenticate to the server in order to use the Samba shares. For each user, a Windows account and a matching Unix user account must be available on the Samba server. The Unix account is needed, amongst other reasons, so that Samba can access files under that user's identity and leave the enforcement of file system permissions to the kernel (see also S 4.332 Secure configuration of the access controls for a Samba server).
For this reason, every Windows domain user must exist in the Unix operating system together with all of their group memberships. In theory, all domain users could be maintained manually in Unix. In practice, Winbind should be used instead.
Winbind makes Windows users and groups visible to the Unix system as Unix users and groups by mapping their security identifiers (SIDs) to Unix UIDs and GIDs on demand, so that no local accounts have to be created for them. Because Winbind caches the information it obtains from the domain controller, using it together with Samba also reduces the load on the domain controller and on the network. A detailed description of Winbind can be found in safeguard S 4.333 Secure configuration of Winbind under Samba.
When planning the use of a Samba server, it must be taken into consideration with regard to Winbind that the Active Directory ID mapping backend ("ad", which reads the Unix UIDs and GIDs stored in the directory) can only be used when Samba is operated in the ADS security mode (see S 4.328 Secure basic configuration of a Samba server). The ID ranges assigned to the individual mapping backends must also be planned in advance so that they do not overlap, and so that all Samba servers that share the same file systems map a given Windows account to the same Unix ID.
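The following script is an added planning aid for sections 1 to 3 and is not part of this safeguard or of the Samba project. It writes a candidate smb.conf for one of the planned roles (AD domain member with Winbind, or NT4-style PDC) and then lints the [global] section against the rules stated above: the "ad" ID mapping backend requires the ADS security mode, a domain member needs a default idmap backend, idmap ranges must not overlap, and a domain controller needs a password backend and a [netlogon] share. The domain name EXAMPLE, the share paths, the ID ranges and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added planning aid; not from the BSI catalogue or the Samba project.
# write_candidate_conf emits a candidate smb.conf for one of the roles from
# sections 1 and 2 (AD domain member with Winbind, or NT4-style PDC) and
# check_plan lints it against the planning rules of sections 1-3.
# Domain name, paths and ID ranges are placeholders, i.e. assumptions.
# write_candidate_conf ROLE FILE   (ROLE: ad-member | nt4-pdc)
write_candidate_conf() {
  case "$1" in
    ad-member) cat > "$2" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   server signing = mandatory
   map to guest = never
   ; keep EXAMPLE\user distinct from local Unix accounts
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   template shell = /sbin/nologin
   ; "ad" reads uidNumber/gidNumber from AD and needs security = ads;
   ; the "*" range catches SIDs from other and well-known domains
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
[data]
   path = /srv/samba/data
   read only = no
   valid users = @"EXAMPLE\data-users"
EOF
    ;;
    nt4-pdc) cat > "$2" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = tdbsam
   domain logons = yes
   domain master = yes
   preferred master = yes
   server signing = mandatory
[netlogon]
   path = /srv/samba/netlogon
   read only = yes
   browseable = no
EOF
    ;;
    *) echo "unknown role: $1" >&2; return 2 ;;
  esac
}
# check_plan FILE: prints one OK line and returns 0 when [global] is
# consistent with the planned role; otherwise prints each finding, returns 1
check_plan() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/   { sect = tolower(trim($0)); sections[sect] = 1; next }
    sect == "[global]" && index($0, "=") {
      k = tolower(trim(substr($0, 1, index($0, "=") - 1)))
      v = tolower(trim(substr($0, index($0, "=") + 1)))
      if (k == "security") security = v
      else if (k == "domain logons") logons = v
      else if (k == "passdb backend") passdb = v
      else if (k ~ /^idmap config /) {          # "idmap config DOM : option"
        split(substr(k, 14), p, ":"); dom = trim(p[1]); opt = trim(p[2])
        seen[dom] = 1
        if (opt == "backend") backend[dom] = v
        if (opt == "range") { split(v, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
      }
    }
    END {
      if (security == "") { print "FAIL: no security mode set"; bad++ }
      if (logons == "yes") {                     # NT4 PDC/BDC role
        if (security != "user") { print "FAIL: domain logons need security = user"; bad++ }
        if (passdb == "") { print "FAIL: domain controller without passdb backend"; bad++ }
        if (!("[netlogon]" in sections)) { print "FAIL: no [netlogon] share"; bad++ }
      }
      if ((security == "ads" || security == "domain") && !("*" in backend)) {
        print "FAIL: domain member without default (*) idmap backend"; bad++
      }
      for (d in seen) {
        if (!(d in backend) || !(d in lo)) { print "FAIL: idmap config " d " lacks backend or range"; bad++; continue }
        if (hi[d] <= lo[d]) { print "FAIL: empty idmap range for " d; bad++ }
        if (backend[d] == "ad" && security != "ads") { print "FAIL: idmap backend ad for " d " requires security = ads"; bad++ }
        for (e in seen)  # overlapping ranges would map two SIDs to one Unix ID
          if (d < e && (e in lo) && lo[d] <= hi[e] && lo[e] <= hi[d]) { print "FAIL: idmap ranges " d " and " e " overlap"; bad++ }
      }
      if (bad) exit 1
      role = (logons == "yes") ? "NT4 domain controller" : (security == "ads") ? "AD domain member" : (security == "domain") ? "NT4 domain member" : "stand-alone server"
      print "OK: security = " security ", role: " role
    }' "$1"
}
# Usage: sh samba-plan.sh ROLE [FILE] (script name assumed); without FILE the
# candidate is written to a temporary file, checked and removed again.
if [ "$#" -gt 0 ]; then
  f=${2:-$(mktemp)}; write_candidate_conf "$1" "$f" && check_plan "$f"; rc=$?
  [ -n "$2" ] || rm -f "$f"; exit $rc
fi
```

The checker deliberately reads only what this safeguard asks to be planned: the security mode, the domain-controller role and the ID mapping. It is a planning lint, not a replacement for `testparm`, which should still be run on the final configuration on the target host.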
Review questions:
- Were the scenarios in which Samba will be used and its function in each scenario planned in detail?
- If it is necessary to use Winbind, was its use planned accordingly?