Samba Developer Interviewed on National TV
Samba developer and LinuxCare employee, Andrew Tridgell, was interviewed on Australian ABC's influential 7:30 Report national current affairs program. "All we need to do is fire up a 98 box and do a domain log-on," Tridge said. Thanks to Paul "Rusty" Russell for finding this.
As someone who is responsible for supporting Samba deployments in a Fortune 500 company, I feel somewhat qualified to speak to the issue of "enterprise readiness".
Samba seems to have a real problem with encrypted passwords. They say that they HAVE to be used in some configs and CAN'T be used in others.
This is an unfortunate consequence of the laws of mathematics. Both NT and Unix use irreversible hash algorithms to "encrypt" passwords, but they use different ones. There is simply no way to "convert" an NT password hash into a UNIX password hash, or vice-versa. I'm sorry, but not even Microsoft can produce code that can bypass the laws of mathematics (although some days non-deterministic behavior has you wondering...)
In practice, this is not a serious limitation. At work, the Samba servers are members of a resource domain and authenticate against NT PDCs. It's also possible to replace them with Samba PDCs -- if you don't insist on using UNIX-hashed passwords for Samba authentication, encrypted passwords will work fine. Samba's emerging LDAP functionality also raises the possibility of directly sharing account databases between the NT and Unix sides.
If you insist on using a Unix-style password database for Samba authentication, then you will not be able to use encrypted passwords on the wire. That is, however, the only limitation. All other configurations can use encrypted passwords.
The only circumstances under which you cannot use plaintext passwords are when dealing with Win98 or NT4SP3+, and that's Microsoft's doing, as they disabled negotiation of plaintext passwords.
Why is it MS products can connect to anything but Samba has problems?
For values of "anything" that equal MS products?
Samba also has real problems with oplocks.
The only real limitation on oplocks in Samba deals with situations where you can have both Unix and NT users accessing the data simultaneously, if the particular Unix flavor does not itself support oplocks. Under those circumstances, you'll need to turn oplocks off to avoid potential data corruption.
Note that this is due to an architectural limitation of certain Unix flavors, not of Samba itself. On Unices that support oplocks (i.e. IRIX), oplocks are safe because Samba uses the OS's native oplock facilities.
They need to fix it before it is enterprise ready.
I'd say it's enterprise-ready now, for pretty much everything but PDC/BDC functionality. Stop with the FUD.
DNA just wants to be free...
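An added illustration, not part of the comment above, of the point about hash formats: a server that stores only a Unix-style hash can check a plaintext password but cannot check a challenge-response ("encrypted password") login, while a server that stores the NT-style hash can. PBKDF2, SHA-256 and HMAC are stand-ins for the real crypt() and NT algorithms, and every function name and sample value here is constructed for the example.

```python
import hashlib
import hmac
import os


def unix_style_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for a crypt()-style entry: salted, iterated, one-way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def nt_style_hash(password: str) -> bytes:
    """Stand-in for an NT-style entry: unsalted one-way hash of UTF-16LE text."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: the password never crosses the wire, only a keyed
    function of the server's challenge, keyed with the NT-style hash."""
    return hmac.new(nt_style_hash(password), challenge, hashlib.sha256).digest()


def verify_with_nt_db(stored_nt: bytes, challenge: bytes, response: bytes) -> bool:
    """Server holding the NT-style hash can recompute the expected response."""
    expected = hmac.new(stored_nt, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def verify_plaintext_with_unix_db(stored: bytes, salt: bytes, password: str) -> bool:
    """Server holding only the Unix-style hash needs the plaintext to check it."""
    return hmac.compare_digest(unix_style_hash(password, salt), stored)


def verify_response_with_unix_db(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """The Unix-style hash is the only secret available as a key, and it cannot
    be turned into the NT-style hash, so the recomputed value never matches."""
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    password, salt = "constructed-sample-pw", b"constructed-salt"  # sample values
    challenge = os.urandom(8)
    response = client_response(password, challenge)
    unix_entry = unix_style_hash(password, salt)
    print("NT-style db, challenge-response:  ",
          verify_with_nt_db(nt_style_hash(password), challenge, response))
    print("Unix-style db, plaintext:         ",
          verify_plaintext_with_unix_db(unix_entry, salt, password))
    print("Unix-style db, challenge-response:",
          verify_response_with_unix_db(unix_entry, challenge, response))
```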