[wpkg-users] Using BITS to transfer files?

Malte Starostik malte at malte.homeip.net
Wed Jan 5 17:05:46 CET 2011


On Sunday, 2 January 2011, 23:39:52, Marco Gaiarin wrote:
> Hello! Malte Starostik
>   On that day it was said...
> 
> > I can't confirm this.  I'm running WPKG off a samba server and the
> > clients access the share with machine credentials just fine.  I've
> > granted read access to the "Domain Computers" group and all is well.
> > The share that the clients write their logfile to is writable by "Domain
> > Computers" and has the sticky bit set, so a client can only mess with the log
> > file(s) it created.
> 
> Really, really, REALLY interested in that!!!
> 
> Can you send some more info? Samba version? Server and client
> configuration?
> 
> I've tried some weeks ago on Debian lenny (samba 3.2.X) and I was not
> able to make it work...

The server is currently running Samba 3.5.6 on Gentoo Linux, but it was 
working with 3.2.x before as well.  The user/group mapping is handled by 
winbind.  The basic configuration is like this:

[global]
    workgroup = DOMAIN
    security = ads
    realm = DOMAIN.TLD

    idmap backend     = tdb
    idmap uid         = 100000 - 999999
    idmap gid         = 100000 - 999999

    idmap config DOMAIN : backend    = rid
    idmap config DOMAIN : base_rid   = 0
    idmap config DOMAIN : range      = 1000000 - 9999999

    winbind use default domain = yes

[wpkg]
    path = /srv/wpkg
    read only = yes

Please note that the idmap configuration syntax has changed from Samba 3.2 to 
3.4 (or 3.3?), so the above is not compatible with 3.2.

These are the permissions of the WPKG share:
$ getfacl /srv/wpkg
# file: /srv/wpkg/
# owner: root
# group: root
user::rwx
user:apache:rwx
group::r-x
group:domain\040admins:r-x
group:domain\040computers:r-x
group:domain\040controllers:r-x
mask::rwx
other::---

There should be no need for POSIX ACLs; if the share is owned by the group 
"domain computers" and group readable, it should work as well - not being 
world readable prevents users from copying software off the share or diving into 
configurations they maybe shouldn't see...

The clients are running Windows XP Pro and are joined to the domain.  WPKG 
Client is configured to authenticate as "SYSTEM" - this enables machine 
authentication.

There is one requirement that might get in the way: machine authentication 
requires kerberos, so you need an AD domain, either with a Windows 2000+ DC or 
Samba 4.  I haven't tried the latter yet, but I certainly will some day.  A 
Windows NT (resp. Samba 3) domain will not do.

Cheers,
Malte
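
The following is an added example, not part of the original post: a mode-bit audit for the two directories the message describes, covering the simpler variant without POSIX ACLs (package directory group-readable and closed to "other", log directory group-writable with the sticky bit). It assumes GNU stat on Linux and that the owning group is the one winbind maps from "Domain Computers"; the function names and the log directory path are hypothetical.

```shell
#!/bin/sh
# Added example: audit mode bits of the WPKG package and log directories.
# Uses GNU stat (Linux). POSIX ACL entries are not inspected.

# Octal mode of a path, e.g. 750 or 1770.
mode_of() { stat -c '%a' "$1"; }

# Package directory: no access for "other", and r-x for the owning group
# (assumed to be the group mapped from "Domain Computers").
audit_pkg_share() {
    m=$(mode_of "$1") || return 2
    rc=0
    if [ $(( 0$m & 07 )) -ne 0 ]; then
        echo "FAIL $1: mode $m grants access to 'other'"; rc=1
    fi
    if [ $(( 0$m & 050 )) -ne $(( 050 )) ]; then
        echo "FAIL $1: mode $m lacks group r-x"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1: mode $m"
    return "$rc"
}

# Log directory: group needs write+search to create log files, and the
# sticky bit must be set so only a file's owner (or the directory owner
# or root) can delete or rename it.
audit_log_share() {
    m=$(mode_of "$1") || return 2
    rc=0
    if [ $(( 0$m & 030 )) -ne $(( 030 )) ]; then
        echo "FAIL $1: mode $m lacks group write/search"; rc=1
    fi
    if [ $(( 0$m & 01000 )) -eq 0 ]; then
        echo "FAIL $1: mode $m has no sticky bit"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1: mode $m"
    return "$rc"
}

# Stand-alone use (log path is a placeholder):
#   sh audit.sh /srv/wpkg /path/to/wpkg-logs
if [ "$#" -eq 2 ]; then
    audit_pkg_share "$1"; r1=$?
    audit_log_share "$2"; r2=$?
    [ "$r1" -eq 0 ] && [ "$r2" -eq 0 ]
    exit
fi
```

When POSIX ACLs are in use, as in the getfacl output above, the group bits reported by stat reflect the ACL mask, so check the named entries with getfacl as well.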


