samba: force LINUX NMB to ALWAYS obtain master browser status


Post by gaius.petroni » Sat, 16 Mar 2002 11:47:58



thanks for the responses.  each one of them is telling me that i don't
have a technical solution to this problem.  does anyone disagree that
there is *no* technical solution to this problem?  (i am expanding the
cross-post to another group to see if there might be someone who has
found a *technical* solution to this problem)


> The master browser is not connected to login in domains. master browsers are
> not used if you use DNS instead of wins.

They need WINS in order for NetBIOS to traverse subnets in their
"Network Neighborhood" window.

> There is also no way to stop other systems to steal the master browser from a
> windows box, so where is the point?

Is that a known fact?
Would a Windoze 2000 server also lose the domain master status to his
laptop?

> > BTW i added WINS to the dhcpd.conf by adding "netbios-name-servers
> > [addr of samba server]" in the hopes that it would override any other
> > rogue browser server trying to answer NETBIOS requests from the
> > windoze machines.

> It will only be used on those clients which have no wins browser set.
> But this can easily be enforced. Make sure it is company policy to use wins
> and do not support PCs which do not use wins.

i.e. WINS can ensure that NetBIOS name resolution passes through my
SAMBA server.  However, how does this ensure that the SAMBA server
maintains its master browser status and is the server of choice for
logins?  in my understanding, a WINS server is not necessarily a
master browser.

> Your problem has no technical solution.

i need a second opinion, doc.


> regardless of the OSlevel and preferred attributes and want to
> become local master browser, which seems to annoy samba (2.2.3a now)
> so that it refuses to become domain master after a restart of the nmbd
> service. I cannot do anything else but unplug the Wfwg from the
> network for a while ....

you say "a restart of the nmbd."  i have a cron job that restarts the
smbd and nmbd every 24 hours.  if i discontinue this practice, will a
machine booting up to oslevel = 65 still be able to abduct the master
browser service?

> >BTW i added WINS to the dhcpd.conf by adding "netbios-name-servers
> >[addr of samba server]" in the hopes that it would override any other
> >rogue browser server trying to answer NETBIOS requests from the
> >windoze machines.

> Yes, but this only works if he does use the dhcp in his local
> settings. Otherwise don't give him a IP :)

He is a manager and has the authority to do as he pleases without
advising us.  He feels he needs to "test" us.  He has full support of
management, who are not technical.


> > the guy is a network engineer who deliberately did this to show that
> > Linux Samba cannot handle this kind of situation and maintain its
> > master browser status (says he).  he is also a manager.
> Not really: This is not a "Linux Samba" problem. It's a Microsoft problem
> that Samba can't fix.

Therefore, in *their* view [i.e. Management] it is a LINUX/UNIX fault.

> It is the client machines that select the master
> browser, *NOT* the servers themselves.

But the question was, how does a legitimate NMB master (the LINUX
server) prevent the abduction of *master* login server for the NMB
Domain?

This question might be similar to asking how a DNS server prevents a
rogue machine from abducting the DNS queries.

Am i close to an answer here?  is there a way to hardcode a *node
number* or some other *unique identifier* into the NMB requests to
prevent this?

i am thinking of something along the lines of an ether address or a
logical network node address.  Can we do this in NetBIOS (i am
assuming NMB == NetBIOS)

> He should try that on a Micro$not run network and watch the primary domain
> controller explode. Also, if he did this without warning, he should try it
> from the unemployment line: it's like throwing a cherry bomb in the company
> toilet and saying "See? We're at risk from dumb kids!"

i agree, but:
they are the leaders.
we are the engineers.
we are the slaves of the ignorant.
i must begin with the premise that they provide.
i cannot alter the fantasy world that they have created for themselves
in the workplace.


> > If there is no way to prevent another machine from using oslevel = 65
> > and obtaining the master status, then this could be the end of the
> > LINUX machine handling the 70 GIG of data as our fileserver.

> As I said, there is apparently no defense for Micro$not servers, either.

> Consider firing this idiot.

it's actually the other way around: he is a good friend of the CEO and
a newcomer to the company and is now the CIO.  Me and the other UNIX
guy are preparing our resumes.  We refuse to convert any servers to
Windows and if they are converted we cannot be responsible for them
since we do not understand Windows 2000 "secrets."  (Who does?)

off-topic: i have a good friend who was an AIX sysadmin at Prudential
and i heard that they fired their UNIX staff and replaced the systems
with Windows 2000.  (disclaimer: i do not attest to the true or false
nature of this rumor)

how is it that technical and security "officers" (i as yet do not know
the qualifications of a so-called CIO nor what he actually knows or
does not know nor what his role should be) prefer proprietary systems
which they *cannot* know how they actually work over open source
systems?  these are probably the same people who want encryption keys
for the entire world stored in escrow. [end of off-topic paroxysm]

 
 
 


Post by Nico Kadel-Garci » Sat, 16 Mar 2002 14:31:10


"gaius.petronius" <r...@linuxmail.org> wrote in message

news:188cd7b2.0203141847.70e8e1c9@posting.google.com...
> thanks for the responses.  each one of them is telling me that i don't
> have a technical solution to this problem.  does anyone disagree that
> there is *no* technical solution to this problem?  (i am expanding the
> cross-post to another group to see of there might be someone who has
> found a *technical* solution to this problem)

> Bernd Eckenfels <ecki-news2002...@lina.inka.de> wrote in message

<news:a6psmr$f0s$3@sapa.inka.de>...

> > The master browser is not connected to login in domains. master browsers are
> > not used if you use DNS instead of wins.

> They need WINS in order for NetBIOS to traverse subnets in their
> "Network Neighborhood" window.

> > There is also no way to stop other systems to steal the master browser from a
> > windows box, so where is the point?

> Is that a known fact?
> Would a Windoze 2000 server also lose the domain master status to his
> laptop?

That's correct, unless the *clients* are doing something extra special these
days. The samba documentation is quite clear on the implications of "os
level", take a look at it.

> > > BTW i added WINS to the dhcpd.conf by adding "netbios-name-servers
> > > [addr of samba server" in the hopes that it would override any other
> > > rogue browser server trying to answer NETBIOS requests from the
> > > windoze machines.

> > It will only be used on those clients which have no wins browser set.
> > But this can easily be enforced. Make sure it is company policy to use wins
> > and do not support PCs which do not use wins.

> i.e. WINS can ensure that NetBIOS name resolution passes through my
> SAMBA server.  However, how does this ensure that the SAMBA server
> maintains its master browser status and is the server of choice for
> logins?  in my understanding, a WINS server is not necessarily a
> master browser.

You are correct.

> > Your problem has no technical solution.
> i need a second opinion, doc.

> Walter Mautner <wmaut...@hotmail.com> wrote in message

<news:a6pig0$gbi1t$1@ID-104681.news.dfncis.de>...

> > regardless of the OSlevel and preferred attributes and want to
> > become local master browser, which seems to annoy samba (2.2.3a now)
> > so that it refuses to become domain master after a restart of the nmbd
> > service. I cannot do anything else but unplug the Wfwg from the
> > network for a while ....

> you say "a restart of the nmbd."  i have a cron job that restarts the
> smbd and nmbd every 24 hours.  if i discontinue this practice, will a
> machine booting up to oslevel = 65 still be able to abduct the master
> browser service?

Yes. Also, if your Samba server gets heavily loaded, then other systems with
equal or even lower "os level" may still steal it.

Basically, the "os level" stuff really sucks and is a typical Micro$oft
"demoware" implementation.

> > >BTW i added WINS to the dhcpd.conf by adding "netbios-name-servers
> > >[addr of samba server" in the hopes that it would override any other
> > >rogue browser server trying to answer NETBIOS requests from the
> > >windoze machines.

> > Yes, but this only works if he does use the dhcp in his local
> > settings. Otherwise don't give him a IP :)

> He is a manager and has the authority to do as he pleases without
> advising us.  He feels he needs to "test" us.  He has full support of
> management, who are not technical.

Explain to the rest of your management that this is the equivalent of
walking up to the server and yanking out the network cord. It *will*
interfere with local services.

> "Nico Kadel-Garcia" <nka...@bellatlantic.net> wrote in message

<news:3Y1k8.11948$dn2.11852@nwrddc02.gnilink.net>...

> > > the guy is a network engineer who deliberately did this to show that
> > > Linux Samba cannot handle this kind of situation and maintain its
> > > master browser status (says he).  he is also a manager.
> > Not really: This is not a "Linux Samba" problem. It's a Microsoft problem
> > that Samba can't fix.

> Therefore, in *their* view [i.e. Management] it is a LINUX/UNIX fault.

> > It is the client machines that select the master
> > browser, *NOT* the servers themselves.

> But the question was, how does a legitimate NMB master (the LINUX
> server) prevent the abduction of *master* login server for the NMB
> Domain?

According to Micro$oft, "Don't put up two domain controllers on one domain".
There is no defense.

> This question might be similar to asking how a DNS server prevents a
> rogue machine from abducting the DNS queries.

> Am i close to an answer here?  is there a way to hardcode a *node
> number* or some other *unique identifier* into the NMB requests to
> prevent this?

Not to the best of my knowledge. It's a client problem.


> i am thinking of something along the lines of an ether address or a
> logical network node address.  Can we do this in NetBIOS (i am
> assuming NMB == NetBIOS)

> > He should try that on a Micro$not run network and watch the primary domain
> > controller explode. Also, if he did this without warning, he should try it
> > from the unemployment line: it's like throwing a cherry bomb in the company
> > toilet and saying "See? We're at risk from dumb kids!"

> i agree, but:
> they are the leaders.
> we are the engineers.
> we are the slaves of the ignorant.
> i must begin with the premise that they provide.
> i cannot alter the fantasy world that they have created for themselves
> in the workplace.

Can you try? Can you show them the documentation and explain that this
cannot be locked down?


> > > If there is no way to prevent another machine from using oslevel = 65
> > > and obtaining the master status, then this could be the end of the
> > > LINUX machine handling the 70 GIG of data as our fileserver.

> > As I said, there is apparently no defense for Micro$not servers, either.

> > Consider firing this idiot.

> it's actually the other way around: he is a good friend of the CEO and
> a newcomer to the company and is now the CIO.  Me and the other UNIX
> guy are preparing our resumes.  We refuse to convert any servers to
> Windows and if they are converted we cannot be responsible for them
> since we do not understand Windows 2000 "secrets."  (Who does?)

> off-topic: i have a good friend who was an AIX sysadmin at Prudential
> and i heard that they fired their UNIX staff and replaced the systems
> with Windows 2000.  (disclaimer: i do not attest to the true or false
> nature of this rumor)

Yeah, I was just working for an MIT lab and got screwed by my *5* managers,
who never once sat down with me to discuss the hardware failures and planned
software policies, just passed it off to a grad student who said "put it in
bugzilla" and hid under his desk. He "had everyone's confidence" because he
never said anything. The "Windows consultant" was modifying the system,
while the boot disk was known to be flaky, and crashing it at least once a
day by making changes we had agreed not to do until after we swapped the
disk, and doing it during the day from his day job. Did I mention that they
left the wireless network wide open "because we're an academic environment",
which allowed this backstabbing cretin to use his wireless from his day job
across the street? *I* took the blame for "not being able to maintain the
servers in the manner they expected."

If I ever catch this guy in a dark alley, expect me to leave no marks the
cops can see....

> how is it that technical and security "officers" (i as yet do not know
> the qualifications of a so-called CIO nor what he actually knows or
> does not know nor what his role should be) prefer proprietary systems
> which they *cannot* know how they actually work over open source
> systems?  these are probably the same people who want encryption keys
> for the entire world stored in escrow. [end of off-topic paroxysm]

They're used to centralized control and making *their* report filing easier.
Yes, it breaks down in the real world....

 
 
 


Post by Doug Freyubrg » Sun, 17 Mar 2002 08:10:25



> each one of them is telling me that i don't
> have a technical solution to this problem.  does anyone disagree that
> there is *no* technical solution to this problem?

I disagree, but you may class my course of action as not technical.

> > There is also no way to stop other systems to steal the master
> > browser from a windows box, so where is the point?

> Is that a known fact?
> Would a Windoze 2000 server also lose the domain master status to his
> laptop?

I have seen this problem in person on NT-3 and NT-4 domains.  I can't
say on Win-2K domains because all of the ones I've used have been straight
DNS based.

> He is a manager and has the authority to do as he pleases without
> advising us.  He feels he needs to "test" us.  He has full support of
> management, who are not technical.

You have started interviewing to get out from under this doofus, I hope.

> > > the guy is a network engineer who deliberately did this to show that
> > > Linux Samba cannot handle this kind of situation and maintain its
> > > master browser status (says he).  he is also a manager.

> > Not really: This is not a "Linux Samba" problem. It's a Microsoft problem
> > that Samba can't fix.

> Therefore, in *their* view [i.e. Management] it is a LINUX/UNIX fault.

Here's where my course of action comes in.  Plug into a Win-2K LAN.  Do the
exact same thing.  Watch what happens.  Do it with this person watching.
He can test your Linux/Unix boxes, so you have a positive mandate to test
his ones.  When the Win-2K boxes have the exact same reaction, simply say
"Oh, it really is not a Linux/Unix problem.  It is actually a problem in
the architecture that Linux/Unix inherited from its source architecture."
and offer to help in the clean-up.

> But the question was, how does a legitimate NMB master (the LINUX
> server) prevent the abduction of *master* login server for the NMB
> Domain?

By my understanding, that is not how the architecture works.  This isn't a
SAMBA issue at all, because it is (should be) common to all browsing.

> This question might be similar to asking how a DNS server prevents a
> rogue machine from abducting the DNS queries.

Rogue machines are ignored by DNS.  DNS has a worldwide root and every zone
in DNS is delegated from that root.  If you're not delegated, everyone
outside of your local LAN will ignore you.  The only way to subject yourself
to a rogue DNS server is to put its IP number in your /etc/resolv.conf
equivalent or to have it straddle your firewall and put its IP number in
your local DNS server's forwarders lines.

DNS does not use broadcasts or priority levels or whatever, so it is not
subject to abuses using those methods.

> Am i close to an answer here?  is there a way to hardcode a *node
> number* or some other *unique identifier* into the NMB requests to
> prevent this?

I've been thinking how to program your switches with ACLs to do so but I
have not been able to come up with the Cisco IOS strings off the top of
my head.  It should be possible.

> > Consider firing this idiot.

> it's actually the other way around: he is a good friend of the CEO and
> a newcomer to the company and is now the CIO.  Me and the other UNIX
> guy are preparing our resumes.

Good.

> off-topic: i have a good friend who was an AIX sysadmin at Prudential
> and i heard that they fired their UNIX staff and replaced the systems
> with Windows 2000.  (disclaimer: i do not attest to the true or false
> nature of this rumor)

I have heard this of other companies as well.  Watch the newspapers.  At
some point they will realize what is going on and they will be desperate to
get their Unix team back.  That's when you will have leverage on salary
issues.

> how is it that technical and security "officers" (i as yet do not know
> the qualifications of a so-called CIO nor what he actually knows or
> does not know nor what his role should be) prefer proprietary systems
> which they *cannot* know how they actually work over open source
> systems?  these are probably the same people who want encryption keys
> for the entire world stored in escrow. [end of off-topic paroxysm]

You do not expect rational reasons for the irrational, do you?
 
 
 


Post by Bernd Eckenfel » Sun, 17 Mar 2002 14:16:02



> This manager said to me today that if the domain controller was a
> windoze 2000 server, that there is a Microsoft implementation to
> prevent this, which UNIX/LINUX/SAMBA cannot avail of.

I guess he means that WINS and NMB Multicast is no longer used with win2k.

Greetings
Bernd

 
 
 


Post by Bernd Felsch » Sun, 17 Mar 2002 17:19:12





>> > > There is also no way to stop other systems to steal the
>> > > master browser from a windows box, so where is the point?

>> > Is that a known fact?
>> > Would a Windoze 2000 server also lose the domain master status to his
>> > laptop?
>> That's correct, unless the *clients* are doing something extra
>> special these days. The samba documentation is quite clear on the
>> implications of "os level", take a look at it.
>This manager said to me today that if the domain controller was a
>windoze 2000 server, that there is a Microsoft implementation to
>prevent this, which UNIX/LINUX/SAMBA cannot avail of.
>is he bluffing?

Ignorant. See http://www.samba.org

The clients can however do as they please. If Micro$oft is insisting
that their "workstations" only talk to NT/Lose2000, then there are
things that can be done about it; once it's known what they do.

Samba is already capable of mimicking W2000 servers as far as
authentication of clients because it produces identical error
messages that the clients deliberately invoke to ensure that they're
talking to W2000 servers.

>if he's bluffing, i'll call his bluff and then this would be a good
>demonstration that he is a misinformed (or pretending).  (which
>purpose is to continue the use of UNIX systems as the servers, which
>is doing quite well from the administrative point of view).
>> > you say "a restart of the nmbd."  i have a cron job that
>> > restarts the smbd and nmbd every 24 hours.  if i discontinue
>> > this practice, will a machine booting up to oslevel = 65 still
>> > be able to abduct the master browser service?

>> Yes. Also, if your Samba server gets heavily loaded, then other
>> systems with equal or even lower "os level" may still steal it.
>is that also true of a windoze 2000 server?

It's the way the protocol works. It assumes that the server is dead
if it doesn't respond quickly enough. Just make sure that the
server running Samba is adequately resourced. It seems to handle
client requests (quite) a bit faster than NT anyway - on the same
hardware.

>> Explain to the rest of your management that this is the equivalent of
>> walking up to the server and yanking out the network cord. It *will*
>> interfere with local services.
>Right now there is no question about that; the question is, is this
>problem preventable if we replace the LINUX/SAMBA machine a windoze
>2000 server.

Why replace the machine? Make sure you have the latest, stable Samba
running. Review the documentation.

>> Not to the best of my knowledge. It's a client problem.
>can we detect these requests and then block the machine through
>IPTABLES?

Don't know; depends on your network.

>> > i must begin with the premise that they provide.
>> > i cannot alter the fantasy world that they have created for themselves
>> > in the workplace.

>> Can you try? Can you show them the documentation and explain that this
>> cannot be locked down?
>if i had evidence, "YES."
>Can anyone point me in the direction of digging up evidence please?  i
>am concerned that once i submit to the installation of a windoze 2000
>server in order to test this, it will be a 'fait accompli' and the
>death knell for UNIX/LINUX systems in this corporation.

You're having a *political* problem, not a technological one.
You can't stop people putting sugar in the fuel tank.

If other parties prefer the W2k server; let them pay for the
hardware upgrade and the licence costs + maintenance out of their
own pocket.
--
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | I'm a .signature virus!
 X   against HTML mail     | Copy me into your ~/.signature
/ \  and postings          | to help me spread!

 
 
 


Post by John E. Malmber » Mon, 18 Mar 2002 02:30:36


Microsoft Primary Domain Controllers know that they can not lose a
browser election.

If one of them is on the network, then "Let the wookie win" and take
over the domain master browsing.

It usually does not matter who is the master browser, as long as there
is only one, and it does the job correctly.

If someone else claims to have won the browser election, the PDC will
start the election over again.

And your entire network will degrade while the PDC disputes any results
where it does not win and starts things over again.

The Microsoft Windows clients may (or may not) be smart enough to let
the PDC win the election, even if the "os level" says otherwise, as they
may be getting other clues, so performing the same test in an all
Microsoft network may not produce results as bad as when using SAMBA.

SAMBA does not appear to be smart enough to detect when it is in a
browser election war with a Microsoft PDC and will also continue to try
to win.

This has been discussed quite a bit in the Samba Technical forum, and
the conclusion was that it was not the Samba program's job to protect a
user from misconfiguring their network.

It also may be quite a bit of work to get SAMBA to automatically detect
and deal with this condition.

Other third party LANMAN protocol servers licensed from Microsoft can
cause the same browsing problems on the network if they are allowed to
become a browse master.  So this problem is not unique to SAMBA.

Determining who has the right to set the policies and protocols on the
network is a company issue, and not a technical one.

-John

Personal Opinion Only

 
 
 


Post by gaius.petroni » Tue, 19 Mar 2002 11:48:54



> >  does anyone disagree that
> > there is *no* technical solution to this problem?

> I disagree, but you may class my course of action as not technical.

in this case i meant 'technical' where i can ignore the windoze
workstations and fix the problem by configuring the servers or the
switch-routers.

Apparently not since the problem lies in the design of the protocol
and the source of the conflict (workstations).

> > He is a manager and has the authority to do as he pleases without
> > advising us.  He feels he needs to "test" us.  He has full support of
> > management, who are not technical.

> You have started interviewing to get out from under this doofus, I hope.

This seems to be the best technical solution i have been offered to
the problem.

> > Therefore, in *their* view [i.e. Management] it is a LINUX/UNIX fault.

> Here's where my course of action comes in.  Plug into a Win-2K LAN.  Do the
> exact same thing.

we don't have a windoze LAN here.
i replaced all windoze servers with UNIX/LINUX when i came here.  But
those were the days before "Windows 2000", "Windows ME -HI!" and
"Windows XP"

>  Watch what happens.  Do it with this person watching.

He'll just come up with some excuse and then suggest we keep the
windoze server  running on the network.

> He can test your Linux/Unix boxes, so you have a positive mandate to test
> his ones.

what?  this is not a democratic institution.  There's a boss.  There's
his circle of cronies.  And then there's us.

>  When the Win-2K boxes have the exact same reaction.  Simply say
> "Oh, it really is not a Linux/Unix problem.  It is actually a problem in
> the architecture that Linux/Unix inherited from its source architecture."
> and offer to help in the clean-up.

cleaning up my desk is what i'd be doing, Doug.
Thanks anyway.

> > But the question was, how does a legitimate NMB master (the LINUX
> > server) prevent the abduction of *master* login server for the NMB
> > Domain?

> By my understanding, that is not how the architecture works.  This isn't a
> SAMBA issue at all, because it is (should be) common to all browsing.

Yeah, i see that now.
Why did they (the good people of America) let this happen? (i mean
Microsoft, not NetBIOS.)  They put MS-DOS on the PCs, created a phony
bug with a message "Only DR. DOS can solve this problem" and the rest
is history.  (disclaimer: i do not attest to the true or false nature
of this inadvertent passage i read in a book)

> > Am i close to an answer here?  is there a way to hardcode a *node
> > number* or some other *unique identifier* into the NMB requests to
> > prevent this?

> I've been thinking how to program your switches with ACLs to do so but I
> have not been able to come up with the Cisco IOS strings off the top of
> my head.  It should be possible.

Which aspect would i be attacking (protocol number?  broadcast?)

> You do not expect rational reasons for the irrational, do you?

didn't they come up with a reason for cobol at one point?
 
 
 


Post by Nico Kadel-Garci » Wed, 20 Mar 2002 00:23:01



> Yeah, i see that now.
> Why did they (the good people of America) let this happen? (i mean
> Microsoft, not NetBIOS.)  They put MS-DOS on the PCs, created a phony
> bug with a message "Only DR. DOS can solve this problem" and the rest
> is history.  (disclaimer: i do not attest to the true or false nature
> of this inadvertent passage i read in a book)

Are you referring to the Win95/DRDOS wackiness? It turns out that Win9x is
really a graphical user interface, living on top of a slightly modified
MS-DOS kernel. It also turns out that the DRDOS software is a better,
commercially available kernel. So Microsoft slightly modified Win9x to
detect the non-Micro$oft kernel, and complain about it at start-up time. It
doesn't break, it just complains. This led to a *massive* lawsuit by the
DRDOS company, which Micro$oft of course settled by tying up in the courts
until the authors of DRDOS were bled dry by legal fees. Similar to their
handling of Java, Netscape, and the real manufacturers of the stolen
"Microsoft Mouse" design.....
 
 
 


Post by Lew Pitch » Wed, 20 Mar 2002 00:47:30


On Mon, 18 Mar 2002 15:23:01 GMT, "Nico Kadel-Garcia"




>> Yeah, i see that now.
>> Why did they (the good people of America) let this happen? (i mean
>> Microsoft, not NetBIOS.)  They put MS-DOS on the PCs, created a phony
>> bug with a message "Only DR. DOS can solve this problem" and the rest
>> is history.  (disclaimer: i do not attest to the true or false nature
>> of this inadvertent passage i read in a book)

>Are you referring to the Win95/DRDOS wackiness? It turns out that Win9x is
>really a graphical user interface, living on top of a slightly modified
>MS-DOS kernel. It also turns out that the DRDOS software is a better,
>commercially available kernel. So Microsoft slightly modified Win9x to
>detect the non-Micro$oft kernel, and complain about it at start-up time. It
>doesn't break, it just complains. This led to a *massive* lawsuit by the
>DRDOS company, which Micro$oft of course settled by tying up in the courts
>until the authors of DRDOS were bled dry by legal fees.

Well, not entirely true.

You left out that Caldera (of Caldera Linux) bought the rights to DRDOS
from Novell (who bought them from Digital Research), and took Microsoft to
court. Microsoft settled out-of-court for an undisclosed amount (NDA, etc.)
(If you want to read about this, take a look at
http://www.oreillynet.com/pub/a/network/2000/02/07/schulman.html )

Caldera later spun off its DRDOS ownership to a subsidiary then called
"Caldera Thin Clients". This subsidiary is now known as "Lineo".
(See http://www.caldera.com/company/press/19990720lineo.html for a history)

Lineo sells DRDOS for embedded systems, but also licences DRDOS for free
use when run under the DOSEMU virtual x86 package (see
http://www.drdos.com/ for details)

>Similar to their
>handling of Java, Netscape, and the real manufacturers of the stolen
>"Microsoft Mouse" design.....

Lew Pitcher, Information Technology Consultant, Toronto Dominion Bank Financial Group

(Opinions expressed are my own, not my employer's.)

 
 
 


Post by Doug Freyubrg » Wed, 20 Mar 2002 08:24:51



> > I've been thinking how to program your switches with ACLs to do so but I
> > have not been able to come up with the Cisco IOS strings off the top of
> > my head.  It should be possible.

> Which aspect would i be attacking (protocol number?  broadcast?)

I think they're NetBEUI embedded in UDP packets.  I suspect they are otherwise
regular SMB packets with uncommon flags set.  That's the hard part.  You would
have to look X number of characters into the packet to see if it is involved in
browsing, then Y bytes into the packet to see if is trying to spoof you, and so
on.

To get the data needed to figure out which packets to filter, you need the
protocol specs, or a snoop of the network and the source code for samba.  At
least the source code is readily available.  That's why you included
comp.protocols.smb in this thread from the start!  Does anyone on that group
know how to easily identify a packet involved in a browsing master election?
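
On the question of how to identify a packet involved in a browse master election, and the earlier one about detecting these requests: an added example, not part of the original thread and not Samba's code, that parses browser election request frames and flags any that come from a host other than the approved browse master. It assumes the capture tool has already stripped the NetBIOS datagram and SMB mailslot wrapper, leaving the browser frame (opcode 0x08, election version, 32-bit criteria with the OS level in the top byte, uptime, reserved word, NUL-terminated name); the function names, addresses, host names and sample frames are constructed for illustration.

```python
"""Flag browser election requests from hosts that are not the approved browse master."""
import struct
from dataclasses import dataclass

ELECTION_REQUEST = 0x08   # browser mailslot opcode: election request
HEADER = "<BBIII"         # opcode, election version, criteria, uptime (ms), reserved
HEADER_LEN = struct.calcsize(HEADER)   # 14 bytes, then a NUL-terminated server name


@dataclass(frozen=True)
class ElectionFrame:
    version: int
    criteria: int      # 32-bit value; the top byte is the sender's OS level
    uptime_ms: int
    server_name: str

    @property
    def os_level(self) -> int:
        return (self.criteria >> 24) & 0xFF


def parse_election(payload: bytes):
    """Return an ElectionFrame, or None for other opcodes and malformed input."""
    if len(payload) <= HEADER_LEN or payload[0] != ELECTION_REQUEST:
        return None
    _op, version, criteria, uptime, _reserved = struct.unpack_from(HEADER, payload)
    end = payload.find(b"\x00", HEADER_LEN)
    if end == -1:                      # name is not terminated: truncated frame
        return None
    name = payload[HEADER_LEN:end].decode("ascii", "replace")
    return ElectionFrame(version, criteria, uptime, name)


def outranks(a: ElectionFrame, b: ElectionFrame) -> bool:
    """Election ordering: version, then criteria, then uptime, then lower name."""
    key_a = (a.version, a.criteria, a.uptime_ms)
    key_b = (b.version, b.criteria, b.uptime_ms)
    if key_a != key_b:
        return key_a > key_b
    return a.server_name.upper() < b.server_name.upper()


def review(events, authorized_ips, ours: ElectionFrame):
    """events: iterable of (source_ip, browser_frame_bytes). Returns alert dicts."""
    alerts = []
    for src_ip, payload in events:
        frame = parse_election(payload)
        if frame is None or src_ip in authorized_ips:
            continue
        alerts.append({
            "src": src_ip,
            "name": frame.server_name,
            "os_level": frame.os_level,
            # True means this host's claim beats the approved server's own claim.
            "would_win": outranks(frame, ours),
        })
    return alerts


def make_frame(version, os_level, flags, uptime_ms, name):
    """Build a constructed sample frame (revision bytes 0x010f are sample values)."""
    criteria = (os_level << 24) | (0x010F << 8) | flags
    return struct.pack(HEADER, ELECTION_REQUEST, version, criteria, uptime_ms, 0) \
        + name.encode("ascii") + b"\x00"


# Constructed sample data: documentation addresses and made-up host names.
AUTHORIZED = {"192.0.2.10"}
OURS = parse_election(make_frame(1, 65, 0x88, 86_400_000, "FILESRV"))
SAMPLE_EVENTS = [
    ("192.0.2.10", make_frame(1, 65, 0x88, 86_400_000, "FILESRV")),   # approved server
    ("192.0.2.77", make_frame(1, 65, 0x88, 172_800_000, "LAPTOP")),   # same criteria, longer uptime
    ("192.0.2.78", make_frame(1, 32, 0x08, 999_999_999, "WKSTN2")),   # lower OS level
    ("192.0.2.79", b"\x01" + b"\x00" * 20),                           # not an election frame
    ("192.0.2.80", b"\x08\x01\x00"),                                  # truncated
]

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS, AUTHORIZED, OURS):
        print(alert)
```
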

 
 
 


Post by gaius.petroni » Fri, 22 Mar 2002 11:34:38



> > Is that a known fact?
> > Would a Windoze 2000 server also lose the domain master status to his
> > laptop?

> I have seen this problem in person on NT-3 and NT-4 domains.  I can't
> say on Win-2K domains because all of the ones I've used have been straight
> DNS based.

well, the decision has been made: switch the file server to windoze
2000.  no tests, no questions, no discussion.

> > He is a manager and has the authority to do as he pleases without
> > advising us.  He feels he needs to "test" us.  He has full support of
> > management, who are not technical.

> You have started interviewing to get out from under this doofus, I hope.

> > > > the guy is a network engineer who deliberately did this to show that
> > > > Linux Samba cannot handle this kind of situation and maintain its
> > > > master browser status (says he).  he is also a manager.

> > > Not really: This is not a "Linux Samba" problem. It's a Microsoft problem
> > > that Samba can't fix.

> > Therefore, in *their* view [i.e. Management] it is a LINUX/UNIX fault.

> Here's where my course of action comes in.  Plug into a Win-2K LAN.  Do the
> exact same thing.  Watch what happens.  Do it with this person watching.
> He can test your Linux/Unix boxes, so you have a positive mandate to test
> his ones.  When the Win-2K boxes have the exact same reaction.

i hope you're right about this
this manager claims that the SAMBA domain login is not a *true* NT/W2K
"domain" login.  he claims it is a "Windows Workgroup" peer-to-peer
type login.  as i recall WFW back in 1994, i don't remember there
being a need to *login* at all, just a correct configuration of a
"workgroup" netbios name.  However, the LINUX/SAMBA server provides a
*domain* login for the windoze users, *or else* please tell me how it
is that their *Microsoft Family* configuration can have a "login to
Windows NT domain" checkbox checked with the domain name configured,
and people logging in successfully?  my LINUX/SAMBA server has a
NETLOGON directory also for these domain logins.  But this manager
claims that all this is not true *and* not open for discussion.

there is one guy i can go to with this if i can provide hard evidence
*that is easy to understand* for semi-technical people in management.
in my view, the fact that the windoze client machines have the NT
domain login box checked and *do* successfully login to the
LINUX/SAMBA server is sufficient evidence.

again, he claims that a W2K server will *never* relinquish the PDC
status if another w2K configured as a PDC joins the network

 
 
 

samba: force LINUX NMB to ALWAYS obtain master browser status

Post by Doug Freyubrg » Sat, 23 Mar 2002 01:20:47



> again, he claims that a W2K server will *never* relinquish the PDC
> status if another w2K configured as a PDC joins the network

So plug one in and prove him, uhm, right.  Then continue interviewing.
 
 
 

samba: force LINUX NMB to ALWAYS obtain master browser status

Post by Liam Cunningha » Sat, 13 Apr 2002 12:01:01






>> > Is that a known fact?
>> > Would a Windoze 2000 server also lose the domain master status to his
>> > laptop?

>> I have seen this problem in person on NT-3 and NT-4 domains.  I can't
>> say on Win-2K domains because all of the ones I've used have been
>> straight DNS based.

> well, the decision has been made: switch the file server to windoze 2000.
> no tests, no questions, no discussion.

>> > He is a manager and has the authority to do as he pleases without
>> > advising us.  He feels he needs to "test" us.  He has full support of
>> > management, who are not technical.

>> You have started interviewing to get out from under this doofus, I
>> hope.

>> > > > the guy is a network engineer who deliberately did this to show
>> > > > that Linux Samba cannot handle this kind of situation and
>> > > > maintain its master browser status (says he).  he is also a
>> > > > manager.

>> > > Not really: This is not a "Linux Samba" problem. It's a Microsoft
>> > > problem that Samba can't fix.

>> > Therefore, in *their* view [i.e. Management] it is a LINUX/UNIX
>> > fault.

>> Here's where my course of action comes in.  Plug into a Win-2K LAN.  Do
>> the exact same thing.  Watch what happens.  Do it with this person
>> watching. He can test your Linux/Unix boxes, so you have a positive
>> mandate to test his ones.  When the Win-2K boxes have the exact same
>> reaction.

> i hope you're right about this
> this manager claims that the SAMBA domain login is not a *true* NT/W2K
> "domain" login.  he claims it is a "Windows Workgroup" peer-to-peer type
> login.  as i recall WFW back in 1994, i don't remember there being a
> need to *login* at all, just a correct configuration of a "workgroup"
> netbios name.  However, the LINUX/SAMBA server provides a *domain* login
> for the windoze users, *or else* please tell me how it is that their
> *Microsoft Family* configuration can have a "login to Windows NT domain"
> checkbox checked with the domain name configured, and people logging in
> successfully?  my LINUX/SAMBA server has a NETLOGON directory also for
> these domain logins.  But this manager claims that all this is not true
> *and* not open for discussion.

> there is one guy i can go to with this if i can provide hard evidence
> *that is easy to understand* for semi-technical people in management. in
> my view, the fact that the windoze client machines have the NT domain
> login box checked and *do* successfully login to the LINUX/SAMBA server
> is sufficient evidence.

> again, he claims that a W2K server will *never* relinquish the PDC
> status if another w2K configured as a PDC joins the network

Samba is quite capable of acting as an NT-Domain controller (you will
need to carefully read the documentation). The caveats
are that it cannot act in a trust relationship with other NT systems (i.e.
no slave controllers), and it cannot participate in a W2K active-directory
(yet). However, any system you run it on will have a tendency
to be more stable than those systems from MS (of course, I'm just a
little biased in that respect).

Your manager could be right about W2K never relinquishing PDC status. Of
course that would mean that you would never be able to replace it. Not even
with another W2K system. A scenario which I find rather disturbing.
(there's that bias again) Of course you could just shut the W2K system
off and use it as the boat anchor it was meant to be ;-).
 
 
 

1. samba: force LINUX NMB to ALWAYS obtain master browser status

some wiseguy on the subnet configured his Windoze laptop to oslevel =
65 and then began obtaining login requests for our windoze clients
(who, of course, could not login).

imagine the hell this raised.

the guy is a network engineer who deliberately did this to show that
Linux Samba cannot handle this kind of situation and maintain its
master browser status (says he).  he is also a manager.

in the past our solution has always been to locate the offending
machine and knock down the oslevel.  Our Samba configuration is set
for master browser = yes, domain logins = yes, oslevel = 65.

IS there a way to ensure that no other NMB machine on the network,
regardless of his OS level, can steal the master status of the Samba
machine?

If there is no way to prevent another machine from using oslevel = 65
and obtaining the master status, then this could be the end of the
LINUX machine handling the 70 GIG of data as our fileserver.

BTW i added WINS to the dhcpd.conf by adding "netbios-name-servers
[addr of samba server" in the hopes that it would override any other
rogue browser server trying to answer NETBIOS requests from the
windoze machines.

i don't know if this will fix the problem.
can anyone tell me from their experience if they were able to solve
this problem?  and TIA
