Fudging domain support - samba 2.2.0

Ian MacPhedran Ian_MacPhedran at engr.USask.Ca
Fri Apr 20 19:47:10 GMT 2001


Hi;
There is likely a supported way around this problem, but it wasn't
immediately apparent to me. So, I created the enclosed patch to fix my
problem.

What I would like to do is the following:
 - run samba in "security = domain"
 - not use trusted domains, but allow people to connect from other domains
 - not maintain a local encrypted password file for samba, but instead use
   our domain server to authenticate all users

What the fix does is have samba lie to itself as to what domain the
request came from. This may have security implications, which I've
ignored.

I used the enclosed fix on samba 2.0.7 and that has worked for us for some
time. There do not seem to be any problems so far in my tests of 2.2.0.
(The enclosed patch is for 2.2.0. Note that I have not done any ifdefs or 
similar.)

Please let me know if I'm missing a method of doing this via the normal
configuration file.

Thanks for your work on this program. The ACL support in 2.2.x is very
handy, and the print driver support (while exceedingly slow in adding new 
print drivers to the server) will be useful as well.

Ian.
----------------------------------------------------------------------------
Ian MacPhedran,    Engineering Computer Centre,   2B13 Engineering Building,
University of Saskatchewan,  57 Campus Drive,  Saskatoon SK  S7N 5A9, CANADA
Phone: (306)966-4832 Fax: (306)966-5205  Email: Ian_MacPhedran at engr.USask.CA
-------------- next part --------------
*** orig/samba-2.2.0/source/smbd/reply.c	Thu Apr 12 22:09:39 2001
--- samba-2.2.0/source/smbd/reply.c	Wed Apr 18 15:59:55 2001
***************
*** 616,623 ****
    if(lp_security() != SEC_DOMAIN)
      return False;
  
!   if (!check_domain_match(orig_user, domain))
!      return False;
  
    ret = domain_client_validate(orig_user, domain,
                                  smb_apasswd, smb_apasslen,
--- 616,625 ----
    if(lp_security() != SEC_DOMAIN)
      return False;
  
!   if (!check_domain_match(orig_user, domain)) {
!      DEBUG(0,("Domain %s remapped to %s\n",domain,global_myworkgroup));
!      domain = global_myworkgroup;
!   }
  
    ret = domain_client_validate(orig_user, domain,
                                  smb_apasswd, smb_apasslen,
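Review bot: The mismatch branch at line 619 no longer rejects the request: when check_domain_match() fails, the client-supplied domain is overwritten with global_myworkgroup and domain_client_validate() runs anyway, so a logon that names any other domain is validated as the same-named account in the local domain. Since the change is not behind an ifdef or a configuration parameter, every security = domain installation that takes this patch loses the domain check. Suggest gating the remap on an explicit smb.conf option that defaults to off and keeping the original "return False" otherwise. The DEBUG(0, ...) call also writes a client-controlled string to the log at the always-on level on every mismatch; a higher debug level would keep the log usable, and the message would be more useful for auditing if it included orig_user.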
***************
*** 927,932 ****
--- 929,938 ----
     * security=domain.
     */
  
+   
+   DEBUG(0,("Domain %s remapped to %s\n",domain,global_myworkgroup));
+   domain=global_myworkgroup;
+  
    if (!guest && !check_server_security(orig_user, domain, user, 
           smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) &&
        !check_domain_security(orig_user, domain, user, smb_apasswd,
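Review bot: The assignment "domain=global_myworkgroup;" added at line 933 is unconditional: it is not guarded by check_domain_match() or by lp_security() == SEC_DOMAIN, so the client's domain is discarded for every session setup and the replaced value is also passed to check_server_security(), not only to check_domain_security(). The DEBUG(0, ...) line above it will report "remapped" at level 0 on every logon, including those where the domain already matched. Suggest wrapping both lines in the same condition used in the first hunk (and the same opt-in setting), so that the remap and the log entry occur only on an actual mismatch in domain security mode. The two added lines that contain only whitespace can be dropped.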

