security = domain

Ryan Koski Ryan at
Thu Aug 13 18:32:11 GMT 1998

Hmmm....  What you are saying does make sense.  However, my
understanding of the security = domain option as explained in the
SAMBA/NTDOM FAQ is that it will allow a SAMBA server to "join" an
existing domain, be it controlled by NT or another SAMBA server.  I
guess I assumed that "join" means that it becomes just like another NT
box on the network in that it doesn't need users defined locally; it
will authenticate users based on Domain (and trusted domain) user
accounts.  Of course, an NT machine would know what to do with this
info, but UNIX won't...

Our company is trying to move our developers away from working in UNIX
shell accounts via terminal emulators to working in MS Dev Studio with
SourceSafe.  We've tried using NFS with commercial NFS clients for NT,
and have a long list of reasons why we don't like doing this.  I'm
trying to sell SAMBA as an alternative solution, but it will be a hard
sell if we have to maintain the users on each UNIX box as well as on NT.
Has anyone figured out a way to "dump" the list of domain users from a
PDC to a passwd file?

Ryan Koski
Management Information Systems

		-----Original Message-----
		From:	Greg Dickie [mailto:greg at]
		Sent:	Thursday, August 13, 1998 11:22 AM
		To:	Multiple recipients of list
		Subject:	RE: security = domain

		The functionality you are refering to is with
security=server. The NTDOM stuff
		provides security=domain and lets your NT users actually
athenticate to a
		Primary Domain Controller implemented in samba. The
problem you are having is
		that your samba server may be asking the NT server to
authenticate the
		username/password pair just fine but then it has no idea
what to do with them.
		Remember samba just tries to map NT privileges to some
local user. If I log on
		to an NT domain with username greg but there is no user
greg on the samba
		machine then unless I map it to something else using
username map, I will  be
		nobody because UNIX does not know me.

		Does that make any sense?

		On 13-Aug-98 Ryan Koski wrote:
		> Well, I commented out said line and rebuilt
everything.  I can now
		> browse the shares on my SAMBA machine (the logs show
it using the
		> "nobody" account).  Interestingly, all the shares
appear in explorer
		> with names in ALL CAPS.  I can access those shares if
there is a user
		> account on the Linux box with the same name as my NT
domain username.
		> However, if I delete that user account from the Linux
box, I cannot
		> access those shares anymore.
		> Maybe I'm misunderstanding how SAMBA/NTDOM is supposed
to work.  Is it
		> supposed to be possible to get a SAMBA server to get
ALL of it's auth
		> info from an NT PDC without having to administer user
accounts on the
		> SAMBA server whatsoever?  Or do I need to have user
accounts on the
		> SAMBA server for each of my NT domain users?
		> Thanks!
		> Ryan Koski
		> Management Information Systems
		>               -----Original Message-----
		>               From:   Matthew Chapman
		> [mailto:z2232203 at]
		>               Sent:   Wednesday, August 12, 1998 6:21
		>               To:     Multiple recipients of list
		>               Subject:        Re: security = domain
		>               Ryan Koski wrote:
		>               > [1998/08/12 17:38:11, 0]
		>               >   Couldn't set gid 500 currently set
to (0,0)
		>               > [1998/08/12 17:38:11, 0]
		> smbd/server.c:make_connection(3699)
		>               >   Can't become connected user!
		>               This looks to me like another broken
'setresuid' call.
		> Strange, I
		>               thought it had been fixed in Redhat 5.1
(maybe not).
		>               Try commenting out (enclose in /* ...
*/) the #define
		>               line in config.h and do a clean
recompile ("make clean;
		> make").
		>                   Matt
		>               --
		>               Matt Chapman
		>               E-mail: mattyc at

		Greg Dickie
		Just A Guy*
		*from discreet logic
		(514) 954-7171
		greg at

More information about the samba-ntdom mailing list