auth via security = server and "Domain Users" group

thwartedefforts at thwartedefforts at
Wed Aug 19 18:37:02 GMT 1998

I just ran into a strange problem (not with samba though) when using security = server, and it may be helpful to those people who are also having problems with it.  I don't remember seeing anything about this mentioned anywhere in the documentation.

I'm in the middle of converting this entire NTS/NTW network over to being samba served and samba PDC'd.  In the interim, I've got samba running on RH5.1 with security = server and the password server pointed at our current NTS4 PDC.  I created a few accounts on linux, set up the usermap files and all worked well (people were able to get to the samba shares with their NTS PDC auth stuff), that is, until I added the remainder of the accounts and a few other people tried to access the samba machine.  It was constantly prompting for passwords, and nothing worked, unless you gave samba a username and password (from the original set of users) that previously worked.  The samba log said things like:

  trying NetWkstaUserLogon with password server MERCURY
  NetWkstaUserLogon success
  password server MERCURY gave guest privilages

Anyway, I tracked this down to the fact that some of the users were not in the NT Group named "Domain users".  After putting the users, on the PDC, into the "Domain users" group, then the NTS PDC, as samba puts it, "accepted the password", and they were able to access samba okay.

I don't remember seeing anything about this in the docs, and of course, the help files on NT didn't give me any hint about this either.  I suspect that NT DCs won't perform auth for users for other machines if the user is not in the "Domain Users" group.

Does anyone know if this is true for other NT (server and workstation) machines that have auth deferred to the PDC?  I don't think this would normally be a problem unless someone decided that the default groups that exist on NT (power users, domain users, etc) are not a good idea and go and remove them or remove users from those groups (such was the case at my site).  As you can tell, I'm not much of an NT guy.

Andy Bakun
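
An added example, not part of the original post: a small scanner that finds the symptom described above in a Samba log, that is, a NetWkstaUserLogon that succeeds on the password server but comes back with guest privileges only. The function names are hypothetical and the sample log is constructed from the three log lines quoted in the post.

```python
import re
from collections import Counter

# Message formats are taken from the three log lines quoted in the post.
TRY_RE = re.compile(r"trying NetWkstaUserLogon with password server (\S+)")
OK_RE = re.compile(r"NetWkstaUserLogon success")
# The quoted log spells it "privilages"; the correct spelling is accepted too.
GUEST_RE = re.compile(r"password server (\S+) gave guest privil[ae]ges")


def find_guest_downgrades(lines):
    """Return one record per logon that the password server mapped to guest."""
    events = []
    attempt = None  # state of the most recent "trying ..." line
    for lineno, line in enumerate(lines, start=1):
        m = TRY_RE.search(line)
        if m:
            attempt = {"server": m.group(1), "ok": False}
            continue
        if attempt is not None and OK_RE.search(line):
            attempt["ok"] = True
            continue
        m = GUEST_RE.search(line)
        if m:
            same = attempt is not None and attempt["server"] == m.group(1)
            # logon_succeeded=True is the post's case: the PDC validated the
            # logon but returned guest, so Samba keeps prompting for a password.
            events.append({"line": lineno, "server": m.group(1),
                           "logon_succeeded": bool(same and attempt["ok"])})
            attempt = None
    return events


def summarize(events):
    """Count guest downgrades per password server."""
    return Counter(e["server"] for e in events)


# Constructed sample: two guest downgrades around one logon with no guest line.
SAMPLE_LOG = """\
  trying NetWkstaUserLogon with password server MERCURY
  NetWkstaUserLogon success
  password server MERCURY gave guest privilages
  trying NetWkstaUserLogon with password server MERCURY
  NetWkstaUserLogon success
  trying NetWkstaUserLogon with password server MERCURY
  NetWkstaUserLogon success
  password server MERCURY gave guest privilages
""".splitlines()

if __name__ == "__main__":
    for e in find_guest_downgrades(SAMPLE_LOG):
        print(f"line {e['line']}: {e['server']} gave guest, "
              f"logon_succeeded={e['logon_succeeded']}")
```

A non-zero count for a password server is a cue to check group membership on the PDC for the affected accounts, as the post did with "Domain Users".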
