Samba 1.9.19pre-alpha as NT domain Client

Dries, Joseph joseph.dries at lmco.com
Fri Aug 21 01:30:49 GMT 1998


Sorry in advance for being verbose...

> -----Original Message-----
> From:	Jeremy Allison [SMTP:jallison at cthulhu.engr.sgi.com]
> Sent:	Thursday, August 20, 1998 12:49 PM
> To:	Multiple recipients of list
> Subject:	Re: Samba 1.9.19pre-alpha as NT domain Client
> 
> Gerald Carter wrote:
> > 
> > 
> > > As a side note, if there is a user account in the resource domain,
> > > and a user account in the ACCT domain, (and the user is logged into
> > > the NTworkstation as ACCT\uname), which account does the samba server
> > > try to authenticate?
> > 
> > Good question?  Jeremy?  Luke?
> 
> The CVS code forwards both the Domain and the user name
> to the remote PDC/BDC - exactly as NT does. So if the Samba
> server is in the resource domain, and the resource PDC trusts
> the account PDC then the authentication should be done in
> the account domain. I haven't got a complex domain setup
> here at SGI (but the IS people are building one) so I can't
> test it at present - but be sure that SGI will be eating
> my dogfood (to use a Microsoft phrase) once we have it set
> up :-).
> 
	Hmmm. I managed to get everything working today. What ended up
happening, and why the last question I asked, and you answered above, was
important is this: I had an account in both the ACCT domain, and the
RESOURCE domains. The accounts had the same NT account name. But they had
different passwords. This normally wasn't an issue, I can normally log into
RES domain resources w/o problems using my ACCT\uname account. Naturally I
could access RES resources with my RES\uname account. I could NOT access any
Samba shared resources with my account however, neither the RES\uname nor
the ACCT\uname.

	When I was prompted for an account and logon, when I entered
RES\uname it gave me an error about Credentials being different. When I
entered just my account name, it just gave me access denied. When I entered
ACCT\uname (which I was logged in as on the NTW) it also gave me access
denied.

	I then logged into RES\uname and changed the password to match that
of my ACCT\uname. From then on the Samba share worked. It also works for
ACCT\uname accounts that don't have a matching RES\uname account, or
ACCT\uname accounts that had a matching RES\uname and synchronized
passwords.

	Therefore it sounds as if something isn't being done quite right.
Normal NTS and NTW machines could differentiate between my ACCT\uname and
RES\uname accounts, but the Samba CVS code didn't seem to. I have my
workaround right now. Have accounts exist in EITHER RES\uname, or ACCT\uname
form. Or if it exists in both, make sure the passwords are synchronized.
However that's not the correct behavior.

	I did notice on our Network Appliance Filer (OS ver 5.1R1) that in
the /etc/usermap.cfg file you can specify DOM\uname in the Unix<->NT name
mapping. Is that something that can be done in the smbusers file, or rather
something that _should_ be done? I do the DOM\uname mapping on my NetApp,
but in the Samba smbusers files I just list the NT account names in uname
form, not DOM\uname form.

> Having said that, the name still (at present) has to map
> to a UNIX username on the local Samba server. 'Appliance'
> mode should fix this though.
> 
	Username mapping is not an issue for me, I have a process to take
care of that. What is "Appliance" mode, however? I'm not familiar with that
terminology.


