NT user authentication

Andrej Borsenkow borsenkow.msk at sni.de
Thu Dec 3 14:15:00 GMT 1998


>
> Yes this is how it works. It is also how Samba 2.0 works.
> Don't know about the HEAD branch as that has so
> widely diverged at the moment.
>


Mostly the same ... There is one thing that nags me. The following applies to
the 2.1 branch.

Samba as a member of an NT domain poses a problem: what to do if a Unix user with the
same name as a domain user exists, but does not have an explicit NT->Unix
mapping. Luke writes that any user not explicitly mapped is assumed to be
local. This is _not_ how it currently works (and is a bit different anyway).

The possible ways to deal with such users can be:

1. automatically generate a Unix account

    Quite suitable for a dedicated Samba server without interactive access. You simply
    plug it onto the NT domain and let it run.

2. reject these users (remember, they _are_ authenticated by the PDC already)

    It may be quite reasonable for Unix admins wishing full control over who can connect
    to their box. Anything not allowed is prohibited ... The user may be presented with
    something like "local policy does not allow you to connect" (if at all possible). To
    connect, such users would need to specify the Samba domain and be authenticated with
    the local password database - again completely under the control of the local admin.

3. connect as guest (or any fallback account)

    A mild version of 2, which provides an anonymous file server for a large number of
    users, while giving the Unix admin the same level of control. The only problem is, it
    may be a bit unexpected for users ...

4. connect with the matching Unix user's rights

    The worst case. It means that it is possible to simply create a matching NT account
    and access the Samba server as that Unix user. What is even worse, if there are
    trusted domains, then such a user can be created in _any_ trusted domain - it is a bit
    too much for me.

For any server that is not used exclusively for Samba I favour 2 and 3,
with an smb.conf option to control the behaviour. Current Samba implements 4 -
sigh.

/andrej
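An added example (not from the post and not Samba's own code) that models the mapping step the post argues about: a PDC-authenticated (domain, user) pair arrives with no explicit NT->Unix mapping, and each of the four options decides which local account it runs as. The mapping table, password database, domain names and the `domain_user` naming scheme for option 1 are constructed sample data and assumptions; the audit helper shows which local accounts a same-named account in a trusted domain would obtain under option 4.

```python
from enum import Enum

class Policy(Enum):
    """The four options from the post for a PDC-authenticated user with no explicit mapping."""
    AUTO_CREATE = 1     # 1. generate a dedicated Unix account
    REJECT = 2          # 2. refuse the connection
    GUEST = 3           # 3. fall back to the guest account
    MATCH_BY_NAME = 4   # 4. use the same-named Unix account (what the post says Samba does)

# Constructed sample data: explicit NT->Unix mappings keyed by (domain, user)
# and the local password database of the Samba host.
EXPLICIT_MAP = {("CORP", "alice"): "alice"}
LOCAL_PASSWD = {"root", "alice", "bob", "nobody"}

def resolve(domain, user, policy, passwd=None, explicit=EXPLICIT_MAP, guest="nobody"):
    """Return the Unix account a PDC-authenticated (domain, user) runs as, or None to reject.

    Authentication is assumed already done by the PDC; this is only the NT->Unix mapping step.
    """
    passwd = set(LOCAL_PASSWD) if passwd is None else passwd
    mapped = explicit.get((domain, user))
    if mapped is not None:          # an explicit mapping by the admin always wins
        return mapped
    if policy is Policy.MATCH_BY_NAME:
        # Option 4: a same-named account in *any* trusted domain gets the local user's rights,
        # because the domain is not part of the lookup at all.
        return user if user in passwd else None
    if policy is Policy.REJECT:
        return None                 # option 2: local policy refuses unmapped domain users
    if policy is Policy.GUEST:
        return guest                # option 3: anonymous access only
    # Option 1: allocate a domain-qualified account that cannot collide with an
    # existing local user (the "domain_user" naming scheme is an assumption here).
    name = f"{domain.lower()}_{user}"
    passwd.add(name)
    return name

def exposed_local_users(domain, passwd=LOCAL_PASSWD, explicit=EXPLICIT_MAP):
    """Audit helper: local accounts a same-named user in `domain` would obtain under option 4."""
    return sorted(u for u in passwd if (domain, u) not in explicit)
```

Running `exposed_local_users` per trusted domain is the check an admin would want before leaving option 4 enabled: every name it lists is reachable by whoever can create accounts in that domain.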

