NT user authentication

Andrej Borsenkow borsenkow.msk at sni.de
Mon Dec 7 11:37:02 GMT 1998

> >
> > 1. NT WS user != NT Domain user even if the name is the same.
> true, they are in different SAM databases.
> > Why you deny it to SAMBA?
> deny what?  sorry, your question is ambiguous.

I am sorry, my English sometimes slips me ...

Adding _existing_ NT workstation to _existing_ NT domain does not
automagically promote _existing_ NT workstation users to NT domain users.
Not even if no user with the same name exists in NT domain. And this
(promoting) is exactly what current SAMBA does.

And think about pure technical difficulties. Domain user belongs to some
domain group(s). And if user names are the same in NT domain and on Unix,
and even if they mean the same user (mostly they do) I bet there is no group
"Domain users" or any other NT group on Unix. You have to set them up first
... that is, you need to set up quite a bit anyway ... then why not set up users
at the same time?

Adding Unix to NT domain may require quite complex setup. And it is my firm
feeling, that everything should be done explicitly. There is no place for
defaults. If you cannot decide what credentials a given user gets on Unix -
be on the safe side and deny any connection.

In other words - either Domain (_any_ Domain) user is explicitly mapped to
Unix - or it is denied access.
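
The default-deny rule argued for in the message above, sketched as an added example (not part of the original post and not Samba code). The mapping-file syntax, the account names, and the functions `parse_map` and `resolve` are all hypothetical.

```python
# Added illustration: explicit, default-deny mapping of NT accounts to Unix
# accounts. The file syntax is hypothetical, not Samba's own format.

class AccessDenied(Exception):
    """Raised when an NT account has no explicit Unix mapping."""

# Constructed sample mapping. The same user name under two different
# authorities (a domain and a workstation's local SAM) is two accounts.
SAMPLE_MAP = r"""
# NT account          = Unix account
ENGINEERING\alice     = alice
WS17\alice            = guest17
ENGINEERING\bob       = rbrown
"""

def parse_map(text):
    """Parse 'AUTHORITY\\user = unixuser' lines into a lookup table."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        nt, sep, unix = (p.strip() for p in line.partition("="))
        authority, bs, user = nt.partition("\\")
        if not (sep and bs and authority and user and unix):
            raise ValueError(f"line {lineno}: expected AUTHORITY\\user = unixuser")
        key = (authority.upper(), user.lower())  # NT names compare case-insensitively
        if key in table:
            # An ambiguous file is rejected rather than resolved by a default.
            raise ValueError(f"line {lineno}: duplicate entry for {nt}")
        table[key] = unix
    return table

def resolve(table, authority, user):
    """Return the mapped Unix account, or deny. There is no fallback to a
    Unix account that merely has the same name."""
    try:
        return table[(authority.upper(), user.lower())]
    except KeyError:
        raise AccessDenied(f"{authority}\\{user} has no explicit Unix mapping") from None
```
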

