NT user authentication
samba at aquasoft.com.au
Mon Dec 7 12:12:20 GMT 1998
I agree with Andrej's assertion. Any other method will buy us potential
compromise of NT Domain security. Please consider his point carefully.
John H Terpstra
On Mon, 7 Dec 1998, Andrej Borsenkow wrote:
> > >
> > > 1. NT WS user != NT Domain user even if the name is the same.
> > true, they are in different SAM databases.
> > > Why you deny it to SAMBA?
> > deny what? sorry, your question is ambiguous.
> I am sorry, my English sometimes slips me ...
> Adding _existing_ NT workstation to _existing_ NT domain does not
> automagically promote _existing_ NT workstation users to NT domain users.
> Not even if no user with the same name exists in NT domain. And this
> (promoting) is exactly what current SAMBA does.
> And think about pure technical difficulties. Domain user belongs to some
> domain group(s). And if user names are the same in NT domain and on Unix,
> and even if they mean the same user (mostly they do) I bet there is no group
> "Domain users" on any other NT group on Unix. You have to setup them first
> .. that is, you need setup quite a bit anyway ... then why not setup users
> at the same time?
> Adding Unix to NT domain may require quite complex setup. And it is my firm
> feeling, that everything should be done explicitly. There is no place for
> defaults. If you cannot decide what credentials a given user gets on Unix -
> be on safe side and deny any connection.
> In other words - either Domain (_any_ Domain) user is explicitly mapped to
> Unix - or it is denied access.
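
The explicit-map-or-deny rule argued for in the quoted message, next to the name-match "promotion" it objects to, as an added example that is not part of the original thread and is not Samba code. The map format, the account and domain names, and the function names are all hypothetical.

```python
# Constructed sample data: Unix accounts on the host and an explicit map.
UNIX_ACCOUNTS = {"alice", "bob", "root"}
MAP_TEXT = r"""
# DOMAIN\ntuser = unixuser   (hypothetical format)
CORP\alice = alice
CORP\Administrator = ntadmin
"""

def parse_map(text):
    """Parse 'DOMAIN\\user = unixuser' lines; reject malformed or duplicate entries."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        left, sep, unix = (p.strip() for p in line.partition("="))
        domain, slash, user = left.partition("\\")
        if not (sep and slash and domain and user and unix):
            raise ValueError(f"line {lineno}: malformed entry")
        key = (domain.upper(), user.lower())  # NT names compare case-insensitively
        if key in mapping:
            raise ValueError(f"line {lineno}: duplicate entry")
        mapping[key] = unix
    return mapping

def implicit_lookup(domain, user):
    """Name-match promotion: any authority's user with a matching Unix name gets in."""
    return user if user in UNIX_ACCOUNTS else None

def explicit_lookup(mapping, domain, user):
    """Return the mapped Unix account, or None (deny) when nothing is mapped."""
    unix = mapping.get((domain.upper(), user.lower()))
    # An entry that points at a missing Unix account is also a deny.
    return unix if unix in UNIX_ACCOUNTS else None

MAPPING = parse_map(MAP_TEXT)

if __name__ == "__main__":
    cases = [("CORP", "alice"), ("WS1", "alice"),
             ("CORP", "root"), ("CORP", "Administrator")]
    for domain, user in cases:
        print(f"{domain}\\{user}: implicit={implicit_lookup(domain, user)} "
              f"explicit={explicit_lookup(MAPPING, domain, user)}")
```
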