Password Server Functionality Questions
Jesse A. Adams
adamsje at ENGR.ORST.EDU
Tue Nov 10 23:36:29 GMT 1998
Our massively successful samba (18p10) box houses the bulk of our NT
domain files, including profiles and domain-wide shares. I'm basically
a straight NT guy, with little grasp on unix, and am having a hard time
swallowing the password server option from an NT perspective. We do
have the password server option pointing to our PDC.
From smb.conf(5) docs: "By specifying the name of another SMB server
(such as a WinNT box) with this option, and using "security = server"
you can get Samba to do all its username/password validation via a
remote server." It is my understanding that our samba server is going
through a password authentication process the first time a user maps a
samba share (this was confirmed through audited logon/off events). As
in, a user maps a samba share, samba asks for a username and password,
and sends it off to the "password server" for authentication. When the
"password server" says the user is golden, the samba server allows the
share to be mapped and all's finished.
Mark Minasi, on page 61 of "Mastering Windows NT Server 4, 4th ed.,"
goes through a straight NT-to-NT handshaking process. The PDC (or BDC)
gives you a security access token (SAT) identifying your credentials
when you authenticate and login. Every time you connect to an NT share,
the SAT (not username/password) is sent to the share and referenced
against the share's approved users.
We also keep our users' roaming profiles on our samba file server. The
above mentioned difference is enough, I believe, to cause a bit of lag
when logging in. The PDC is, in effect, authenticating a user twice
(once to get to the desktop normally, and again from the samba side).
Not to get way out of hand, but if the detect slow network's
slowlinktimeout value is set to its default of 2000, a user logging in
sees "A slow network has been detected" (this message doesn't show up if
the slowlinktimeout value is around 9000). Also, even with the
slowlinktimeout value at 2000, if the samba version is 17p2 we don't get
this message, or lag, while at 18p10 we do. According to MS' white
papers on "Profiles & Policies," "To detect a slow network, the
operating system computes the amount of time it takes to receive a
response from the server." Since profiles live on the samba server, it
is my belief the double-authentication, back to back at login, is
causing enough of a bump for NT to think (in only this case) it is
dealing with a slow network.
Hopefully someone has some insight into all of this. I've gone through
all the diffs between 17p2 and 18p10 with little success, and can only
think this issue arose out of undocumented or insubstantial changes made
between the two versions.
Unc. Jess Adams
adamsje at engr.orst.edu
The Golden Rule to Arts & Sciences:
Whoever has the gold, makes the rules.
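One way to spot the pass-through setup discussed above in an smb.conf, as an added example that is not from the original post or from Samba itself (the sample file, the PDC name NTPDC and the helper names are constructed):

```python
"""Flag "security = server" pass-through authentication in an smb.conf.

Added example with a constructed sample file; NTPDC is an assumed PDC name.
"""
import configparser

# Constructed smb.conf mirroring the post: profiles served by Samba,
# logons validated by a remote NT PDC via "password server".
SAMPLE_SMB_CONF = """\
[global]
workgroup = ENGR
security = server        ; validate logons on a remote SMB server
password server = NTPDC  # assumed PDC name, not from the post
encrypt passwords = yes

[profiles]
path = /home/profiles
writeable = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}, keys lower-cased."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False,
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";", "#"))
    cp.optionxform = lambda k: " ".join(k.lower().split())  # "Password Server" -> "password server"
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_pass_through(conf):
    """Return findings describing how share logons will be validated."""
    g = conf.get("global", {})
    security = g.get("security", "user").lower()
    pw_server = g.get("password server", "").strip()
    findings = []
    if security == "server":
        if not pw_server:
            findings.append("security = server but no password server set: "
                            "remote validation cannot work")
        else:
            # The post's observation: the PDC validates the user once at
            # desktop logon and again when Samba forwards the share logon.
            findings.append(f"pass-through: each new SMB session is validated "
                            f"against {pw_server}; expect a second logon audit "
                            f"event on that server for every user")
            if "profiles" in conf:
                findings.append("roaming profiles live here, so the extra "
                                "validation happens during desktop logon")
    return findings
```

Later Samba releases deprecated and then removed `security = server` in favour of joining the domain, so this check is mainly useful when auditing legacy configurations.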