security = domain & security = user mixing.... Is it possible?

Andy Bakun abakun at reac.com
Wed Apr 28 22:01:06 GMT 1999


I had a similar setup when I converted our network over from an NT PDC to a
samba PDC.

You need to use netbios aliases.  Say your machine is named SAMBA. Put the
following in the smb.conf file:

  netbios aliases = DOMMEMBER

Then, create two configuration files, one named smb.conf.SAMBA and one named
smb.conf.DOMMEMBER

In smb.conf.SAMBA, put your

  security = user

line and any other lines related to security = user (like the path to
smbpasswd, etc).

In smb.conf.DOMMEMBER, put

  security = domain

and other parameters related to security = domain, like password server =,
etc.

The people who access the machine as \\DOMMEMBER from their workstations will
be authed via the password server, and those who access it via \\SAMBA will be
authed against the smbpasswd file.  Ideally, all the share definitions will be
shared between both "virtual servers", so no matter if the users access it as
\\SAMBA or as \\DOMMEMBER, they should see the same shares.

You'll still need to create accounts on the samba machine for those security =
server accounts (or you can use the user name map file to map them all to a
common account, I guess, but I never tried this).

Rolando Berrios wrote:

> Hey all,
>
> I've read through the documentation and (unless I'm an idiot) I can't find
> a resolution to this problem.  I'm trying to move from a workstation-style
> setting, using pretty much only NT desktop machines, to an NT domain-style
> network.
>
> The problem is that we have a few people who won't be joining the domain
> and will need to access the SAMBA shared (file/print) server that is
> running in the security = domain setting.  After wondering to myself why
> the users weren't able to log onto the Linux box running SAMBA, I tried
> looking at the log files and I got this:
>
> ....[snip]
> [1999/04/28 17:11:33, 0] rpc_client/cli_netlogon.c:cli_net_sam_logon(371)
>   cli_net_sam_logon: NT_STATUS_NO_SUCH_USER
> [1999/04/28 17:11:33, 0] smbd/password.c:domain_client_validate(1365)
>   domain_client_validate: unable to validate password for user rberrios in
> domain NT-TESTDOMAIN to Domain controller TESTDOMAINCONTROLLER. Error was
> NT_STATUS_NO_SUCH_USER.
> ....[snip]
>
> After that it attempted to find the user on the SAMBA server in the
> smb_passwd file, of which there was no such user.
>
> When I try to connect to an NT server that's part of the domain and the
> account I'm using is not a domain account, but a local one, I don't run
> into any errors - I simply have to enter the domain account username and
> password pair and I'm in.
>
> Is this functionality not supported?  Or are there some configuration
> options that I've screwed up?
>
> Any help would be very much appreciated.
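
The layout described in the reply, written out as an added example (not part of the original message). The file paths, the [shared] share and the `include = /etc/smb.conf.%L` line are assumptions: the message does not say how the per-name files get loaded, and `%L` (the NetBIOS name the client connected to) is the usual way to do it. The domain and controller names are taken from the quoted log; check that the file name suffixes match the case your Samba version expands `%L` to.

```ini
# ---- /etc/smb.conf (main file, read for every connection) ----
[global]
   netbios name = SAMBA
   netbios aliases = DOMMEMBER
   workgroup = NT-TESTDOMAIN
   encrypt passwords = yes
# Load the per-name settings: %L becomes SAMBA or DOMMEMBER depending on
# which name the client used to reach this machine.
   include = /etc/smb.conf.%L

# Shares stay in the main file so both "virtual servers" expose the same ones.
# Constructed sample share.
[shared]
   path = /srv/shared
   read only = no

# ---- /etc/smb.conf.SAMBA (clients connecting to \\SAMBA) ----
[global]
   security = user
   smb passwd file = /etc/smbpasswd

# ---- /etc/smb.conf.DOMMEMBER (clients connecting to \\DOMMEMBER) ----
[global]
   security = domain
   password server = TESTDOMAINCONTROLLER
```

Because the share definitions are common to both names, access control on each share (valid users, write list) applies regardless of which authentication path admitted the user, so it is worth reviewing those lists with both account sources in mind.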


