security = domain & security = user mixing.... Is it possible?

Rolando Berrios rolando at sensenet.com
Wed Apr 28 23:19:44 GMT 1999


It sounds like that'll work, and I appreciate the advice - I haven't had a
chance to test it, but shouldn't SAMBA validate the users correctly?  It
seems like the DOMAIN that isn't being validated on the SAMBA server is
the DOMAIN I'm logging in as, in this case the local hostname.  When I try
with an NT machine, I'm validated fine, and I get the correct shares as
well.  Is this a deficiency in SAMBA?


On Thu, 29 Apr 1999, Andy Bakun wrote:

> Date: Thu, 29 Apr 1999 08:23:32 +1000
> From: Andy Bakun <abakun at reac.com>
> To: Multiple recipients of list <samba-ntdom at samba.org>
> Subject: Re: security = domain & security = user mixing.... Is it possible?
> 
> I had a similar setup when I converted our network over from an NT PDC to a
> samba PDC.
> 
> You need to use netbios aliases.  Say your machine is named SAMBA. Put the
> following in the smb.conf file:
> 
>   netbios aliases = DOMMEMBER
> 
> Then, create two configuration files, one named smb.conf.SAMBA and one named
> smb.conf.DOMMEMBER
> 
> In smb.conf.SAMBA, put your
> 
>   security = user
> 
> line and any other lines related to security = user (like the path to
> smbpasswd, etc).
> In smb.conf.DOMMEMBER, put
> 
>   security = domain
> 
> and other parameters related to security = domain, like password server =,
> etc.
> 
> The people who access the machine as \\DOMMEMBER from their workstations will
> be authed via the password server, and those who access it via \\SAMBA will be
> authed against the smbpasswd file.  Ideally, all the share definitions will be
> shared between both "virtual servers", so no matter if the users access it as
> \\SAMBA or as \\DOMMEMBER, they should see the same shares.
> 
> You'll still need to create accounts on the samba machine for those security =
> server accounts, or you can use the user name map file to map them all to a
> common account, I guess (but I never tried this).
> 
> Rolando Berrios wrote:
> 
> > Hey all,
> >
> > I've read through the documentation and (unless I'm an idiot) I can't find
> > a resolution to this problem.  I'm trying to move from a workstation style
> > setting, using pretty much only NT desktop machines, to an NT domain style
> > network.
> >
> > The problem is that we have a few people who won't be joining the domain
> > and will need to access the SAMBA shared (file/print) server that is
> > running in the security = domain setting.  After wondering to myself why
> > the users weren't able to log onto the Linux box running SAMBA, I tried
> > looking at the log files and I got this:
> >
> > ....[snip]
> > [1999/04/28 17:11:33, 0] rpc_client/cli_netlogon.c:cli_net_sam_logon(371)
> >   cli_net_sam_logon: NT_STATUS_NO_SUCH_USER
> > [1999/04/28 17:11:33, 0] smbd/password.c:domain_client_validate(1365)
> >   domain_client_validate: unable to validate password for user rberrios in
> > domain NT-TESTDOMAIN to Domain controller TESTDOMAINCONTROLLER. Error was
> > NT_STATUS_NO_SUCH_USER.
> > ....[snip]
> >
> > After that it attempted to find the user on the SAMBA server in the
> > smb_passwd file, of which there was no such user.
> >
> > When I try to connect to an NT server that's part of the domain and the
> > account I'm using is not a domain account, but a local one, I don't run
> > into any errors - I simply have to enter the domain account username and
> > password pair and I'm in.
> >
> > Is this functionality not supported?  Or are there some configuration
> > options that I've screwed up?
> >
> > Any help would be very much appreciated.
> 
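
Added example, not part of the original thread and not Samba code: a Python script that parses smbd log entries in the layout quoted above and lists the users the domain controller rejected with NT_STATUS_NO_SUCH_USER. Those are the accounts that would fall back to the local smbpasswd lookup. The sample log is constructed from the quoted excerpt; the jdoe entry, the function names and the regexes are assumptions of this example.

```python
import re

# Constructed sample in the layout of the log excerpt quoted in the thread;
# the jdoe entry and its status are made up for contrast.
SAMPLE_LOG = """\
[1999/04/28 17:11:33, 0] rpc_client/cli_netlogon.c:cli_net_sam_logon(371)
  cli_net_sam_logon: NT_STATUS_NO_SUCH_USER
[1999/04/28 17:11:33, 0] smbd/password.c:domain_client_validate(1365)
  domain_client_validate: unable to validate password for user rberrios in
  domain NT-TESTDOMAIN to Domain controller TESTDOMAINCONTROLLER. Error was
  NT_STATUS_NO_SUCH_USER.
[1999/04/28 17:12:02, 0] smbd/password.c:domain_client_validate(1365)
  domain_client_validate: unable to validate password for user jdoe in
  domain NT-TESTDOMAIN to Domain controller TESTDOMAINCONTROLLER. Error was
  NT_STATUS_WRONG_PASSWORD.
"""

HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+:(\w+)\(\d+\)\s*$")
FAILURE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+) "
    r"to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)")

def entries(text):
    """Yield (timestamp, function, message), folding wrapped lines into one string."""
    head, body = None, []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if head:
                yield (*head, " ".join(body))
            head, body = m.groups(), []
        elif head and raw.strip():
            body.append(raw.strip())
    if head:
        yield (*head, " ".join(body))

def domain_failures(text):
    """One dict per failed domain_client_validate call."""
    out = []
    for ts, func, msg in entries(text):
        m = FAILURE.search(msg) if func == "domain_client_validate" else None
        if m:
            out.append({"time": ts, **m.groupdict()})
    return out

def unknown_to_domain(text):
    """Users the domain controller reported as nonexistent (NT_STATUS_NO_SUCH_USER)."""
    return sorted({f["user"] for f in domain_failures(text)
                   if f["status"] == "NT_STATUS_NO_SUCH_USER"})
```

Separating NT_STATUS_NO_SUCH_USER from other statuses keeps accounts that are simply absent from the domain apart from domain accounts that failed for another reason, such as a bad password.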


