security = domain & security = user mixing.... Is it possible?

Nardus Geldenhuys ngeldenhuys at rmbam.co.za
Thu Apr 29 08:49:34 GMT 1999


Hi Andy

Got the same problem as Roland. I have an NT PDC and we want to use my
samba server as the file server. It works fine, until you want to
connect a person that is not of the NT domain :( 

I tried your idea. It seems that the samba server uses the DOMAIN
security every time.
It looks like it will work. What does your main smb.conf file look like?
I think my problem might lie there. What kind of "security= ???" do you
use in the main smb.conf file, or does it matter?

Thanks a million

Nardus Geldenhuys
South Africa

Andy Bakun wrote:
> 
> I had a similar setup when I converted our network over from an NT PDC to a
> samba PDC.
> 
> You need to use netbios aliases.  Say your machine is named SAMBA. Put the
> following in the smb.conf file:
> 
>   netbios aliases = DOMMEMBER
> 
> Then, create two configuration files, one named smb.conf.SAMBA and one named
> smb.conf.DOMMEMBER
> 
> In smb.conf.SAMBA, put your
> 
>   security = user
> 
> line and any other lines related to security = user (like the path to
> smbpasswd, etc).
> In smb.conf.DOMMEMBER, put
> 
>   security = domain
> 
> and other parameters related to security = domain, like password server =,
> etc.
> 
> The people who access the machine as \\DOMMEMBER from their workstations will
> be authed via the password server, and those who access it via \\SAMBA will be
> authed against the smbpasswd file.  Ideally, all the share definitions will be
> shared between both "virtual servers", so no matter if the users access it as
> \\SAMBA or as \\DOMMEMBER, they should see the same shares.
> 
> You'll still need to create accounts on the samba machine for those security =
> server accounts (or you can use the user name map file to map them all to a
> common account, I guess, but I never tried this).
> 
> Rolando Berrios wrote:
> 
> > Hey all,
> >
> > I've read through the documentation and (unless I'm an idiot) I can't find
> > a resolution to this problem.  I'm trying to move from a workstation style
> > setting, using pretty much only NT desktop machines, to a NT domain style
> > network.
> >
> > The problem is that we have a few people who won't be joining the domain
> > and will need to access the SAMBA shared (file/print) server that is
> > running in the security = domain setting.  After wondering to myself why
> > the users weren't able to log onto the Linux box running SAMBA, I tried
> > looking at the log files and I got this:
> >
> > ....[snip]
> > [1999/04/28 17:11:33, 0] rpc_client/cli_netlogon.c:cli_net_sam_logon(371)
> >   cli_net_sam_logon: NT_STATUS_NO_SUCH_USER
> > [1999/04/28 17:11:33, 0] smbd/password.c:domain_client_validate(1365)
> >   domain_client_validate: unable to validate password for user rberrios in
> > domain NT-TESTDOMAIN to Domain controller TESTDOMAINCONTROLLER. Error was
> > NT_STATUS_NO_SUCH_USER.
> > ....[snip]
> >
> > After that it attempted to find the user on the SAMBA server in the
> > smb_passwd file, of which there was no such user.
> >
> > When I try to connect to an NT server that's part of the domain and the
> > account I'm using is not a domain account, but a local one, I don't run
> > into any errors - I simply have to enter the domain account username and
> > password pair and I'm in.
> >
> > Is this functionality not supported?  Or are there some configuration
> > options that I've screwed up?
> >
> > Any help would be very much appreciated.
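
The layout Andy describes, written out as configuration. This is an added example, not part of the original thread. It assumes the per-name files are pulled in from the main file with an `include` line using the `%L` substitution (the NetBIOS name the client connected to), which the thread itself does not show; the file paths and the `[shared]` share are hypothetical, and the domain and controller names are the ones from the log excerpt above.

```ini
; ---- /etc/smb.conf (main file, read for every connection) ----
[global]
   netbios name = SAMBA
   netbios aliases = DOMMEMBER
   ; %L expands to the NetBIOS name the client called, so each
   ; "virtual server" gets its own authentication settings.
   ; The file-name suffix must match the expansion of %L exactly.
   include = /etc/smb.conf.%L

; Share definitions stay in the main file so both names see the same shares.
[shared]
   ; hypothetical share
   path = /srv/shared
   read only = no

; ---- /etc/smb.conf.SAMBA (clients connecting to \\SAMBA) ----
[global]
   ; Authenticate against the local smbpasswd file.
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd

; ---- /etc/smb.conf.DOMMEMBER (clients connecting to \\DOMMEMBER) ----
[global]
   ; Pass authentication to the NT domain controller.
   workgroup = NT-TESTDOMAIN
   security = domain
   encrypt passwords = yes
   password server = TESTDOMAINCONTROLLER
```

If the `include` line is missing or the suffix does not match, only the main file's settings apply, so every connection is authenticated the same way regardless of the name used.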
