security = domain & security = user mixing.... Is it possible?

[Andy Bakun]

Nardus Geldenhuys wrote:

> Hi Andy
>
> Got the same problem as Roland. I have an NT PDC and we want to use my
> samba server as the file server. It works fine, until you want to
> connect a person that is not of the NT domain :(
>
> I tried your idea. It seems that the samba server uses the DOMAIN
> security every time.
> It looks like it will work. How does your main smb.conf file look like ?
> I think my problem might lay there. What kind of "security= ???" do you
> use in the main smb.conf file or does it matter.

I don't use this setup anymore, because I was using it during the migration stage
from an NT PDC to a samba PDC.  My setup actually included an NT PDC for the domain
REAC, and my samba PDC was in the domain REACNET.  People would open up network
neighorhood and see two entries (in different domains/workgroups) for the same
machine).  The client machines that I had moved over to the REACNET domain would use
the samba PDC -- for political reasons, I couldn't move all machines from the REAC
domain to the REACNET domain immediately, and had to do it over a number of weeks.

Anyway, this was my conf file setup (I'm on Redhat, so my paths may be different
than yours).  These aren't exact, I've edited them for brevity and removed the
options that didn't have to do with the focus here.  DO NOT USE THESE FILES EXACTLY
-- they most likely won't work.

--------- /etc/smb.conf file starts here ---------
[global]
        message command = rm %s
        log file = /var/log/samba/samba-%L.%m

; performance options
        read size = 32768
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        deadtime = 180

; networking options
        remote announce = 192.168.1.3/REAC

        netbios name = JUPITER
        netbios aliases = URANUS

        include = /etc/smb.conf.%L
--------- /etc/smb.conf file ends here ---------
Any other GLOBAL parameters, that you want shared between the two virtual file
servers should be in here also.  Stick some share definitions in there if you want.
That 'remote announce' option was important... it made sure that both virtual
servers (jupiter and uranus) showed up in network neighborhood of the machines that
were in the REAC domain.
Now, in this setup, JUPITER is the PDC of REACNET (security = user), and URANUS is
the domain member of REAC (security = server).  Note the last line, which includes a
conf file dependant on the name that the client accessed smbd as.  There are two
other conf files:

--------- /etc/smb.conf.uranus file starts here ---------
        security = server
        password server = mercury.reac.com
        username map = /etc/smb.usermap
        workgroup = REAC
        encrypt passwords = yes

# other share definitions follow
--------- /etc/smb.conf.uranus file ends here ---------
mercury.reac.com was the NT PDC for the REAC domain.  username map is important if
you don't have accounts for everyone (yet or otherwise) on your samba server!  I
believe the format or existance of the 'username map' parameter may have changed
since the samba-2.0prealpha days so you may want to check the documentation on that
one.

--------- /etc/smb.conf.jupiter file starts here ---------
        security = user
        domain admin group = domadmin
        wins support = yes
        os level = 45
        workgroup = REACNET
        domain logons = yes
        logon script = scripts/logon.bat
        logon path = \\%N\profile\%U\NTprofile
        logon drive = h:
        encrypt passwords = yes
        null passwords = yes
--------- /etc/smb.conf.jupiter file ends here ---------
Here, I've put the parameters that have to do with being a samba PDC.  Your milage
may vary.

My requirements were a little different than what you want, but this should still
work anyway for you.

Once I had put client machines into the REACNET domain, users of those machines
could still access \\mercury by using their "username and password from the old
network" (users seemed to understand that :) ).  The client machines that were still
part of the NT controlled REAC domain needed to get to the files on the new samba
server, so they would open up \\uranus, and it wouldn't prompt for a password
(because the virtual samba server uranus is using server security).  Users in the
REACNET domain would access the same files on uranus with \\jupiter.  If they used
\\uranus, they would have been prompted for the username and password for the NT
REAC domain.  I'm having trouble explaining this, actually.

I think your problem, Nardus, may be that you had a 'security=' line in the smb.conf
file, not just in the both the smb.conf.xxxxx files.

> Thanks a million

Hope this helps.

Andy.