security = DOMAIN??

Matthias Wächter matthias at
Tue May 25 15:31:45 GMT 1999

On Tue, 25 May 1999, Jae Chi wrote:

> I actually don't have a PASSWORDSERVER set up. I had
> %m. But that didn't make any difference. And I
> remember reading that says I shouldn't have the samba
> server as the password server because it would cause
> the system to go into infinite loop or something. What
> should it be set to?
> I downloaded the code from the CVS tree last Friday.


Read the FAQ and/or the help file about "security=", especially

If you want to have a PDC you mustn't use "security=DOMAIN". This setting
would authenticate using _another_ server, and in difference to
"security=SERVER", to another PDC. So: If you setup "security=DOMAIN" and
"%m" as the password server, Samba tries to validate a login by calling
itself. This way, it tries to validate using itself and since in this case
it should call itself, it goes into a loop never returning from that.
Using "security=DOMAIN" disables any local user authentification!!!

Simply spoken: Don't ever use "security=DOMAIN" unless you want to
authenticate by another PDC actually capable of doing the authentication
by itself.

If you just want to set up a standalone PDC server (f.e. as a replacement
or an equivalent to a Windows NT PDC), set up "security=USER". Neither
"SERVER" nor "DOMAIN" is correct and both of them will produce a lot of
problems (and unclear log file entries).

To all the others: Again, let me ask for a redesign of the "security="
setting, please!

User authentication=Local/OtherServer/OtherDomainController

Sehr Wus,
- Matthias

Bunt ist das Dasein und granatenstark. Und: Volle Kanne, Hoschis!
                         aus: "Bill und Teds verrückte Reise durch die Zeit"

More information about the samba-ntdom mailing list