Samba as Domain Controller

Richard Sharpe sharpe at ns.aus.com
Fri Mar 2 19:08:47 GMT 2001


Hi,

I thought it might be useful to clarify the issues around all this, as
there seems to be some confusion.

One can say that it started with IBM, when they developed the SMB protocol.

A part of the SMB protocol involves connecting to shares, and when you
connect to a share, you can submit a password for that share.  This
functionality was in the SMB protocol when IBM developed it.  This is
handled by the TCON and TCONX SMBs.

Later, the ability to submit a username and password was added to the
protocol. This allows you to authenticate as a user on a particular server.
You can have a different username and password on each server, but this is
not needed when you connect to machines like Win9X for sharing, as they do
not have a user database.  You would only authenticate in this way against
a multi-user machine with a database. This is handled by a SESSIONSETUPX
request.  This has been around for a long time as well.

Over time, it was perceived that this was too difficult, so MS and others
developed the concept of domain controllers, and centralized all those
databases.  These domain controllers allow you to do a NetWkstaLogon
request to logon to the domain. It does not do much more than check when
the user is allowed to log on and return info like the home share, since
the actual authentication is done via a SESSIONSETUPX prior to the
NetWkstaLogon request being sent.  Once the user has logged on to the
domain, they still authenticate against other servers in the domain when
they connect to those servers, but the servers may do pass-thru
authentication.  This is essentially the form of logon that Win9X systems do.

However, over time, this too was perceived to have problems, esp with
security issues, so MS developed NT Domain Controllers, which use MSRPC
(encrypted RPCs) to handle the logon process, which can now return more
info etc.

Samba has been able to handle WfW/Win9X style domains for a long time.

Samba 2.2.0CVS now handles NT-style domains fairly well as well.


Regards
-------
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.ethereal.com)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
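
The difference between a share password sent in TCON/TCONX and a user logon sent in SESSIONSETUPX, described in the message above, can be seen in the order of SMB requests on a connection. The following is an added example, not part of the original message or of Samba's code: it parses the 32-byte SMB1 header and labels each tree connect. The ordering rule, the function names and the sample frames are assumptions made for the illustration.

```python
import struct

# SMB1 command codes for the requests named in the message.
COMMANDS = {0x70: "TCON", 0x73: "SESSIONSETUPX", 0x75: "TCONX"}
SMB_FLAGS_REPLY = 0x80  # set in Flags on server responses
# 32-byte SMB1 header: magic, command, status, flags, flags2, pid_high,
# signature, reserved, tid, pid, uid, mid (little-endian).
HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_header(frame):
    """Return (command_name, is_reply, uid) for one SMB1 message."""
    if len(frame) < HEADER.size:
        raise ValueError("truncated SMB header")
    magic, cmd, _st, flags, _f2, _ph, _sig, _rsv, _tid, _pid, uid, _mid = \
        HEADER.unpack_from(frame)
    if magic != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return COMMANDS.get(cmd, hex(cmd)), bool(flags & SMB_FLAGS_REPLY), uid


def classify_tree_connects(frames):
    """Label each tree-connect request by the logon model it implies.

    Simplified heuristic (an assumption of this example): a TCON/TCONX with
    no earlier SESSIONSETUPX request on the connection is share-level.
    """
    session_seen = False
    results = []
    for frame in frames:
        name, is_reply, uid = parse_header(frame)
        if is_reply:
            continue  # only client requests decide the model
        if name == "SESSIONSETUPX":
            session_seen = True
        elif name in ("TCON", "TCONX"):
            model = "user-level" if session_seen else "share-level"
            results.append((name, model, uid))
    return results


def make_header(cmd, reply=False, uid=0):
    """Build a constructed header-only SMB1 message for the demo."""
    flags = SMB_FLAGS_REPLY if reply else 0
    return HEADER.pack(b"\xffSMB", cmd, 0, flags, 0, 0, b"\0" * 8, 0, 0, 1, uid, 1)


# Constructed sample traffic, not a real capture.
WIN9X_STYLE = [make_header(0x70), make_header(0x70, reply=True)]
USER_STYLE = [make_header(0x73), make_header(0x73, reply=True, uid=100),
              make_header(0x75, uid=100)]
```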





