Samba as Domain Controller
Greg J. Zartman
greg at kwikfind.com
Fri Mar 2 23:12:59 GMT 2001
Well, now that I have the attention of the development team, I might as well
ask a question. :o)
Is it possible to change a user's password, on a Samba PDC setup, from the
client workstation (say win2k)? So, the user presses CTRL-ALT-DEL on the
client machine and selects change password? When I try this I get a really
strange error "1783: The stub received bad data".
Is this a password sync issue? That's what people have been telling me, but
I was under the impression that password sync was the operation of updating
the passwd file with changes in the smbpasswd file.
----- Original Message -----
From: "Richard Sharpe" <sharpe at ns.aus.com>
To: "Kristyan Osborne" <kris.ozzy at lineone.net>; "Craig Kelley"
<ink at inconnu.isu.edu>
Cc: "samba" <samba-ntdom at us4.samba.org>
Sent: Friday, March 02, 2001 11:08 AM
Subject: Re: RE: Samba as Domain Controller
> I thought it might be useful to clarify the issues around all this, as
> there seems to be some confusion.
> One can say that it started with IBM, when they developed the SMB
> A part of the SMB protocol involves connecting to shares, and when you
> connect to a share, you can submit a password for that share. This
> functionality was in the SMB protocol when IBM developed it. This is
> handled by the TCON and TCONX SMBs.
> Later, the ability to submit a username and password was added to the
> protocol. This allows you to authenticate as a user on a particular
> You can have a different username and password on each server, but this is
> not needed when you connect to machines like Win9X for sharing, as they do
> not have a user database. You would only authenticate in this way
> a multi-user machine with a database. This is handled by a SESSIONSETUPX
> request. This has been around for a long time as well.
> Over time, it was perceived that this was too difficult, so MS and others
> developed the concept of domain controllers, and centralized all those
> databases. These domain controllers allow you to do a NetWkstaLogon
> request to logon to the domain. It does not do much more than check when
> the user is allowed to log on and return info like the home share, since
> the actual authentication is done via a SESSIONSETUPX prior to the
> NetWkstaLogon request being sent. Once the user has logged on to the
> domain, they still authenticate against other servers in the domain when
> they connect to those servers, but the servers may do pass-thru
> authentication. This is essentially the form of logon that Win9X systems
> However, over time, this too was perceived to have problems, esp with
> security issues, so MS developed NT Domain Controllers, which use MSRPC
> (encrypted RPCs) to handle the logon process, which can now return more
> info etc.
> Samba has been able to handle WfW/Win9X style domains for a long time.
> Samba 2.2.0CVS now handles NT-style domains fairly well as well.
> Richard Sharpe, sharpe at ns.aus.com
> Samba (Team member, www.samba.org), Ethereal (Team member,
> Contributing author, SAMS Teach Yourself Samba in 24 Hours
> Author, Special Edition, Using Samba