Samba as Domain Controller

George Cameron g.cameron at
Sat Mar 3 12:36:01 GMT 2001

A question (which may perhaps demonstrate that I don't understand the details
well enough or haven't been listening carefully enough ;-):

Is it possible to restrict access to shares on a Samba server to that only
clients which have performed a 'domain logon' (either Win9X style or the proper
NT style) can gain access - i.e. to refuse access to clients which have simply
been configured to be a member of the workgroup without an explicit logon?


Richard Sharpe wrote:

> Hi,
> I thought it might be useful to clarify the issues around all this, as
> there seems to be some confusion.
> One can say that it started with IBM, when they developed the SMB protocol.
> A part of the SMB protocol involves connecting to shares, and when you
> connect to a share, you can submit a password for that share.  This
> functionality was in the SMB protocol when IBM developed it.  This is
> handled by the TCON and TCONX SMBs.
> Later, the ability to submit a username and password was added to the
> protocol. This allows you to authenticate as a user on a particular server.
> You can have a different username and password on each server, but this is
> not needed when you connect to machines like Win9X for sharing, as they do
> not have a user database.  You woould only authenticate in this way against
> a multi-user machine with a database. This is handled by a SESSIONSETUPX
> request.  This has been around for a long time as well.
> Over time, it was perceived that this was too difficult, so MS and others
> developed the concept of domain controllers, and centralized all those
> databases.  These domain controllers allow you to do a NetWkstaLogon
> request to logon to the domain. It does not do much more than check when
> the user is allowed to log on and return info like the home share, since
> the actual authentication is done via a SESSIONSETUPX prior to the
> NetWkstaLogon request being sent.  Once the user has logged on to the
> domain, they still authenticate against other servers in the domain when
> they connect to those servers, but the servers may do pass-thru
> authentication.  This is essentially the form of logon that Win9X systems do.
> However, over time, this too was perceived to have problems, esp with
> security issues, so MS developed NT Domain Controllers, which use MSRPC
> (encrypted RPCs) to handle the logon process, which can now return more
> info etc.
> Samba has been able to handle WfW/Win9X style domains for a long time.
> Samba 2.2.0CVS now handles NT-style domains fairly well as well.
> Regards
> -------
> Richard Sharpe, sharpe at
> Samba (Team member,, Ethereal (Team member,
> Contributing author, SAMS Teach Yourself Samba in 24 Hours
> Author, Special Edition, Using Samba

 George Cameron     g.cameron at
 Dept. BioMedical Physics
 Aberdeen University
 Foresterhill     Fax:       +44 (0)1224-685645
 Aberdeen AB25 2ZD    Telephone: +44 (0)1224-553210
 Scotland, UK

More information about the samba-ntdom mailing list