Security model in samba-2

Luke Kenneth Casson Leighton lkcl at switchboard.net
Mon Sep 7 17:10:16 GMT 1998


On Mon, 7 Sep 1998, Andrej Borsenkow wrote:

> Unfortunately, I cannot access NT domain information now (or am I wrong?) There is no way to say:
> 
> 	valid domains = ...
> 	valid domain groups = DOM1\gr1, DOM2\gr2 ...
> 	valid domain users = DOM1\user1 ...
> 
> or like.

the only work that has been done, so far, is to make samba either a
stand-alone PDC, or to make samba join a single domain.  no inter-domain
trust relationships; no BDCs.
 
> I repeat: in case of SAMBA participating in NT domain, the user name *only* is not enough. It simply does not provide enough authentication in case of trust relationships between domains. It is possible to emulate it, but it means, SAMBA server has to have complete knowledge of all possible domains/users/groups/hosts in any other domain.

[andrej, can you please break up your lines to a max of 70 chars per
line?  when "including" one of your messages, an entire paragraph comes
out as a single line, as demonstrated above.  thanks!]

so, at the moment, the NT "domain" model just doesn't apply.  across all
trusted domains, the user names must be unique.

hm.  what about modifying the "map username =" so that it takes the
format:
\\DOMAIN\ntusername unixusername

luke
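
An added example, not part of the original message and not Samba code: a sketch of how the `\\DOMAIN\ntusername unixusername` map format proposed above could be parsed and resolved, showing why a bare user name is ambiguous across trusted domains. The function names, the sample entries and the case-insensitive matching of NT names are assumptions made for the illustration.

```python
# Added illustration. The map syntax is the one proposed in the message,
# not an implemented Samba option. All entries below are constructed.
SAMPLE_MAP = r"""
# \\DOMAIN\ntusername unixusername
\\DOM1\user1 alice
\\DOM2\user1 bob
\\DOM1\admin root1
"""

def parse_domain_map(text):
    """Return {(DOMAIN, ntuser): unixuser} from the proposed map format."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2 or not fields[0].startswith("\\\\"):
            raise ValueError("line %d: malformed entry" % lineno)
        domain, sep, nt_user = fields[0][2:].partition("\\")
        if not (domain and sep and nt_user):
            raise ValueError("line %d: missing domain or user" % lineno)
        # Assumption: NT domain and user names compare case-insensitively.
        key = (domain.upper(), nt_user.lower())
        if key in mapping:
            # Two targets for one principal would make the mapping ambiguous.
            raise ValueError("line %d: duplicate entry" % lineno)
        mapping[key] = fields[1]
    return mapping

def resolve(mapping, domain, nt_user):
    """Unix account for a domain-qualified NT user, or None if unmapped."""
    return mapping.get((domain.upper(), nt_user.lower()))

def ambiguous_without_domain(mapping):
    """NT user names that map to different unix accounts in different domains."""
    targets = {}
    for (_domain, nt_user), unix_user in mapping.items():
        targets.setdefault(nt_user, set()).add(unix_user)
    return sorted(u for u, t in targets.items() if len(t) > 1)

if __name__ == "__main__":
    m = parse_domain_map(SAMPLE_MAP)
    print(resolve(m, "DOM1", "user1"), resolve(m, "DOM2", "user1"))
    print("ambiguous if domain is dropped:", ambiguous_without_domain(m))
```

An unmapped domain resolves to `None`, so a caller can refuse the connection rather than fall back to the bare user name.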


