domain_client_validate() in smbd/password.c

Ken Weaverling weave at
Wed Feb 17 14:03:05 GMT 1999

What am I missing here please...

In domain_client_validate, it gets passed the domain name of the
client in char *domain. (in rev 2.0.2 at least)

That eventually gets sent to the NT server in cli_nt_login_network().

The problem I see is if the client's domain (workgroup) isn't the same as
the NT servers, it fails with NT_NO_SUCH_USER.

The bottom-line of this is that samba in security=domain will not allow
anyone to authenticate unless their PC is in the same domain as Samba and
the NT password server. PCs in simple workgroups are locked out.

Why isn't *domain set to point to the "workgroup =" value set in smb.conf
(and hence be the same domain name as the server and samba)?

This caused us some large problems. To test this out, I just hardcoded
*domain to point to the same domain name that our samba and our NT servers
are in, and force that to be passed to domain_client_validate().  I parked
this into a production environment of hundreds of PCs a few weeks ago, and
everything now works as expected and has been ever since.

So what's the reason for passing the client's domain/workgroup and not the
workgroup/domain of the samba server to domain_client_validate()? Am I
missing something here and opening myself up to larger problems?


p.s. I asked this on comp.protocols.smb a few weeks back and got no
responses except e-mail from others saying they are having the same
problem. Hence my post to this list. Thanks.

Ken Weaverling  (weave @  WHOIS: KJW
 Manager of Computer Support and Applications
   Delaware Technical & Community College

More information about the samba-technical mailing list