domain_client_validate() in smbd/password.c

Ken Weaverling weave at
Wed Feb 17 17:18:25 GMT 1999

On Thu, 18 Feb 1999, Luke Kenneth Casson Leighton wrote:

> On Thu, 18 Feb 1999, Ken Weaverling wrote:
> > What am I missing here please...
> > 
> > In domain_client_validate, it gets passed the domain name of the
> > client in char *domain. (in rev 2.0.2 at least)
> > 
> > That eventually gets sent to the NT server in cli_nt_login_network().
> > 
> > The problem I see is if the client's domain (workgroup) isn't the same as
> > the NT servers, it fails with NT_NO_SUCH_USER.
> absolutely correct behaviour.

Thanks for replying. Excuse my UNIX-centric lack-of-NT knowledge, but then
is it not possible for a standard NT server to share resources to systems
not a member of its own domain (or a trusted one)?

Also, it can't be a security thing, because I can use smbclient with -W
and "get in" if I identify the correct domain, even if the client using
smbclient is a member of some other domain/workgroup.

> > The bottom-line of this is that samba in security=domain will not allow
> > anyone to authenticate unless their PC is in the same domain as Samba and
> > the NT password server. PCs in simple workgroups are locked out.
> correct.
> security = domain makes the samba server a member of the domain.

So then there is more to the difference between security=server and
security=domain from a samba administrator's point than is explained in
the docs. Perhaps this should be parked in the docs since it's tripping up

Thanks again.

More information about the samba-technical mailing list