domain_client_validate() in smbd/password.c

Ken Weaverling weave at hopi.dtcc.edu
Wed Feb 17 17:18:25 GMT 1999


On Thu, 18 Feb 1999, Luke Kenneth Casson Leighton wrote:

> On Thu, 18 Feb 1999, Ken Weaverling wrote:
> 
> > What am I missing here please...
> > 
> > In domain_client_validate, it gets passed the domain name of the
> > client in char *domain. (in rev 2.0.2 at least)
> > 
> > That eventually gets sent to the NT server in cli_nt_login_network().
> > 
> > The problem I see is if the client's domain (workgroup) isn't the same as
> > the NT server's, it fails with NT_NO_SUCH_USER.
> 
> absolutely correct behaviour.

Thanks for replying. Excuse my UNIX-centric lack-of-NT knowledge, but then
is it not possible for a standard NT server to share resources to systems
not a member of its own domain (or a trusted one)?

Also, it can't be a security thing, because I can use smbclient with -W
and "get in" if I identify the correct domain, even if the client using
smbclient is a member of some other domain/workgroup.

> > The bottom-line of this is that samba in security=domain will not allow
> > anyone to authenticate unless their PC is in the same domain as Samba and
> > the NT password server. PCs in simple workgroups are locked out.
> 
> correct.
> 
> security = domain makes the samba server a member of the domain.

So then there is more to the difference between security=server and
security=domain from a samba administrator's point than is explained in
the docs. Perhaps this should be parked in the docs since it's tripping up
others.

Thanks again.



