domain_client_validate() in smbd/password.c

Luke Kenneth Casson Leighton lkcl at switchboard.net
Wed Feb 17 20:58:11 GMT 1999


On Thu, 18 Feb 1999, Ken Weaverling wrote:

> On Thu, 18 Feb 1999, Luke Kenneth Casson Leighton wrote:
> 
> > On Thu, 18 Feb 1999, Ken Weaverling wrote:
> > 
> > > What am I missing here please...
> > > 
> > > In domain_client_validate, it gets passed the domain name of the
> > > client in char *domain. (in rev 2.0.2 at least)
> > > 
> > > That eventually gets sent to the NT server in cli_nt_login_network().
> > > 
> > > The problem I see is if the client's domain (workgroup) isn't the same as
> > > the NT servers, it fails with NT_NO_SUCH_USER.
> > 
> > absolutely correct behaviour.
> 
> Thanks for replying. Excuse my UNIX-centric lack-of-NT knowledge, but then
> is it not possible for a standard NT server to share resources to systems
> not a member of its own domain (or a trusted one)?

yes, with the correct permissions or with a local workstation account.
 
> Also, it can't be a security thing, because I can use smbclient with -W
> and "get in" if I identify the correct domain, even if the client using
> smbclient is a member of some other domain/workgroup.

yes but you don't have the option, with an nt client, of specifying the
domain except with net use \\server\share /user:WG/username and other
similar mechanisms.

> So then there is more to the difference between security=server and
> security=domain from a samba administrator's point than is explained in
> the docs. Perhaps this should be parked in the docs since it's tripping up
> others.

true.  eventually we will have trust relationships set up and everything
will be hunky-dory.  with security = server it does an "Authenticated
User" login rather than a "Domain User" login.

luke



More information about the samba-technical mailing list