domain_client_validate() in smbd/password.c

Ken Weaverling weave at
Thu Feb 18 12:18:51 GMT 1999

On Wed, 17 Feb 1999, Jeremy Allison wrote:

> By causing Samba to drop the "DOM" part of the user
> name the PDC will automatically assume it's own domain
> - which may not be what you want. For instance, "DOM1\fred"
> probably has a differnt password to "DOM2\fred", and
> if you just send the authentication request as "fred"
> to the PDC for DOM1, then a (potentially valid) DOM2\fred
> login would be denied.

Makes sense and actually solves another issue with NT I hate. That if you
happen to have two separate domains and have the same password on each,
you get authenticated without warning.

Example, if I have two PDCs in different domains but foolishly give
Administrator the same password on both, you get full access to both
domains without warning.  This shocked me once when I set up a test PDC on
a test domain and found I could administer our main domain from it.

<whine>but it doesn't solve MY problem!</whine>

> Maybe we could make it a parameter "force domain" or
> something to allow the Samba admin to force all domain
> logins to appear to be from a certain domain ?

That would be very useful to us and others from what I have heard. It will
also add yet another config possibility to Samba to allow it to work
better for the end users while driving some Ziff-Davis reporters to whine
about how Samba isn't easy to administer because there are too many
configuration options! :-)

If not, I'll just keep a patching!


Ken Weaverling  (weave @  WHOIS: KJW
 Manager of Computer Support and Applications
   Delaware Technical & Community College

More information about the samba-technical mailing list