domain_client_validate() in smbd/password.c
Ken Weaverling
weave at hopi.dtcc.edu
Thu Feb 18 12:18:51 GMT 1999
On Wed, 17 Feb 1999, Jeremy Allison wrote:
> By causing Samba to drop the "DOM" part of the user
> name the PDC will automatically assume it's own domain
> - which may not be what you want. For instance, "DOM1\fred"
> probably has a differnt password to "DOM2\fred", and
> if you just send the authentication request as "fred"
> to the PDC for DOM1, then a (potentially valid) DOM2\fred
> login would be denied.
Makes sense and actually solves another issue with NT I hate. That if you
happen to have two separate domains and have the same password on each,
you get authenticated without warning.
Example, if I have two PDCs in different domains but foolishly give
Administrator the same password on both, you get full access to both
domains without warning. This shocked me once when I set up a test PDC on
a test domain and found I could administer our main domain from it.
<whine>but it doesn't solve MY problem!</whine>
> Maybe we could make it a parameter "force domain" or
> something to allow the Samba admin to force all domain
> logins to appear to be from a certain domain ?
That would be very useful to us and others from what I have heard. It will
also add yet another config possibility to Samba to allow it to work
better for the end users while driving some Ziff-Davis reporters to whine
about how Samba isn't easy to administer because there are too many
configuration options! :-)
If not, I'll just keep a patching!
Thanks.
--
Ken Weaverling (weave @ dtcc.edu) WHOIS: KJW
Manager of Computer Support and Applications
Delaware Technical & Community College
More information about the samba-technical
mailing list