Using Samba -- domain logins

David Collier-Brown davecb at canada.sun.com
Tue Jan 4 20:03:12 GMT 2000


  Two folks have asked this question now, and no-one on the
docs list could comment, so I'm afraid I'll have to ask the
experts...

Kevin Bingham of O'Reilly Book Support forwarded this question
from Jason Podgorny <jason at earthcafe.com> :
> I have a question on the domain logons option as presented in your book
> Using Samba.  According to the example on page 171 the domain logons 
> option should be configured as yes when using the Domain-level Security. 
> However, on page 190-191 where it gives more information on the domain
> logons option, it says that the machine must be in user-level security and
> be acting as a PDC for this option to function.  This information seems
> contradictory.  According to information that I have found in other places,
> it also says that this option can be used with server-level security. 

        Sure: it's almost independent of security level:
        1) It doesn't work at all in security = share
        2) It works in security = user, server and domain

[Question: the code implies this is true; is it?
That's Jason's primary question, which I discuss below.]

        3) It's required on a Samba domain master.

        At the lowest level, it does two things: if turned on, 
        it advertises "internet group" <1c> names.  If turned 
        off, it rejects domain login packets from clients.

The man page says:
domain logons (G)
If set to true, the Samba server will serve Windows 95/98 Domain
logons for the workgroup it is in. For more details on setting up 
this feature see the file DOMAINS.txt in the Samba documentation 
directory docs/ shipped with the source code.

Note that Win95/98 Domain logons are NOT the same as Windows
NT Domain logons. NT Domain logons require a Primary Domain Controller
(PDC) for the Domain. It is intended that in a future release Samba
will be able to provide this functionality for Windows NT clients
also.

And DOMAINS.txt says:
NOTE: You must be using "security = user" or "security = server" for
domain logons to work correctly.  Share level security won't work
correctly.

        Insofar as I can see, it also works for security = domain,
        so that a PC client can do a domain login to a Samba
        server that's a member of the domain.

        I suspect the discussion of domain logins on page 190
        (section 6.5.3.1, domain logons, in
        http://www.oreilly.com/catalog/samba/chapter/book/ch06_05.html)
        should say, at the most:
---
This option configures Samba to accept domain logons. When a client
successfully logs on to the domain, Samba will return a special token
to the client that allows the client to access domain shares without
consulting the PDC again for authentication. Note that the Samba
machine must either be a member of the domain or the PDC of the domain
for this option to function. In addition, Windows machines will expect
a [netlogon] share to exist on the Samba server (see Section 6.5.1,
Configuring Samba for Windows Domain Logons," earlier in this
chapter).
---

The code says:
---
void add_domain_names(time_t t)
        ...
        /* Do the "internet group" - <1c> names. */
        if (lp_domain_logons())
                add_logon_names();

        if(lp_domain_master())
                ...
                become_domain_master_browser_<mode>(global_myworkgroup);
----and-----
void process_logon_packet(struct packet_struct *p,char *buf,int len,
                          char *mailslot)
  if (!lp_domain_logons())
  {
    DEBUG(3,("process_logon_packet: Logon packet received from IP %s and domain logons are not enabled.\n", inet_ntoa(p->ip) ));
    return;
  }
---

        Samba folks: the requirement "must be in user-level 
        security ( security = user) and must be the PDC" used to be 
        trivially true, but from poking at the 2.0.6 code with cscope,
        it looks as if it should work if you were a member server. 
        As we're not advertising PDC in 2.0.x, this requirement
        is out of place (it was introduced to the book
        around version 1.9.18 of Samba), and arguably shouldn't be 
        discussed at all.

--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
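The rules Dave lays out above (domain logons is ignored under security = share, works under user/server/domain, is required on a domain master, and Windows clients then expect a [netlogon] share) are easy to get wrong in a hand-edited smb.conf. The following is an added example, not part of the original post and not Samba's own code: a small lint that parses an smb.conf and reports any of those four inconsistencies. The three sample configurations are constructed for the example, and it assumes that a missing "security" line means "user" (the Samba 2.0 default) and that a missing "domain logons" or "domain master" line means "no".

```python
"""Lint an smb.conf for the `domain logons` rules discussed in the post.

Added example; the rules encoded here are the ones stated in the post,
the sample configs are constructed, and the defaults assumed are:
security = user, domain logons = no, domain master = no.
"""
import re

# Constructed sample: share-level security, which domain logons cannot use.
SHARE_LEVEL_CONF = """
[global]
   workgroup = EXAMPLE
   security = share
   domain logons = yes
"""

# Constructed sample: a member server of an NT domain serving domain
# logons, with the [netlogon] share the clients will look for.
MEMBER_SERVER_CONF = """
[global]
   workgroup = EXAMPLE
   security = domain
   password server = PDC1
   domain logons = yes

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
"""

# Constructed sample: domain master browser with domain logons left off.
DOMAIN_MASTER_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   domain master = yes
   domain logons = no
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Section and parameter names are lower-cased (smb.conf is case-
    insensitive) and lines starting with '#' or ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_true(value):
    # Boolean parameters accept yes/true/1 and no/false/0.
    return value.strip().lower() in ("yes", "true", "1")


def check_domain_logons(text):
    """Return a list of problem strings; empty means the config is
    consistent with the rules in the post."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    security = g.get("security", "user").lower()        # assumed default
    logons = is_true(g.get("domain logons", "no"))      # assumed default
    master = is_true(g.get("domain master", "no"))      # assumed default
    problems = []
    # Rule 1: domain logons does not work at all under share-level security.
    if logons and security == "share":
        problems.append("domain logons = yes does not work with security = share")
    # Rule 3: a Samba domain master must also serve domain logons.
    if master and not logons:
        problems.append("domain master = yes requires domain logons = yes")
    # Windows clients doing a domain logon expect a [netlogon] share.
    if logons and "netlogon" not in conf:
        problems.append("domain logons = yes but no [netlogon] share is defined")
    return problems


if __name__ == "__main__":
    for name, conf in (("share-level", SHARE_LEVEL_CONF),
                       ("member server", MEMBER_SERVER_CONF),
                       ("domain master", DOMAIN_MASTER_CONF)):
        print(name, "->", check_domain_logons(conf) or "ok")
```

Running it on a real installation's smb.conf is a one-line change (read the file instead of the constructed strings); the member-server sample is the case Dave argues should work under security = domain, and the lint accepts it as long as the [netlogon] share is present.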


More information about the samba-technical mailing list