Using Samba -- domain logins

David Collier-Brown davecb at canada.sun.com
Thu Jan 6 14:20:49 GMT 2000


  OK, it's Thursday, and the domain logins discussion appears to
have settled down; time to summarize:

I said:
>         1) It doesn't work at all in security = share
>         2) It works in security = user, server and domain
> At the lowest level, it does two things: if turned on,
>        it advertises "internet group" <1c> names.  If turned
>        off, it rejects domain login packets from clients.

Luke Kenneth Casson Leighton added:
> only if encrypt passwords = yes.

Steve Langasek noted:
| I've had some success using "domain logons = yes" on a machine that was not
| the PDC for a domain, so the "domain logons" and "domain master" options do
| appear to be completely orthogonal

Eric s said:
| BDC: domain logons = yes, domain master = no, encrypt passwords = yes.
| PDC: domain l      = y,   dm            = y,  ep                = y.

Gerald Carter said:
| I have also heard that this works.  However, intuitively this 
| should make Samba a BDC.  Problem is that there is no fail 
| over provided as Samba does not cache a copy of the PDC's 
| SAM.

Steve Langasek raised another, related, question:
| But domain logons = yes is also used to control whether 'network logons'
| are accepted from Win9x machines.  Does this represent overloading of the
| option's meaning?
	
	My opinion is yes: it not only says "accept logins", it says
	"and send <1c> names".

	Next question from me: if we're not a PDC/BDC, and
	aren't trying to be either, just a fileserver using
	encrypted passwords with security = user, should we 
	be able to serve domain logins to Windows clients?
	Ditto if we are using security=server?

Luke Kenneth Casson Leighton seems to agree:
| I have a site that does this now.
|    security = {domain, server}
|   domain logons = yes
| required encrypted passwords ...

and Gerald Carter had reason to think this Might Be Bad (;-))
| "domain logons" also controls NT logons.  Can someone give me 
| a valid set of circumstances where you would want Samba to 
| validate win9x logons and not act as a BDC?

| In my opinion (at the moment) the two are inseparable.  A Samba 
| server (using accounts from a PDC) validating Win9x logons
| should also validate NT client logons (and this is a BDC).

Steve Langasek replied:
| As I understand it, there is nothing in the meaning of a Win9x logon which
| *requires* the machine serving logons to be an NT domain controller, even
| if an NT domain is present.
| It seems logical to me that some would want to separate out these two
| functions.

	So we have both a documentation and a technical question:
	1) should sending <1c> be separated from allowing
		win clients to do domain logins?
	2) do we say "don't support domain logins in 2.0.x" in
		the documentation?

	And a related question: at some point we're going to want
	a "what's new in 2.1" section in chapter 1, and integration of
	all the 2.0 additions into the body of the book. What year and
	quarter are we looking at?  

--dave
-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
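
The settings reported in this thread, turned into a check over the [global] section of an smb.conf. This is an added example, not part of the original post and not Samba code; the default values, the role labels and every function name are assumptions made for illustration.

```python
import re

# Assumed Samba 2.0.x defaults for parameters missing from [global].
DEFAULTS = {"security": "user", "encryptpasswords": "no",
            "domainlogons": "no", "domainmaster": "no"}
TRUE = {"yes", "true", "1"}

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters of an smb.conf, keyed by norm()."""
    params, section = dict(DEFAULTS), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip().lower()
    return params

def check_domain_logons(text):
    """Return (role, problems) using the rules reported in the thread."""
    p = parse_global(text)
    if p["domainlogons"] not in TRUE:
        return "no domain logons", []
    problems = []
    if p["security"] == "share":
        problems.append("domain logons does not work with security = share")
    if p["encryptpasswords"] not in TRUE:
        problems.append("domain logons needs encrypt passwords = yes")
    # Role naming follows Eric s's table; the BDC case has no SAM copy.
    role = "PDC-like" if p["domainmaster"] in TRUE else "BDC-like, no failover"
    return role, problems

# Constructed sample configurations (not taken from any real site).
SAMPLE_BDC = "[global]\n security = domain\n Domain Logons = yes\n encrypt passwords = yes\n"
SAMPLE_BAD = "[global]\n security = share\n domain logons = yes\n; encrypt passwords = yes\n"

if __name__ == "__main__":
    for name, conf in (("SAMPLE_BDC", SAMPLE_BDC), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_domain_logons(conf))
```
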

