Using Samba -- domain logins
David Collier-Brown
davecb at canada.sun.com
Thu Jan 6 14:20:49 GMT 2000
OK, it's Thursday, and the domain logins discussion appears to
have settled down; time to summarize:
I said:
> 1) It doesn't work at all in security = share
> 2) It works in security = user, server and domain
> At the lowest level, it does two things: if turned on,
> it advertises "internet group" <1c> names. If turned
> off, it rejects domain login packets from clients.
Luke Kenneth Casson Leighton added:
> only if encrypt passwords = yes.
Steve Langasek noted:
| I've had some success using "domain logons = yes" on a machine that was not
| the PDC for a domain, so the "domain logons" and "domain master" options do
| appear to be completely orthogonal
Eric s said:
| BDC: domain logons = yes, domain master = no, encrypt passwords = yes.
| PDC: domain l = y, dm = y, ep = y.
Gerald Carter said:
| I have also heard that this works. However, intuitively this
| should make Samba a BDC. Problem is that there is no fail
| over provided as Samba does not cache a copy of the PDC's
| SAM.
Steve Langasek raised another, related, question:
| But domain logons = yes is also used to control whether 'network logons'
| are accepted from Win9x machines. Does this represent overloading of the
| option's meaning?
My opinion is yes: it not only says "accept logins", it says
"and send <1c> names".
Next question from me: if we're not a PDC/BDC, and
aren't trying to be either, just a fileserver using
encrypted passwords with security = user, should we
be able to serve domain logins to Windows clients?
Ditto if we are using security=server?
Luke Kenneth Casson Leighton seems to agree:
| I have a site that does this now.
| security = {domain, server}
| domain logons = yes
| required encrypted passwords ...
and Gerald Carter had reason to think this Might Be Bad (;-))
| "domain logons" also controls NT logons. Can someone give me
| a valid set of circumstances where you would want Samba to
| validate win9x logons and not act as a BDC?
| In my opinion (at the moment) the two are inseparable. A Samba
| server (using accounts from a PDC) validating Win9x logons
| should also validate NT client logons (and this is a BDC).
Steve Langasek replied:
| As I understand it, there is nothing in the meaning of a Win9x logon which
| *requires* the machine serving logons to be an NT domain controller, even
| if an NT domain is present.
| It seems logical to me that some would want to separate out these two
| functions.
So we have both a documentation and a technical question:
1) should sending <1c> be separated from allowing
win clients to do domain logins?
2) do we say "don't support domain logins in 2.0.x" in
the documentation?
And a related question: at some point we're going to want
a "what's new in 2.1" section in chapter 1, and integration of
all the 2.0 additions into the body of the book. What year and
quarter are we looking at?
--dave
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
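
The option combinations reported in the summary above, collected into a small smb.conf check. This is an added example, not part of the original message or of Samba itself; the function names, the sample configs, the role labels and the treatment of unset options (security = user, booleans = no) are assumptions.

```python
TRUE = {"yes", "true", "1"}

def parse_global(text):
    """Collect [global] parameters; names are lower-cased, inner whitespace collapsed."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().lower()
    return params

def check_domain_logons(text):
    """Return (role, problems) using only the rules stated in the thread."""
    p = parse_global(text)
    on = lambda name: p.get(name, "no") in TRUE   # assumption: unset means no
    if not on("domain logons"):
        return "no logon service", []
    problems = []
    if p.get("security", "user") == "share":      # assumption: unset means user
        problems.append("domain logons does not work with security = share")
    if not on("encrypt passwords"):
        problems.append("domain logons needs encrypt passwords = yes")
    # Thread shorthand: domain master = yes is the PDC case, no is the BDC case.
    # The BDC case has no failover because Samba keeps no copy of the PDC's SAM.
    role = "PDC-style" if on("domain master") else "BDC-style (no SAM copy, no failover)"
    return role, problems

# Constructed sample configurations (not taken from any real site).
PDC_CONF = """[global]
   security = user
   domain logons = yes
   domain master = yes
   encrypt passwords = yes
"""
BDC_CONF = PDC_CONF.replace("domain master = yes", "domain master = no")
BAD_CONF = """[global]
   security = share
   domain logons = yes
"""

if __name__ == "__main__":
    for name, conf in (("pdc", PDC_CONF), ("bdc", BDC_CONF), ("bad", BAD_CONF)):
        print(name, check_domain_logons(conf))
```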