Changing Domains from NT4 / AD 2000

MCCALL,DON (HP-USA,ex1) don_mccall at
Thu Apr 12 14:55:12 GMT 2001

Hi Kirk,
Yes, the username map works the same in security = server as in security =
domain.  So if security = domain and your username map has been working for
you so far, modifying security = domain to security = server should be pretty
transparent to your
Of course, security = domain IS the preferred method.  I remember you
mentioned that you are using 2.0.6; Jeremy posted a patch to 2.0.7 last night
(he was the one that originally wrote it!) that fixes the problem I mentioned.
And 2.0.7 plays better with Win2k clients.
So at some point you might consider moving up to 2.0.7 & this patch and
going back into domain mode, OR go up to 2.2.x (which has this problem fixed
as well) when it is released/stable.

(Thanks again, Jeremy for posting that patch...)

BTW, both Richard Sharpe's "Special Edition Using Samba" and the O'Reilly
"Using Samba" have nice sections describing the differences between domain
and server level security, and why you would prefer one to the other, if
you're interested.  I personally couldn't live without either one of these

Hope this helps,

-----Original Message-----
From: Kirk Shimek [mailto:Kirk.Shimek at]
Sent: Thursday, April 12, 2001 9:10 AM
To: don_mccall at; samba at;
samba-technical at
Subject: RE: Changing Domains from NT4 / AD 2000

Thanks Don,

A follow-on config question.  I understand the workaround . . . how do I
handle the fact that my users' NT account names are not the same as the UNIX
account names?  i.e. NT uses shimekk, whereas UNIX uses kshimek, AND ALL
the accounts already exist.  Does the username map option work here?  I'm
already using it.  But before I affect ~300 users, I would like to know the
effects, if any.

Also, I suppose to make the change to security = server I need to modify the
smb.conf file and shut down and restart smbd and nmbd . . . correct?

Again, thanks for the quick response.  You guys rock at SAMBA!

Hi Kirk,
Don't know if this is your problem or not, but when working with 2.0.7 on
HP-UX 11.0, we found this irregularity (only for NT users that had been
moved from an NT 4.0 domain to a Win2k domain):
When Windows users are migrated from Windows NT to Windows 2000
domains, to maintain backward access permissions, the migration tools
add what's called SID history to the user accounts.
When a Samba server is used in domain authentication mode with migrated
users, the authentication fails.
The problem is that due to the addition of old security IDs (called
SIDHistory) to the user accounts, when Samba authenticates a user
against a Windows 2000 server, if the user is authenticated properly,
Win2k returns more information than what Samba expects.  Consequently
Samba fails with a buffer overflow error.

You should be able to determine if this is happening to you by turning up the
log level and reproducing the failure, then looking through the log file for a
buffer overflow...

When a user is migrated from Windows NT to Windows 2000 running
in native mode, Win2K preserves the user's old SID information in
a Win2K native attribute called SID History.
When Samba authenticates such a user successfully against the
Windows 2000 server (giving the right username and password), Windows
2K appends the SID history to the response.  Samba isn't ready (not coded)
to handle the extra SID information returned by Win2K servers, so it fails.
The workaround is to use Samba in server security mode.

Kirk Shimek Information Systems
Systems Engineer - UNIX Administrator
TRW Automotive Electronics
Body Control Systems
507-457-3750 ext.8241

" . . . for it is in one's speech, that the bent of one's mind is revealed."
Book of Sirach
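The configuration the thread arrives at, written out as an added example (not posted by either Don or Kirk): an smb.conf fragment for the server-security workaround, with the username map that carries the NT-to-UNIX name difference Kirk describes and the log level raised so the "buffer overflow" message Don mentions can be found in the log. The domain name, server and DC NetBIOS names, file paths and the mapped user names are all assumed placeholders.

```ini
; smb.conf fragment (example; domain, host names and paths are assumed)
[global]
   workgroup = DOMAIN                ; placeholder NT domain name
   netbios name = HPUXBOX            ; placeholder name of the Samba host

   ; Workaround from the thread: pass-through (server) authentication
   ; instead of domain-member authentication, so the SID history that a
   ; Win2k DC appends to a migrated user's logon reply is never parsed
   ; by a 2.0.6/2.0.7 smbd.  The preferred setting stays commented out
   ; until the patched 2.0.7 or 2.2.x is in place.
   ;security = domain
   security = server
   password server = PDC01 BDC01     ; placeholder DC NetBIOS names
   encrypt passwords = yes

   ; The same map file is consulted in both server and domain mode.
   ; One line per UNIX account: "unixname = ntname [ntname ...]".
   username map = /usr/local/samba/lib/username.map
   ; Example contents of that file (constructed):
   ;   kshimek = shimekk
   ;   root = administrator admin

   ; Raise the log level only while reproducing the failed logon, then
   ; search the per-client log for "buffer overflow"; drop back to 1 after.
   log level = 3
   log file = /usr/local/samba/var/log.%m
   max log size = 1000
```

Validate the edited file with testparm before restarting smbd; nmbd is unaffected by a security-mode change but restarting both is harmless. Because the map is keyed by the UNIX name, the existing ~300 entries carry over unchanged when security = domain is swapped for security = server, and the file must be writable only by root, since whoever can edit it decides which NT account lands in which UNIX account.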
