libsmbclient: Browsing and a URI spec?

Christopher R. Hertel crh at
Thu Jan 4 23:28:05 GMT 2001

> Yes, but it has also been pointed out that an NT domain is also workgroup.
> I know the smb.conf parameter is named "workgroup".  That's immaterial.

An NT Domain is a superset of a workgroup.  By definition, a workgroup
does not have a domain controller, but an NT Domain does.  In Microsoft's
world, the DMB is nailed to the PDC, so a workgroup is an organizational
unit on a local LAN.  "A domain is a group of servers that share common
security policy and user account databases."  That last bit verbatim from 
MS docs.

> I would answer the question myself, but I don't think I fully understand
> the scenario where there would be a difference, and that is the only
> scenario where this matters.

Mike's scenario is this:  In a large company, there are many NT Domains. 
Users configure their workstations to be associated with the local NT
Domain.  However, there is one single authentication domain.  All users 
must login against the auth database in the central domain.  The central 
domain then provides trust relationships so that the servers in the 
user's domain can 'trust' the user's credentials.

Thus, you browse the NT domain that is supported in your local office, but
you authenticate against the NT domain in the main office (which may be
half a world a way). 

>  In such a scenario, where you want to browse
> to "browsewg" and authenticate off "authdm"'s DC, which name is more
> likely to be the "workgroup" listed in smb.conf and used by the Samba
> server processes?  Since Samba may well be a domain member, passing on
> authentication of users itself, would it not have "workgroup=authdm"?
> I think the details of such a situation may be helpful.

This is all really much less important than we're making it sound, but it 
is good to work things out until we're on the same page.

My thinking is this.  The WORKGROUP parameter provides both the browsing 
domain (which many also call a workgroup) and the authentication domain.  
The default on almost all systems is that these are the same.

If you are in the somewhat odd situation that you must authenticate to a 
different NT domain, then you override the WORKGROUP parameter for 
*authentication only* by using the AUTH DOMAIN parameter.

Make any more sense?

Chris -)-----

Christopher R. Hertel -)-----                   University of Minnesota
crh at              Networking and Telecommunications Services

    Ideals are like stars; you will not succeed in touching them
    with your choose them as your guides, and following
    them you will reach your destiny.  --Carl Schultz

More information about the samba-technical mailing list