Winbind Default Auth Domain?
Christopher R. Hertel
crh at nts.umn.edu
Tue Jan 23 19:05:14 GMT 2001
> [whoops - forgot to cc the list]
> Kevin Colby writes:
> > Is there any existing method for setting a default auth domain
> > for winbind?
> The 'workgroup' parameter in the smb.conf file should specify
> which domain winbind authenticates against.
Yes, that would be the normal default. During discussions regarding the
libsmbclient library Richard Sharpe suggested the development of an
SMB:// URL format. As part of that, we discovered the disparity between
'workgroup of which the system is a member' and 'NT Domain used for
In most cases, these are the same but there are large known installations
which centralize authentication to a single NT Domain and then use trust
relationships to allow users to access services on their local NT Domains
(or on other, remote NT Domains).
So, the suggestion was made that we add a[n]
[CLIENT ]AUTH[ORIZATION] DOMAIN
parameter to smb.conf. Kevin's suggestion provides more reason for
adding this parameter.
> > Are there any larger issues with such a feature?
> I don't think Samba can be a member of multiple domains although
> it may be possible to hack something up. There's no reason why
> winbindd can't create users that are in many unrelated domains
> and then use security=server to authenticate them, apart from the
> whole security=server business being inherently dodgy.
> > We are hoping to utilize and/or implement as much here.
> > Does this relate (or should it) to smbclient's "client auth
> > domain"?
> I'm not familiar with this parameter.
Christopher R. Hertel -)----- University of Minnesota
crh at nts.umn.edu Networking and Telecommunications Services
Ideals are like stars; you will not succeed in touching them
with your hands...you choose them as your guides, and following
them you will reach your destiny. --Carl Schultz
More information about the samba-technical