Winbind Default Auth Domain?

[Christopher R. Hertel]

> [whoops - forgot to cc the list]
> 
> Kevin Colby writes:
> 
> > Is there any existing method for setting a default auth domain
> > for winbind?
> 
> The 'workgroup' parameter in the smb.conf file should specify
> which domain winbind authenticates against.

Tim,

Yes, that would be the normal default.  During discussions regarding the
libsmbclient library Richard Sharpe suggested the development of an 
SMB:// URL format.  As part of that, we discovered the disparity between 
'workgroup of which the system is a member' and 'NT Domain used for 
authentication'.

In most cases, these are the same but there are large known installations
which centralize authentication to a single NT Domain and then use trust
relationships to allow users to access services on their local NT Domains
(or on other, remote NT Domains). 

So, the suggestion was made that we add a[n]

  [CLIENT ]AUTH[ORIZATION] DOMAIN

parameter to smb.conf.  Kevin's suggestion provides more reason for 
adding this parameter.

Chris -)-----

> > Are there any larger issues with such a feature?
> 
> I don't think Samba can be a member of multiple domains although
> it may be possible to hack something up.  There's no reason why
> winbindd can't create users that are in many unrelated domains
> and then use security=server to authenticate them, apart from the
> whole security=server business being inherently dodgy.
> 
> > We are hoping to utilize and/or implement as much here.
> > Does this relate (or should it) to smbclient's "client auth
> > domain"?
> 
> I'm not familiar with this parameter.
> 
> 
> Tim.
> 
> 


-- 
Christopher R. Hertel -)-----                   University of Minnesota
crh at nts.umn.edu              Networking and Telecommunications Services

    Ideals are like stars; you will not succeed in touching them
    with your hands...you choose them as your guides, and following
    them you will reach your destiny.  --Carl Schultz