Overriding domain in security=domain mode?

Martin Buck martin.buck at ascom.ch
Mon May 7 12:58:11 GMT 2001


I noticed this rather annoying behaviour when authenticating with another
DC: If you try to connect to a samba share from an NT4 machine in a
different domain (or none at all, i.e. domain name = name of NT4
machine), you always have to use the domain\user syntax when specifying
the user name to connect as. If you don't do that, the NT4 machine will
send its own name as the domain name which samba will forward to the DC,
which, of course, won't know the user in this domain and return
NT_STATUS_NO_SUCH_USER.

You probably say this is the expected behaviour, but if you try to
connect to a share on the DC (NT4 server in this case) directly, you
don't have to supply a domain name, even if the client is in a different
one. It looks like NT server will always try its own domain name as
well, even if the client asked for a different one.

Modifying samba to send its own domain name to the DC instead of the one
the client asked for looks like a simple change to password.c. The
question is: Should this be done only when the first attempt with the
client's domain failed, should it be done always (under the assumption
that the DC won't authenticate accounts in other domains anyway), should
it be configurable? Or is it a bad idea and shouldn't be done at all?

I'll submit a patch if somebody agrees that this would be a useful
feature.

Thanks,
Martin
-- 
Martin Buck
Ascom Systec AG, Applicable Research & Technology
Gewerbepark, CH-5506 Maegenwil
Phone: +41-62-889-5292, Fax: -5290



