Overriding domain in security=domain mode?

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Tue May 8 21:35:49 GMT 2001

Hi Martin,
Well, it shouldn't be done 'always', as Samba in security = domain mode 
pays attention to a smb.conf variable called 'allow trusted domains'
and will send over the domain\username that it receives from the client, so 
that the NT server, if it has a trust with that domain, WILL authenticate
If you set 'allow trusted domains' = no, then if samba gets a request from a
in a different domain than the one samba is a member of, it doesn't even
contacting the password server, but denies the validation at once.

By the way, it seems that if samba is in security = server mode, then the
you speak of does not manifest itself; that is, even though we do the
netlogon attempt
sending the username and domain to the password server, the password server
positively, even though the domains differ (much like your experience when
DIRECTLY to the DC from the nt client in a different domain).  
I believe this is because in security = domain mode, we (samba) are acting
server, and use rpc calls to get our clients authenticated, as opposed to
security = domain mode, where we are basically actually trying to logon on
behalf of the client directly to the password server to verify

To compare apples to apples, you should really be testing to see whether
your nt client in domainA can connect to a MEMBER server in domainB, not one
of the DC's itself; that way the 
MEMBER server will perform similar rpc operations to the domainB DC as Samba
does.  It would be interesting to see if in this senario, you had to use the
domainB\username syntax as well...

Hope this helps,
 "Reason, not volume, is the primary
differentiator between a discussion, and an

-----Original Message-----
From: Martin Buck [mailto:martin.buck at ascom.ch]
Sent: Monday, May 07, 2001 8:58 AM
To: samba-technical at lists.samba.org
Subject: Overriding domain in security=domain mode?

I noticed this rather annyoing behaviour when authenticates with another
DC: If you try to connect to a samba share from an NT4 machine in a
different domain (or none at all, i.e. domain name = name of NT4
machine), you always have to use the domain\user syntax when specifying
the user name to connect as. If you don't do that, the NT4 machine will
send its own name as the domain name which samba will forward to the DC,
which, of course, won't know the user in this domain and return

You probably say this is the expected behaviour, but if you try to
connect to a share on the DC (NT4 server in this case) directly, you
don't have to supply a domain name, even if the client is in a different
one. It looks like NT server will always try its own domain name as
well, even if the client asked for a different one.

Modifying samba to send its own domain name to the DC instead of the one
the client asked for looks like a simple change to password.c. The
question is: Should this be done only when the first attempt with the
client's domain failed, should it be done always (under the assumption
that the DC won't authenticate accounts in other domains anyway), should
it be configurable? Or is it a bad idea and shouldn't be done at all?

I'll submit a patch if somebody agrees that this would be a useful

Martin Buck
Ascom Systec AG, Applicable Research & Technology
Gewerbepark, CH-5506 Maegenwil
Phone: +41-62-889-5292, Fax: -5290

More information about the samba-technical mailing list