Overriding domain in security=domain mode?

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Thu May 10 13:59:27 GMT 2001


Hey, Martin!
I didn't say it wouldn't be USEFUL ;->
Actually I think it would be a very nice feature to have configurable in
smb.conf, just so long as the option were well documented and noted that
setting the option to yes causes samba to perform in a manner inconsistent
(perhaps better) with a true 'member server'.  But whether it should go into
the release branch would be up to the Samba team members.  There might be
some concern that this would be viewed as a 'security hole', since samba
would essentially be lying to the DC in the rpc transactions on behalf of
the client.  It's one thing for a PDC to internally fall back to checking
its own DOMAIN SAM for a user that comes in from a different domain; it's
quite another for an interim machine to deliberately 'spoof' part of the
logon credentials a client presents when representing that client to the
Authentication authority (the DC).

Hope this helps,
Don

-----Original Message-----
From: Martin Buck [mailto:martin.buck at ascom.ch]
Sent: Thursday, May 10, 2001 7:41 AM
To: MCCALL,DON (HP-USA,ex1)
Cc: samba-technical at lists.samba.org
Subject: Re: Overriding domain in security=domain mode?


"MCCALL,DON (HP-USA,ex1)" wrote:
> To compare apples to apples, you should really be testing to see whether
> your nt client in domainA can connect to a MEMBER server in domainB, not
> one of the DC's itself; that way the MEMBER server will perform similar
> rpc operations to the domainB DC as Samba does.  It would be interesting
> to see if in this scenario, you had to use the domainB\username syntax
> as well...

Good point, if I try to connect to a member server instead of the DC, I
have to use domainB\username as the username. So Samba and NT behave
identically in that case and Samba does everything right.

Unfortunately, that doesn't solve my original problem. Teaching all my
users to use the domain\username syntax is close to impossible, so I
will probably hack my samba server nevertheless to automatically replace
the domain.

However, it looks like there is not that much interest in that feature
(I only had one positive reply), so I'll probably stick with my hack
instead of implementing the clean solution that can be enabled/disabled
in smb.conf. If anybody thinks this is a useful feature that should be
part of the standard Samba, complain now and I might change my mind.

Martin
-- 
Martin Buck
Ascom Systec AG, Applicable Research & Technology
Gewerbepark, CH-5506 Maegenwil
Phone: +41-62-889-5292, Fax: -5290