That troublemaker again (replace domain logons =, domain master=)

Andrew Bartlett abartlet at
Sun Nov 11 20:37:02 GMT 2001

"Gerald (Jerry) Carter" wrote:
> On Mon, 12 Nov 2001, Andrew Bartlett wrote:
> > Ok, next up on the shooting range:
> I still haven't responded to the previous thread.
> Is it closed already?  You people work over the weekend too much :-)
> > To allow the work I am doing for plugable authentication paramaters I
> > have already proposed to remove the 'server' and 'domain' options from
> > security=, and to replace them with an 'auth order = ' paramater.
> >
> > Unfortunetly Samba is a dependency hell in this area - we make up a
> > 'server role' paramater already, based on particular values of other
> > paramaters.  What I am proposing to do is to change this around:
> >
> > Create a new 'server role = ' paramater, with possible options:
> > PDC
> > BDC
> > DMB
> We'll first off, the DMB does not really belong in this list.
> It is browsing related and not authentication.

This is actually coming from the other end of things.  This paramater
doesn't concern itself with authenticaion, it is an nmbd paramater.  The
problem I have is that nmbd is currently dependent on where *smbd* is
checking its passwords, and it should have nothing to do with it.

The crazy thing in that we don't actually have any paramters to
determine if PDC services are available, only settings to determine if
they are advertised.  I'm trying to remove the dependency of nmbd on
security =, and I was told that this was the best way to do it.

> >
> > This will replace the current 'doamin logons =' and 'domain master ='
> > paramaters, and remove the dependeny on 'security = ', which is where my
> > actual work is.
> Why did you exclude the LMB related parameters?  Although I don't think
> browsing should be confused in here at all.  Could you please
> explain the meaning of each server role and how that relates to
> current functionality.  What can we do in 2.2. that we won't
> be able to do in 3.0 and vice-versa.

Apart from the possiblity of providing sane defaults for the 'auth
order' paramater, the idea was that it would replace 'domain master ='
and 'domain logons = ' and allow 'security=server' and 'security=domain'
to be removed.

As far as I can tell, no functionaity is lost but the flexability of the
new 'auth order' paramater is gained.

> > Instead I am much more inclined to a 'conversion script' arrangement.
> > This is however somthing that we will need to look at over the next
> > few months before release, and I am open to proposals in this area.
> A conversion script is fine as long as someone will write it.
> And i think that those that rework the params file significantly
> should have a major role in this :-)

OK, I set myself up for that one...  

If sombody can show a sane way to implement backward-compatablity on
this, I'll be happy to see it.  It just seemed like it would a little
too messy.  We will see.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list