That troublemaker again (replace domain logons =, domain master=)

Andrew Bartlett abartlet at
Sun Nov 11 21:38:01 GMT 2001

"Gerald (Jerry) Carter" wrote:
> On Mon, 12 Nov 2001, Andrew Bartlett wrote:
> > > Well, first off, the DMB does not really belong in this list.
> > > It is browsing related and not authentication.
> >
> > This is actually coming from the other end of things.  This parameter
> > doesn't concern itself with authentication, it is an nmbd parameter.  The
> > problem I have is that nmbd is currently dependent on where *smbd* is
> > checking its passwords, and it should have nothing to do with it.
> >
> > The crazy thing is that we don't actually have any parameters to
> > determine if PDC services are available, only settings to determine if
> > they are advertised.  I'm trying to remove the dependency of nmbd on
> > security =, and I was told that this was the best way to do it.
> Please point me to the code in nmbd you are referring (or a string
> to grep for).

I refer you to the patch attached to the original message.  In
particular grep for lp_server_role, the not-yet-parameter I changed into
a real parameter in my patch.

lp_server_role() depended on lp_security() and lp_domain_logons().  The
dependency on lp_security() was problematic.

> > Apart from the possibility of providing sane defaults for the 'auth
> > order' parameter, the idea was that it would replace 'domain master ='
> > and 'domain logons = ' and allow 'security=server' and 'security=domain'
> > to be removed.
> >
> > As far as I can tell, no functionality is lost but the flexibility of the
> > new 'auth order' parameter is gained.
> So PDC means we register DOMAIN<1c> and DOMAIN<1b>.  DMB means we register
> DOMAIN<1b>.  BDC means ?????  I don't see how we can register only
> DOMAIN<1c> and not be a BDC under your setup. Now granted I'm not
> necessarily saying this is a bad thing, but am pointing out my original
> question.  Please provide a table of how the new functionality maps
> onto the old parameters.  I know how to configure Samba very well
> in 2.2, and need you to hold my hand and articulate what advantage
> a "server role" parameter has.  As well as how this affects the overhead
> of configuring and managing a Samba server.

It should decrease the overhead, because the option is clear.  No more
'domain logons = pdc, but not if domain master = no, then it's a bdc'
kind of stuff.

                   PDC        BDC       Standalone (also member)     DMB
domain master =     Y          N                 N                    Y
domain logons =     Y          Y                 N                    N

> > OK, I set myself up for that one...
> >
> > If somebody can show a sane way to implement backward-compatibility on
> > this, I'll be happy to see it.  It just seemed like it would be a little
> > too messy.  We will see.
> I'll need to understand it more and think some.


Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
