That troublemaker again (replace domain logons =, domain master=)

Andrew Bartlett abartlet at
Mon Nov 12 06:27:05 GMT 2001

"Gerald (Jerry) Carter" wrote:
> On Mon, 12 Nov 2001, Simo Sorce wrote:
> > It is much more easier to understand the andrew's table than the
> > domain master/logons combination from an administrator point of view.
> > Sure black belts in smb.conf would find it easy, but having parameters
> > the clearly states what samba will be are more understandable. and yes
> > DMB is not so usefull but is here to provide you a way to use any
> > combination of the two parameters (to avoid loss in configurability).
> >
> > We discussed this with volker at CIFS too and I'm for this change,
> > much more clear IMHO.
> I disagree.  It is simply an alternative representation.  Why not
> simply have documentation which presents this chart?  Removing
> the "security" parameter will break all existing
> documentation, configuration files, and third party tools.
> Not to mention making sysadmins relearn how to configure Samba.
> For what?  A chart that may or may not be clearer to admins?
> The payoff is debateable and not big enough.

As you will see in my other e-mail, the problem is not at the security=
end of things.  At that end, I don't really care if we continue to have
'secruity=domain' and 'secruity=server' parameters that just set sane
defaults for 'auth order'.  

However, there is a problem on the nmbd side of things.  Normally I
simply don't care about nmbd, but nmbd is blocking my changes....

The problem is that without looking at 'security =' nmbd is unable to
correctly list itself as an NT PDC/BDC/Domain member/standalone.  As
such I proposed to tell nmbd directly (server role =), and (as a further
addition, not actually required) to force the value of two existing
paramaters 'domain logons =' and 'domain master =' to their only
possible values in this situation.

The chart (showing how we get server role at present) is as follows:

  Domain Master    Domain Logons      Security
      Y                  Y             USER     = PDC
      N                  N             DOMAIN   = BDC
      N                  N             SERVER   = BDC
      N                  N             DOMAIN   = DOMAIN MEM
      N                  N             USER     = STANDALONE
      *                  *             SHARE    = STANDALONE

Not in particular that it is quite possible to construct a BDC without
using secuirty=server/domain, but we can't advertise this with the
current crippled arrangement.

I hope this makes the dependency on security= clearer, and therefore why
we need 'server role' to specify this explicitly.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list