Patch: convenience feature for non-domain clients

Andrew Bartlett abartlet at samba.org
Wed Oct 9 21:22:00 GMT 2002


Gerald Carter wrote:
> 
> On Wed, 9 Oct 2002, Jon. Hallett wrote:
> 
> > The background to this is that our Samba servers use "security = domain"
> > authentication for user accounts, but not all our Windows clients are
> > members of the domain, with the result that the clients often want to map
> > shares using non-domain "clientname\user" style accounts.
> >
> > The patch implements an "ignore client domain" option which forces Samba to
> > use the server's own domain when authenticating users, ignoring the domain
> > part of the username provided by the client.
> 
> Just to throw my hat in the ring here, I'm not sure I like this for the
> reason that if a user sends DOMAIN\user I think we should assume that's
> what they really meant.  Interesting though, if I run
> 
>         net use * \\server\jerry /user:jerry
> 
> from a WinXP home box, I thought the domain used was the local
> machine.  So it seems like this patch is unnecessary in user mode.
> Is that true?  Is it only applicable in domain mode?
> 
> So a user says I am MACHINE\user and we try to authenticate them
> as DOMAIN\user against the PDC which could be someone they didn't
> mean?  It just seems like too many people behind the curtain.
> I would vote for better user education (lot of good that will do me).

In HEAD and 3.0 the auth subsystem uses the value of 'allow trusted
domains' to determine if it should change the client-supplied domain. 
If that smb.conf value is false, the domain is replaced with the local
domain.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net


