Patch: convenience feature for non-domain clients

Jon. Hallett jjh at
Thu Oct 10 10:44:01 GMT 2002

At 14:13 09/10/2002 -0500, Gerald Carter wrote:

>Just to throw my hat in the ring here, i'm not sure i like this for the
>reason that if a user sends DOMAIN\user i think we should assume that's
>what they really meant.  Interesting though, if I run
>         net use * \\server\jerry /user:jerry
>from a WinXP home box, i though the domain used was the local
>machine.  So it seems like this patch is unnecessary in user mode.
>Is that true?  Is it only applicable in domain mode?

That's right, the patch is only useful in domain mode.  When the Samba 
server hands off a MACHINE\user to the domain controller for 
authentication, the domain controller will reject the user for not being in 
the domain.  That won't happen in user mode -- Samba appears to just ignore 
the domain presented by the client.

>So a user say i am MACHINE\user and we try to authenticate then
>as DOMAIN\user against the PDC whcih could be someone they didn't
>mean?  It just seems like too many people behind the curtain.

It isn't a particularly elegant feature, that's for sure, but it is really 

As you point out above, when in user mode Samba essentially ignores 
domains.  At our site, we ran Samba in user mode for several years, but 
then for all the usual reasons we converted to domain mode (via server 
mode, which we found too unreliable).

What we wanted from Samba in domain mode was the same user-mode-style 
domain-free behaviour but with the authentication coming from our domain 

What we got was correct domain-style authentication.  We didn't fancy 
breaking everyone's shares (that'd be ~500 people to apologise to and the 
same number of clients to fix) so we went for a convenience feature to tide 
us over until we are in a position to do things properly.

>I would voite better user education (lot of good that will do me).

:-)  One disadvantage of working at a University is that everybody thinks 
they are quite well educated enough already...


More information about the samba-technical mailing list