Patch: convenience feature for non-domain clients
jjh at ecs.soton.ac.uk
Thu Oct 10 10:44:01 GMT 2002
At 14:13 09/10/2002 -0500, Gerald Carter wrote:
>Just to throw my hat in the ring here, i'm not sure i like this for the
>reason that if a user sends DOMAIN\user i think we should assume that's
>what they really meant. Interesting though, if I run
> net use * \\server\jerry /user:jerry
>from a WinXP home box, i though the domain used was the local
>machine. So it seems like this patch is unnecessary in user mode.
>Is that true? Is it only applicable in domain mode?
That's right, the patch is only useful in domain mode. When the Samba
server hands off a MACHINE\user to the domain controller for
authentication, the domain controller will reject the user for not being in
the domain. That won't happen in user mode -- Samba appears to just ignore
the domain presented by the client.
>So a user say i am MACHINE\user and we try to authenticate then
>as DOMAIN\user against the PDC whcih could be someone they didn't
>mean? It just seems like too many people behind the curtain.
It isn't a particularly elegant feature, that's for sure, but it is really
As you point out above, when in user mode Samba essentially ignores
domains. At our site, we ran Samba in user mode for several years, but
then for all the usual reasons we converted to domain mode (via server
mode, which we found too unreliable).
What we wanted from Samba in domain mode was the same user-mode-style
domain-free behaviour but with the authentication coming from our domain
What we got was correct domain-style authentication. We didn't fancy
breaking everyone's shares (that'd be ~500 people to apologise to and the
same number of clients to fix) so we went for a convenience feature to tide
us over until we are in a position to do things properly.
>I would voite better user education (lot of good that will do me).
:-) One disadvantage of working at a University is that everybody thinks
they are quite well educated enough already...
More information about the samba-technical