[Samba] password server is not connected

David Bear David.Bear at asu.edu
Wed Jan 29 03:13:24 GMT 2003

Bringing the discussion back online -- thanks Jerry for the responses.
On Tue, Jan 28, 2003 at 10:56:24AM -0600, Gerald (Jerry) Carter wrote:
> On Mon, 27 Jan 2003, David Bear wrote:
> > thanks for the reply.  I was not aware that I could use
> > password server = somewindowserver
> > with security = domain
> Yup.  In fact, in Samba 3.0 you can use 
> 	password server = DC1 DC2 *
> which will fail over to autolookups if DC1 and DC2 are unavailable.
> > I would like to be able to use domain security.  That buys me domain
> > functionality with machine trusts.  However, I DO NOT control the NT
> > domain that we authenticated users against.  So, my domain controller
> > would be in the position of 1) storing and authenticating MACHINE
> > accounts in its OWN smbpasswd file and 2) authentication users against a
> > different smb server (in this case a windows active directory) which I
> > do not control.
> You have a Samba PDC that is authenticating against a Windows NT PDC?
> No.  This would not be a good configuration.  Why do you need Samba as a 
> PDC in this case?
Actually this is a very valid scenario for us.  We have central IT
that provides AD and kerberos authentication services.  However, they
do not create administrative principals/identities for us.  They only
create user accounts.  (And they manage all the links for password
updates.)  This leaves us with a very powerful service but powerless.

Now I could bring up a Windows AD and become an OU in the grand
unified Microsoft directory.  But that has side effects that I don't
want -- i.e. I don't want to rely on Microsoft for something as
important as directory service.

What I prefer is to use CENTRAL account management services for
authenticating the unwashed masses.  Then I want to create my own set
of administrative principals that are authenticated against my own
authentication servers (smbpasswd is fine now, but LDAP/kerberos is
what I think the future holds).

Then, we create our own domain controllers to manage user profiles --
and handle our OWN administrative identities (ergo we retain complete
control of administrative accounts rather than relegate them to AD and
have the possibility of an AD hack stealing admin accounts).

This would be similar to an old style trust relationship between NT
domains.  For large organizations even mickeysoft recommended having
resource domains and user account domains.  If SAMBA could implement
this, then the trust would be a 'limited' trust -- very enticing?
That trust of course limited to just authenticating users (and those
users' privileges would further be controlled through our own group
schema) and then not all users.

Some may think this a strange request, but in a large university like
ours, there is such decentralization that it makes sense.

To recap, what I want is something like

security = domain
password server = somesmbserver

- without having to join the samba box to the domain
- retain machine trust accounts on my samba box as well as additional
  administrative identities that could be used to manage machines in my
- be able to have additional samba servers join my domain as member
  servers and use a transitive relationship to authenticate users against
  my samba server which then authenticates to microsoft AD.

My guess is this shouldn't be too hard to implement.  I'm no C
programmer though -- and this is way out of my league.

David Bear
College of Public Programs/ASU
Mail Code 0803