[PATCH] ADS "demote" fix

Antti Andreimann Antti.Andreimann at mail.ee
Sun Jul 20 13:47:04 GMT 2003

Andrew Bartlett wrote:

> This is *completely* the wrong solution.  It will only cause problems -
> the smbserver authentication is not suitable for use in this situation.
> See the documentation on 'security=server'.

I know it's a hack, but it was the only protocol I did get to actually work
to authenticate non-kerberos users against AD.
Yes, you have to set password server = <AD-s NETBIOS NAME> in smb.conf.
The alternative would have been to remove the winbind:ntdomain and rely only
on Kerberos tickets, kicking all Win9x boxes in the butt (well, on second
thought, it might not be such a bad idea anyway ;).

W2k is using something completely different in this situation that is not
supported by anything that exists in auth/auth_*. I'm not that proficient in
reading SMB authentication dumps to correctly identify it; however, I still
should have this dump somewhere, so I'll do some digging and I will post it
here when I find it.

           Antti Andreimann
      Using Linux since 1993
  Member of ELUG since 29.01.2000
