smbd/reply.c 2.2.8a test local workgroup patch

Richard Sharpe rsharpe at richardsharpe.com
Fri Jun 20 20:21:29 GMT 2003


On Fri, 20 Jun 2003, Matthew Moffitt wrote:

> >Ummm, what does this give you that having the user specify the domain they 
> >want to log onto and trusted domains doesnt.
> >
> >It is also a security problem, ISTM.
> 
> The point of the patch is that users don't have to specify the domain 
> so the server will authenticate them to the domain it represents as it 
> does in security=server mode.  This was a hangup for us, having to 
> educate users about the domain, that kept us from switching to 
> security=domain authentication earlier.

Surely that means that you must have authentication information for all 
users in two places: The domain they are in and the domain your Samba 
server is in.

If so, what about the headache of keeping the passwords sync'd?

> Moreover we like the process to be as transparent as possible rather 
> than teaching users about the (IMHO silly) windows 'domain' concept.

Well, the question is, how hard is it to teach the users versus what seems 
to be the extra admin you will have to do.

> I'm not sure what security problem you see but I'm certainly interested 
> to know why you think this is the case.

Because DOM1\fred is a different user from DOM2\fred, but you have made 
them the same.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




More information about the samba-technical mailing list