smbd/reply.c 2.2.8a test local workgroup patch

Matthew Moffitt moffitt.10 at
Fri Jun 20 20:54:50 GMT 2003

At 04:53 PM 6/20/2003, Matthew Moffitt wrote:
>At 04:21 PM 6/20/2003, Richard Sharpe wrote:
>>On Fri, 20 Jun 2003, Matthew Moffitt wrote:
>>> >Ummm, what does this give you that having the user specify the domain they 
>>> >want to log onto and trusted domains doesnt.
>>> >
>>> >It is also a security problem, ISTM.
>>> The point of the patch is that users don't have to specify the domain 
>>> so the server will authenticate them to the domain it represents as it 
>>> does in security=server mode.  This was a hangup for us, having to 
>>> educate users about the domain, that kept us from switching to 
>>> security=domain authentication earlier.
>>Surely that means that you must have authentication information for all 
>>users in two places: The domain they are in and the domain your Samba 
>>server is in.
>>If so, what about the headache of keeping the passwords sync'd?
>Not so, the samba servewr is in the same domain as the users.  The problem is with people coming in from elsewhere (home, remote offices, external departments, etc).  In this case their computers are not in our domain, maybe not in any domain.
>Simply put, when somebody is connecting to a server in MYDOMAIN I want it to look for their account in MYDOMAIN, not their home PC's workgroup.
>>> Moreover we like the process to be as transparent as possible rather 
>>> than teaching users about the (IMHO silly) windows 'domain' concept.
>>Well, the question is, how hard is it to teach the users versus what seems 
>>to be the extra admin you will have to do.
>>> I'm not sure what security problem you see but I'm certainly interested 
>>> to know why you think this is the case.
>>Because DOM1\fred is a different user from DOM2\fred, but you have made 
>>them the same.
>Aha, but I only care about one domain and know ahead of time that this issue is never going to come up.  If someone from DOM2 needs to get to resources in MYDOMAIN I would provide an account.  If I want the headache of trust relationships the patch wouldn't break this, however.  It tests for DOM2\username first then checks against MYDOMAIN\username.

I should also have pointed out that this is the way Windows handles this situation as well.  I certainly don't think it's a flawless design but this seems to be a reasonable way to do it so we don't have to teach users about 'domains'.



More information about the samba-technical mailing list