Sidebar to: losing connections to password server

David Collier-Brown -- Customer Engineering David.Collier-Brown at
Mon Jun 23 15:04:54 GMT 2003

   Predominantly they are running security = user, and
authenticating against the Unix passwords. The passwords
are actually in nis, yp and/or ldap, but Samba can't
tell and doesn't care (it's set in /etc/nsswitch.conf).

   Secondarily several machines, (including mine at
various times (:-)) use security = server and name
the master server in the geographical area. They
**really** don't care what is used: they just ask
the local master.

[ Thus is classic Unix/Multics behavior, as opposed
to Windows/OS360 behavior: even servers don't care
how and where authentication is done, they only care
that it **is** done. Consider it a quality-of-implementation
advantage for Unix, Linux and Samba.]

   None of the servers have failed except during general
power outages, which took down the client machines anyway,
so no-one noticed (;-))
   Typical uptimes for these machines are huge.


Steve Langasek wrote:
> On Thu, Jun 19, 2003 at 02:46:08PM -0400, David Collier-Brown -- Customer Engineering wrote:
>>On Thu, Jun 19, 2003 at 08:53:17AM -0700, David Bear wrote:
>>>>"security = server" may be a nasty hack, but it is an important
>>>>'feature' in an organization like my university.  We have centrally
>>>>managed services which include user accounts.  This hack lets me add
>>>>users to samba services without having to manage accounts.
>>Steve Langasek wrote:
>>>So does "security = domain"; except that "security = domain" works,
>>>using the same protocols that Microsoft supports for their own
>>>authentication systems.
>>>The "security = server" hack is /inherently/ flaky, and has /inherently/
>>>limited security.  Fixing these inherent flaws has been done: that's
>>>what domain security is.
>>	Alas, security = domain only works if I'm running an
>>	NT domain, while security = server works with an
>>	authentication server which is using the underlying
>>	Unix authentication system.
>>	Do the limitations and errors of security = server
>>	generally affect or not affect servers using Unix
>>	authentication?  We've not encountered (or perhaps
>>	not noticed (;-)) them in Sun, and we run a worldwide
>>	SMB service, managed out of Australia.
> So you're using 'security = server' with 'encrypted passwords = no'?
> Hmm, I've never seen a configuration like that before...  Maybe it's
> more resilient because your network and/or SMB servers are more
> reliable? :)

David Collier-Brown,           | Always do right. This will gratify
Sun Microsystems DCMO          | some people and astonish the rest.
Toronto, Ontario               |
(905) 415-2849 or x52849       | davecb at

More information about the samba-technical mailing list