Sun Jun 29 22:33:28 GMT 2003

On Sun, 29 Jun 2003, Volker Lendecke wrote:

> Some very brief notes wrt your trustdom patch: 
> Why do you want to join the local domain? 

I'm trying to remember right now.  Could have had to do with 

> If we do, then wbinfo -a SAMBA\\user%password where SAMBA is the local
> SAM domain locks up in the SAM logon request from winbind to smbd.

Doesn't lock for me.  Although (VALE is the Samba domain) running this on
the PDC:

  # wbinfo -a 'VALE\jerry%test'
  plaintext password authentication succeeded
  challenge/response password authentication failed
  error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
  Could not authenticate user VALE\jerry with challenge/response

I've tried this with and without 'winbind use default domain = yes'.
Maybe I need more details from you?

> With your patch (not joined the local domain) I get the local users as
> SAMBA\username in getent passwd.

Joined to the domain it works fine.  Only trusted users show up.

> On Sun, Jun 29, 2003 at 03:39:50AM +0000, jerry at wrote:
> >   * set 'auth method = guest sam winbind'
> I'd rather recommend 'auth methods = guest samstrict winbind'
> Otherwise you will get problems if you have a SAM user with the same
> name as a winbind-imported user.

OK.  I see what you mean.  So why do we have a separate 'sam' and
'samstrict' method?  We shouldn't be looking up users from other domains
in our own passdb anyways.  Trust relationships should be handled
by 'allow trust domains' and that should go through winbind.

Why can't we just make samstrict == sam and name them one module?

> Sorry for not really looking into it, it's Sunday and I'd like to go
> dancing :-)

Enjoy yourself. :-)

cheers, jerry

