how flexible is domain authentication?

Brandon Craig Rhodes brandon at
Sun Oct 26 04:05:17 GMT 2003

Consider that runs samba-3 to provide a Windows
cluster with logins, home directories, and printers, and that uses a
central campus password server also running samba-3:

   workgroup = CLUSTER1
   security = server
   password server =

   workgroup = CAMPUS_AUTH
   security = user

But "security = server" is unstable and often breaks, so we want to
move to a domain security relationship between the samba servers:

   workgroup = CLUSTER1
   security = domain
   password server =

   workgroup = CLUSTER1
   security = user
   domain logins = yes

which works fine once samba1 has been given a machine account on
campusauth and has then run "net rpc join".

Our problem:

This requires "campusauth" and "samba1" to have the same domain; but
campusauth must check passwords for samba servers all across campus,
which are in dozens of different (and locally-administered) domains.
Since "campusauth" can only be in one domain, we have several options:

   - (Our least favorite, but the only one we know to be possible:)
   Run dozens of samba servers on "campusauth" on different IP
   addresses or ports, each with a different domain, and point each
   client samba at the IP or port that uses the same domain.  This
   would be easier if we could override the port which samba uses to
   connect to its password server, but this seems to be hard-wired.

Does the domain authentication protocol allow any more flexible
alternatives?  Here our expertise reaches its end and we must solicit
any help that readers of this mailing list might be able to provide.
Are any of the following approaches possible, or do all break up on
the sharp rocks of authentication protocol inflexibility:

   - Could an interdomain trust relationship allow the client sambas
   to verify user passwords in CAMPUS_AUTH, and then give them
   CLUSTER1 resources once they are authenticated?

   - Could the password server be convinced to check passwords against
   other domains besides the one given in its "workgroup =" parameter,
   authenticating users in whatever domain the client samba happened
   to need its users in?

   - Could the client sambas be modified to check their users against
   the CAMPUS_AUTH domain, then let them access resources in CLUSTER1?

I suppose it is clear that we do not quite understand why each samba
server has only one "workgroup =" parameter.  Why, for instance, can
individual shares not be given their own "workgroup = " settings?
Does this all boil down to inflexibility in the underlying protocols?

Thanks for *any* help that you can provide, and we are rather grateful
that samba exists at all, :-)
Brandon Craig Rhodes               
Georgia Tech                                            brandon at

More information about the samba-technical mailing list