how flexible is domain authentication?

Andrew Bartlett abartlet at samba.org
Sun Oct 26 04:38:25 GMT 2003


On Sun, 2003-10-26 at 15:05, Brandon Craig Rhodes wrote:

> Does the domain authentication protocol allow any more flexible
> alternatives?  Here our expertise reaches its end and we must solicit
> any help that readers of this mailing list might be able to provide.
> Are any of the following approaches possible, or do all break up on
> the sharp rocks of authentication protocol inflexibility:
> 
>    - Could an interdomain trust relationship allow the client sambas
>    to verify user passwords in CAMPUS_AUTH, and then give them
>    CLUSTER1 resources once they are authenticated?

Yes.  Samba will verify the password against whatever domain the client
chose to provide.  If the client is a machine in CAMPUS_AUTH, then this
should 'just work'.

>    - Could the password server be convinced to check passwords against
>    other domains besides the one given in its "workgroup =" parameter,
>    authenticating users in whatever domain the client samba happened
>    to need its users in?

Samba 3.0 will always ask its DC for all non-local users.  That DC will
use the domain portion of the username to decide where to send the
request.

>    - Could the client sambas be modified to check their users against
>    the CAMPUS_AUTH domain, then let them access resources in CLUSTER1?

If the clients use a domain that is not CLUSTER1 and not any of its
trusted domains, then it will use the local domain to authenticate the
user.  We could add flexibility, such that the default domain is chosen
to be something else.

> I suppose it is clear that we do not quite understand why each samba
> server has only one "workgroup =" parameter.  Why, for instance, can
> individual shares not be given their own "workgroup = " settings?
> Does this all boil down to inflexibility in the underlying protocols?

The workgroup that a samba server is in is a global property, as it
represents its position in the netbios world, and a pointer to its
authentication database.  Authentication (in user level security)
occurs once per session, not once per share.

> Thanks for *any* help that you can provide, and we are rather grateful
> that samba exists at all, :-)

I am looking at *useful* ways to make the authentication scheme more
flexible, however you should also consider if you have made your site
more complex than it really needs to be ;-)

I hope this is of some assistance,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
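The routing Andrew describes above (a member server with one global workgroup, a DC that dispatches on the domain portion of the name, an interdomain trust, fallback to the local domain for unknown domains, and one authentication per session rather than per share), as an added illustrative model. This is not Samba code: DomainController, MemberServer, Session, the account tables and the trust set are all constructed for the example.

```python
"""Illustrative model of Samba 3.0 member-server authentication routing.
Not Samba source: every class and name here is invented for the example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class DomainController:
    """One DC per domain: its account database and the domains it trusts."""
    domain: str
    accounts: Dict[str, str]   # user -> password (constructed sample data)
    trusted: Set[str]          # one-way: this DC will forward to these domains

    def check(self, domain: str, user: str, password: str,
              controllers: Dict[str, "DomainController"]) -> bool:
        # The DC uses the domain portion of the name to decide where to send it.
        if domain == self.domain:
            return self.accounts.get(user) == password
        if domain in self.trusted and domain in controllers:
            # Pass the request over the interdomain trust to that domain's DC.
            return controllers[domain].check(domain, user, password, controllers)
        return False   # no trust in this direction: refuse


@dataclass
class Session:
    """Result of one session setup; tree connects hang off it."""
    domain: str
    user: str
    shares: list = field(default_factory=list)


class MemberServer:
    """A Samba member server: one global 'workgroup =', a local passdb, one DC."""

    def __init__(self, workgroup: str, local_accounts: Dict[str, str],
                 controllers: Dict[str, DomainController]):
        self.workgroup = workgroup.upper()
        self.local_accounts = local_accounts
        self.controllers = controllers
        self.dc = controllers[self.workgroup]

    def split_name(self, username: str):
        """'DOMAIN\\user' -> (DOMAIN, user); a bare name belongs to the workgroup."""
        if "\\" in username:
            domain, user = username.split("\\", 1)
        else:
            domain, user = self.workgroup, username
        domain = domain.upper()
        # A domain that is neither ours nor trusted falls back to the local domain.
        if domain != self.workgroup and domain not in self.dc.trusted:
            domain = self.workgroup
        return domain, user

    def authenticate(self, username: str, password: str) -> Optional[Session]:
        domain, user = self.split_name(username)
        if domain == self.workgroup and user in self.local_accounts:
            ok = self.local_accounts[user] == password   # local passdb user
        else:
            ok = self.dc.check(domain, user, password, self.controllers)
        return Session(domain, user) if ok else None

    def connect_share(self, session: Session, share: str) -> bool:
        # Authentication happened once at session setup; a tree connect only
        # records the share and never re-verifies the password.
        session.shares.append(share)
        return True


def build_example() -> MemberServer:
    """Constructed sample site: CLUSTER1 trusts CAMPUS_AUTH, not the reverse."""
    controllers = {
        "CLUSTER1": DomainController("CLUSTER1", {"alice": "a-pw"}, {"CAMPUS_AUTH"}),
        "CAMPUS_AUTH": DomainController("CAMPUS_AUTH", {"bob": "b-pw"}, set()),
    }
    return MemberServer("CLUSTER1", {"localadm": "l-pw"}, controllers)


if __name__ == "__main__":
    srv = build_example()
    for name, pw in [("alice", "a-pw"), ("CAMPUS_AUTH\\bob", "b-pw"),
                     ("OTHERDOM\\bob", "b-pw"), ("localadm", "l-pw")]:
        print(name, "->", srv.authenticate(name, pw))
```

The interesting case is `OTHERDOM\bob`: the unknown domain is rewritten to CLUSTER1, so the request goes to the CLUSTER1 DC, which has no such account, and the logon fails even though the same password would have succeeded as `CAMPUS_AUTH\bob`. The trust is also modelled one-way, so a CLUSTER1 name presented to the CAMPUS_AUTH DC is refused.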