Making a big push on the end of --set-auth-user

Andrew Bartlett abartlet at
Wed May 19 01:25:12 GMT 2004


I've been thinking about your comments on the samba list, that we really
don't need '--set-auth-user' in all but the most exceptional networks
these days.

I think we should really make a big push on this, in the release notes
and in the documentation.  Possibly even in the default output of
'wbinfo --set-auth-user'.  

It also seems a common mistake to put the root, or administrator
password into this facility.

For those who missed it, the recent work to always use schannel when
talking to our DC means that we are not bitten by 'RestrictAnonymous=1',
the level compatible with NT4 member servers.  On domains that are set
to 'RestrictAnonymous=2' (which is only supported by Win2k and above),
we use security=ads, and since the 3.0 release have used kerberos and
the machine account to perform the initial login.

I think this means the only reason to use --set-auth-user is in complex
NT4 trust situations or if Kerberos is unavailable on your platform.

Does this sound correct?

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list