blurb from release notes for 3.0.23b

Gerald (Jerry) Carter jerry at
Mon Aug 7 16:43:49 GMT 2006

Hash: SHA1

Is this clear enough for everyone?


Member servers, domain accounts, and smb.conf

Since Samba 3.0.8, it has been recommended that all domain
accounts listed in smb.conf on a member server be fully
qualified with the domain name.  This is now a requirement.
All unqualified names are assumed to be local to the Unix
host, either as part of the server's local passdb or in
the local system list of accounts (e.g. /etc/passwd or

The reason for this change is that smbd has transitioned
from access checks based on string comparisons to token
based authorization.  All names are resolved to a SID and
they verified against the logged on user's NT user token.
Local names will resolve to a local SID, while qualified
domain names will resolve to the appropriate domain SID.

If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and
their tokens will be modified appropriately to reflect the
local SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

	path = /data
	valid users = +"DOMAIN\Linux Admins" +srvadmin

Note that to restrict the [homes] share on a member server, it
is necessary to prefix the %S valid to "valid users".

	security = {domain,ads}
	workgroup = DOM
	winbind separator = +
	valid users = DOM+%S
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla -


More information about the samba-technical mailing list