security = server not working properly (PR#2786)

[Michael Simmons]

At 05:29 AM 1/1/98 +1100, Andrew Tridgell wrote:
>Date: Wed, 31 Dec 1997 17:48:33 +1100
>From: Andrew Tridgell <samba-bugs at samba.anu.edu.au>
>To: ran at adc.com
>Subject: Re: security = server not working properly (PR#2786)
[stuff deleted]
>The password server behaviour changed because we discovered that bugs
>in some NT servers allowed anyone to login with no password if they
>chose an account name that did not exist on the password server. The 
>NT password server was saying "yes, it's OK to login" even when the 
>account didn't exist at all! Adding the NetWkstaUserLogon call fixed 
>the problem, and follows the "recommended" method that MS have 
>recently documented for pass through authentication.

In my experience it maps the user to "nobody"
On all our shares we have
invalid users = root nobody

>The problem now is that some NT servers (in particular NT
>workstation?) don't support the NetWkstaUserLogon call. The call also
>doesn't work for accounts in trust relationships.

We have two domains Staff and students. The students domain
trusts the staff domain. We need this trust to work so that
staff can access samba shares on student samba servers.

>The eventual solution for this will be to replace the password server
>code in Samba with NT domain code as that is developed. For now you 
>have the choice of compiling Samba either with or without the 
>NetWkstaUserLogon call in the password server code.

You will continue to allow NT PDC's won't you ?.......

michael at ecel.uwa.edu.au