Multiple password servers/domains (PR#7273)

Jeremy Allison jallison at whistle.com
Thu May 21 22:04:17 GMT 1998


Paul.Johnston at gwl.com wrote:
> 
>   I've just installed the new version 1.9.18p7 on a Solaris 2.6 box.  We
> have multiple domains in our organization with trust relationships
> (Domain authentication is handled by Windows NT servers).  I would like
> to be able to have multiple servers listed as password servers.  If the
> server authentication fails on the first server, it would try the next.
> With this, I could have many different domain users attach to the samba
> shares.  This would also allow failover in case my primary password
> server is down.
> 
> I'm looking for something like this (is it possible..maybe another
> way?):
> ----begin smb.conf----
> security = server
> password server = ntserver1 ntserver2
> ----end smb.conf----
> 

Paul,

	Hope you don't mind but I'm CC:ing this reply
to the general Samba list as many others may find this
information useful.

Unfortunately this is not possible using pass-through authentication
due to an error (no other word for it really) in the SMB protocol.

The challenge given by the server is sent at initial connect
time (when the machine name is first contacted), not at user
logon time.

This means that once you have sent an initial challenge to a
client from one password server, it is not then possible
to switch to another password server when the user logs on.

>   I have been able to allow multiple server authentication in different
> domains, but running different configurations based on what the machine
> is called when attempting to mount (unfortunately, this is confusing to
> the end users).  In the example below, I use password server ntserver1
> if mounting \\unix1\myshare.  To use password server ntserver2, you
> would mount \\unix2\myshare.  I'm pretty sure that the workgroups are
> not needed for this to work.
> 

With the current version of Samba this is the only
way you can do what you want. With the next release
of Samba (1.9.19) Samba will be able to do user authentication
in *exactly* the same way as an NT server in a domain would,
(the Samba server will be a member of the NT domain) in that
it will forward the logon requests using the NT domain 
protocols to the PDC, which will then use trust accounts
to send these requests to the correct domain PDC.

This code is working already (there are people using it)
but the whole Samba package in that CVS tree is currently
pre-alpha code. Join the Samba ntdomains mailing list
for more info.

Hope this helps,

	Jeremy Allison.
	Samba Team.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
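
The challenge binding described in this reply, modelled as an added example (not part of the original message and not Samba code). HMAC-SHA256 stands in for the real LM/NTLM response calculation, and the class names, function names and accounts are constructed for illustration; only `ntserver1` and `ntserver2` come from the thread.

```python
import hashlib
import hmac
import os


def client_response(password, challenge):
    # Stand-in (assumption) for the LM/NTLM response: a keyed function of
    # the password and the 8-byte challenge received at connect time.
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class PasswordServer:
    """Toy model of an NT password server (hypothetical, for illustration)."""

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = accounts   # constructed sample data: user -> password
        self.challenges = {}       # connection id -> challenge it issued

    def negotiate(self, conn_id):
        # The challenge is created when the connection is negotiated,
        # before any user name has been presented.
        self.challenges[conn_id] = os.urandom(8)
        return self.challenges[conn_id]

    def session_setup(self, conn_id, user, response):
        challenge = self.challenges.get(conn_id)
        password = self.accounts.get(user)
        if challenge is None or password is None:
            return False
        expected = client_response(password, challenge)
        return hmac.compare_digest(response, expected)


def pass_through_logon(servers, user, password):
    """Relay the first server's challenge, then try the logon on every server."""
    conn_id = "client-1"
    relayed = servers[0].negotiate(conn_id)   # this is what the client sees
    for other in servers[1:]:
        other.negotiate(conn_id)              # each server picks its own challenge
    response = client_response(password, relayed)   # computed at logon time
    return {s.name: s.session_setup(conn_id, user, response) for s in servers}


if __name__ == "__main__":
    nt1 = PasswordServer("ntserver1", {"alice": "pw-a"})
    nt2 = PasswordServer("ntserver2", {"alice": "pw-a", "bob": "pw-b"})
    print(pass_through_logon([nt1, nt2], "alice", "pw-a"))
    print(pass_through_logon([nt1, nt2], "bob", "pw-b"))
```

Even with a correct password, the second server rejects the logon because the client's response was computed over the first server's challenge.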

