domain security

Marc Jacobsen Marc_Jacobsen at hp.com
Tue Jun 1 17:08:19 GMT 1999 

Hello,

I have SAMBA 2.0.4 up and running on HP-UX 11 with "security = domain".  The
workgroup, password server, password encryption, etc. are all set up correctly
and it works great, if the client is part of the same domain.  I am using an NT
4.0 Workstation with SP4 as my client, and an NT 4.0 Server is my PDC (also the
"password server" on the SAMBA system of course).

As I mentioned, if the workstation is part of the same domain, everything works
great.  However if the domain on the workstation is set to be the workstation
itself (stand alone) or if the workstation is part of a different domain, then
things aren't so great.  I can map a share from the PDC by specifying a username
and password from SAMBA server's/PDC's domain.  If I try to map a share from the
SAMBA server and specify the same username and password it doesn't work (unknown
username or bad password error).  In looking at the debug trace I can see that
the domain that the workstation is in gets passed to the SAMBA server, and this
domain gets sent to the PDC when SAMBA forwards the authentication request to
it.  Apparently when this domain isn't the domain of the SAMBA server and the
PDC, the authentication fails.

Since it works when the client directly authenticates to the PDC, I can only
assume that the client sends a different SMB to authenticate and the NT Server
knows enough to ignore the domain or to try it's own domain in that case, or the
client behaves differently and doesn't specify it's own domain.

I looked at the source for domain_client_validate() in smbd/password.c and it
looks like a fix should be fairly simple.  The question I have is this, should
the logic be:

A)  Behave exactly like it does now, except if the authentication fails with
a bad username/bad password error _and_ the domain that the client system passed
in doesn't match the domain of the SAMBA server, then try the same
authentication request with the domain changed to be the SAMBA server's.

-or-

B)  Ignore the domain passed in from the client and only use the SAMBA server's
domain when forwarding the authentication request to the PDC (in the first
place, don't wait to see if it fails first).

Or, I could be completely off base and neither of these solutions would be
correct.  FYI, I coded up solution (B) and it seems to work.  Also, are there
any other places in the source where a similar change might need to be made? 
Any comments, opinions, or advice are welcome.

Thanks.

Marc Jacobsen

More information about the samba mailing list