security = domain = headaches

Mike Brodbelt m.brodbelt at
Mon Jul 3 13:11:53 GMT 2000

Lev Lvovsky wrote:
> Hello,
> I'm new to the world of Samba, but am finding it pretty easy to configure
> with the ORA book in hand.  I am having a problem though.
> I'm trying to incorporate my Linux server onto an NT-controlled
> domain.  I'd like to have it so that I don't need to have the names of the
> users that are logging onto the linux box, as account-holders.  This is
> possible as I understand it.

Domain level security in Samba allows you to authenticate users against
an NT PDC. It doesn't free you from the requirement for those Users to
have Unix accounts on your Samba box. When you attempt to use a Samba
controlled resource, your NT username and password hash will be passed
to the PDC. The PDC will authenticate you (or not), and Samba will then
map your username to a Unix username, converting with the username map
file if necessary. The smbd child process will be set to your UID, so
all operations on the share will be carried out as the authenticated

> I don't know how to properly tell the PDC what shares are allowable on the
> linux box however.  There's a wizard for file sharing (is there any other
> place where I can access this functionality? I feel dirty using a wizard
> ;).  

The PDC deals with centralised authentication. It doesn't know about the
shares available on your other computers, nor does it need to. It's up
to you to add the shares to your smb.conf file (either manually or using
SWAT), and make sure that Samba is advertising those shares.

> Upon telling it that I want to allow sharing on a network computer,
> and finding the linux box, it gives me the error message: "the selected
> computer could not be found".

Hmmm. I'm not sure what you mean when you refer to this "wizard", but I
suspect you're referring to server manager's ability to add new shares
on other machines in the domain. It does this by issuing RPC calls to
the remote machine. Samba does not (yet) support server manager and user
manager RPC calls, so this will never work.

> Is this the method that I use to allow users/groups onto the system as
> determined by a PDC?  Below is my "global" portion of the smb.conf file:

It's up to you to configure access on your Samba server, by setting file
permissions, and share permissions in smb.conf. This behaviour is the
same as NT. The only difference is that you can administer the NT share
permissions using remote RPC aware tools, such as server manager. Samba
doesn't support this yet, so you can remotely administer it using
telnet, or SWAT.
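
Added example (not part of the original message and not Samba's own code): a simplified model of the step described above, where a user the PDC has already accepted is run through the username map and must still resolve to an existing Unix account. The map contents, account names and function names are constructed for illustration; `@group` and `*` entries are not handled.

```python
import shlex

# Constructed sample "username map" file: unixname = client names.
SAMPLE_MAP = '''\
# constructed sample, not from the original post
!root = administrator admin
!lev = "Lev Lvovsky" llvovsky
'''

# Constructed stand-in for the Unix account database on the Samba box.
UNIX_ACCOUNTS = {"root", "lev"}


def parse_username_map(text):
    """Return a list of (unix_name, [client_names], stop_on_match) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, clients = line.partition("=")
        if not sep:
            continue  # a line without '=' carries no mapping
        # shlex keeps quoted names containing spaces as one token
        rules.append((unix_name.strip(), shlex.split(clients), stop))
    return rules


def map_user(rules, nt_name):
    """Apply rules top to bottom; a '!' rule ends processing once it matches."""
    name = nt_name
    for unix_name, clients, stop in rules:
        # Assumption: names are compared case-insensitively.
        if any(c.lower() == name.lower() for c in clients):
            name = unix_name
            if stop:
                break
    return name


def check_access(rules, unix_accounts, nt_name):
    """Model what happens after the PDC has accepted the password."""
    unix_name = map_user(rules, nt_name)
    return unix_name, unix_name in unix_accounts
```

A domain user with no map entry and no matching Unix account comes back as `(name, False)`: the PDC accepted the password, but there is no UID for smbd to run as.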

