[Samba] 'Security' parameter puzzle

Vicky Clarke vclarke at frontier.co.uk
Fri Aug 2 08:59:07 GMT 2002

 From the manpage for smb.conf:

                 You may list  several  password  servers  in  the
                 password  server  parameter,  however  if an smbd
                 makes a connection to a password server, and then
                 the  password server fails, no more users will be
                 able to be authenticated from this smbd. This  is
                 a  restriction  of  the SMB/CIFS protocol when in
                 security = server mode and  cannot  be  fixed  in

Does this also apply to security=domain ? Might it wind up applying to an 
smbd that began life as security=domain, after domain authentication failed 
and some series of fallback options was used?

I've been having a lot of trouble recently with access to our samba shares 
vanishing for no readily apparent reason, and being in general 
inconsistent. There's a 'net use' command in our NT login script which 
should map the Samba share as drive O:, but it doesn't seem to work the 
same way for everyone. Some users have no trouble, some users see a 
password prompt (which usually rejects their Windows password - this 
shouldn't be the case since we have security=domain and password 
server=PDC, and they have already successfully been authenticated by the 
PDC if the login script runs), still others just get a 'network path not 
found' message.

Now, the PDC (there are no BDCs) got hit by the storms the other day and 
spent a day rebooting almost constantly. From the above manpage segment it 
seems not impossible that Samba may have lost the ability to authenticate 
from it when it went down and fallen back to a different method of 
authentication; this would explain why I can still access the shares (I 
have a Unix account on the samba server) and why other people were seeing 
password prompts which were then rejected (though if I have 'add user 
script' working right most of them should have Unix accounts by now).

Can anyone tell me if this is all complete pie in the sky or whether I 
might be on to something? What's the best way I can trace through a login 
to the samba server, and what exactly is the fallback sequence for 
authentication when security=domain is set?

Many thanks,

Vicky Clarke

from my smb.conf:

         security = domain
         password server =
         add user script = /usr/sbin/useradd %u
         delete user script = /usr/sbin/userdel %u
         unix password sync = yes
         passwd program = /usr/bin/passwd %u
         passwd chat = "New password:*" %n\n "Re-enter new password:*" %n\n 
"Password changed*"

More information about the samba mailing list