[Samba] query on security = server, domain

John H Terpstra jht at samba.org
Tue Feb 4 17:18:32 GMT 2003


On Tue, 4 Feb 2003, akshaysalkar wrote:

> if Win NT is acting as a PDC, and Samba is added in the network, then when would it be required to put
> security = server
> when
> security = domain
> already exists.
> in other words why have security = server
> when security = domain can be put.

Please note:

"security = server" means:

The samba server is NOT a domain controller. The samba server is NOT a
member of the domain it is going to authenticate against. The samba server
will NOT provide domain logon services.

It also means that the samba server has to use a nasty method to work
around bugs that are present in some versions of MS Windows NT servers.
This method is necessary to prevent a potential security breach that could
otherwise give unauthorized root access on a samba share.


"security = domain" means:

The samba server is a MEMBER of a domain. It does NOT mean that samba is a
domain controller - it is NOT a domain controller if set this way. Samba
therefore does NOT perform domain logons for users.

This configuration does NOT require the nasty bug work-around that the
"security = server" option needs.

This mode DOES require that the samba machine has an account on the MS
Windows NT/2K security domain (either NT4 style or ADS).

With the Samba-2.2.x series, your Windows 2000 ADS server needs to run in
"Mixed" or "Hybrid" mode; otherwise Samba cannot join the ADS security
domain.

With Samba-3.0.0alpha releases samba can join a "Native" mode ADS domain.



I hope this helps.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
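
The two modes compared above, as smb.conf [global] fragments for a Samba 2.2.x server. This is an added example, not part of the original message; MYDOM, NTPDC and NTBDC are placeholder names for the NT domain and its controllers.

```ini
# Constructed example. MYDOM, NTPDC and NTBDC are placeholders.

# --- Option A: security = server ---------------------------------------
# Samba is NOT a member of MYDOM. It passes each logon through to the
# listed NT server as an ordinary SMB client, and needs no machine account.
#
# [global]
#    workgroup = MYDOM
#    security = server
#    password server = NTPDC
#    encrypt passwords = yes

# --- Option B: security = domain ---------------------------------------
# Samba is a MEMBER of MYDOM and authenticates users against the domain
# controllers using its own machine account. It is still not a domain
# controller and does not provide domain logon services.
[global]
   workgroup = MYDOM
   security = domain
   password server = NTPDC NTBDC
   encrypt passwords = yes

# Option B only works after the Samba host has joined the domain.
# On Samba 2.2.x the join is done once, as root, with smbd stopped:
#
#    smbpasswd -j MYDOM -r NTPDC
#
# Run "testparm" afterwards to confirm which "security" value is in effect.
```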