[Samba] FW: Samba authentication against a windows 2000 domain.

Pentland G. G.Pentland at soton.ac.uk
Thu Jan 30 10:31:21 GMT 2003


Hi all,

I've got an authentication issue with SAMBA as a member server in a Win
2000 domain.  Basically I need to authenticate users against the domain.
Unfortunately my clients are not all domain members so they send
<something>\username not <domainname>\<username>.  I need to get samba
to replace whatever with the domainname or to get the clients to send
the right domainname.

please read on...

My setup: servers:

Database mechanism for synchronising NIS AD and NDS passwords - working
Windows 2000 AD - working
NDS tree - working
Mixed UNIX setup - working using NIS as authentication mechanism
Samba on IRIX, Server is NIS client

ONLY sharing [homes]

My setup: clients:

Mixed clients including...

Win 95 standalone and Novell clients
Win 98 standalone and Novell clients
Win 2000 and win XP, both AD members and standalone
Misc Linux, Macs etc., but they are of lower priority.


Requirements:

Support encrypted logins to Samba.

Previous plain text version using NIS on server is working.

What I have tried...

basically security = domain

smbpasswd -j domainname...

joined OK


Now the detailed question...

Domain members (2000 and XP) can authenticate OK, non domain members
can't.

If on a non-domain member you enter "domainname\username" and your
password you CAN authenticate and get your home directory; unfortunately
this is not desirable as some users will struggle to get used to this.

On Win 9x machines, when you access network shares you cannot specify
domainname\username... i.e. start->run \\server\<username>, you only get a
password box; entering a valid password always results in logon failure.


Is there a way on the server side (SAMBA) to specify that all usernames
get authenticated as <specifieddomainname>\<suppliedusername>?

*ALL* users, with only a couple of exceptions (the ones that no-one
should ever log on as), exist in all of the UNIX (NIS) world, Windows AD
and the NDS tree.  For this reason I don't think winbindd will be any
help... real users that exist on both platforms need to map to
\\server\<username> and get their real homedir from the UNIX fileserver.

I understand that the default for win 9x is to send the workgroup name
i.e. <workgroup>\<username>

There are reasons why I cannot change the workgroup name of these
machines.

Windows 2000 / XP seem to send <netbiosmachinename>\<username> when they
are not domain members; when domain members they send
<domainname>\<username> and this is the working case.


Any help/suggestions would be very much appreciated.

Thanks,

Gary


