[Samba] QUESTION: security=ads vs. security=domain

Errol.Fouquet at mms.gov
Fri Oct 17 19:41:42 GMT 2003

Thanks a lot ... I had read Chapter 7 (Domain Membership) thoroughly and was
confused as to the difference.
I appreciate you pointing this out to me ... although I do admit that
"RTFM!!" would have been a fair response :-)

-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org] 
Sent: Friday, October 17, 2003 2:03 PM
To: Fouquet, Errol
Cc: samba at lists.samba.org
Subject: Re: [Samba] QUESTION: security=ads vs. security=domain

On Wed, 15 Oct 2003 Errol.Fouquet at mms.gov wrote:

> Can someone explain to me what "ADS" buys me over "Domain" for a 
> member server? We just started implementing Samba 3.0 and want to 
> understand what the new ADS security buys us.

Have you read the Samba-HOWTO-Collection.pdf that ships with Samba-3.0.x? It
might answer your question.


4.3.4 ADS Security Mode (User Level Security)

Both Samba-2.2 and Samba-3 can join an Active Directory domain. This is
possible if the domain is run in native mode. Active Directory in native
mode perfectly allows NT4-style Domain Members. This is contrary to popular
belief. Active Directory in native mode prohibits only the use of Backup
Domain Controllers running MS Windows NT4.

If you are using Active Directory, starting with Samba-3 you can join as a
native AD member. Why would you want to do that? Your security policy might
prohibit the use of NT-compatible authentication protocols. All your
machines are running Windows 2000 and above and all use Kerberos. In this
case Samba as an NT4-style domain would still require NT-compatible
authentication data. Samba in AD-member mode can accept Kerberos tickets.

- John T.
John H Terpstra
Email: jht at samba.org
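
The two member-server modes discussed in this thread, side by side as alternative smb.conf [global] fragments. This is an added example, not part of the original messages or the Samba HOWTO; the workgroup EXAMPLE and realm EXAMPLE.COM are placeholders.

```ini
# Constructed fragments. Use ONE of the two [global] variants, not both.
# EXAMPLE and EXAMPLE.COM are placeholder names, not values from the thread.

# --- Variant A: NT4-style domain member ---
[global]
    workgroup = EXAMPLE
    security = domain
    # Locate a domain controller automatically.
    password server = *
    # Samba validates users by passing NT-compatible authentication data
    # to the domain controller, so the domain must still permit those
    # protocols for this server to work.
# Join the domain with:  net rpc join -U Administrator

# --- Variant B: native Active Directory member (Samba 3.0 and later) ---
[global]
    workgroup = EXAMPLE
    # Kerberos realm of the AD domain, conventionally upper case.
    realm = EXAMPLE.COM
    security = ads
    # Samba holds a machine account in AD and can accept Kerberos
    # tickets from clients. Requires a Samba build with Kerberos and
    # LDAP support and a clock synchronised with the domain controllers.
# Join the domain with:  net ads join -U Administrator
# Check the join with:   net ads testjoin
```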
