[Samba] use password server= when security=ADS or not???

Alex de Vaal AVaal at nh-hotels.nl
Wed Jun 9 12:33:21 GMT 2004

Dear list,

I’m using Samba 3.0.4 on a RHL9 server as a domain member in a W2k3 ADS (native).
The shares on the Samba server are used by XP clients, and these clients get the
shares via scripting when they log on to the ADS.
In the ADS domain there are several ADS servers (at remote locations, connected
via routers) that have the same global catalog. This means that an XP client that
logs on to the ADS will get a response from the “fastest” server on the network. The
XP clients and the Samba domain member are at remote locations and connected
to the ADS environment via routers too.

The smb.conf file that I use on the Samba domain members doesn’t contain the
“password server” statement; this means that Samba handles “password server”
as follows, according to the man pages:
If the “password server” option is set to the character '*' (is the same as no password 
server), then Samba will attempt to auto-locate the Primary or Backup Domain 
controllers to authenticate against by doing a query for the name 
“WORKGROUP<1C>” and then contacting each server returned in the list of IP 
addresses from the name resolution source. This means that Samba uses the old 
NETBIOS name and this is not in our DNS and a broadcast is not allowed on our 

The Samba man page also says the following about “password server”:
The advantage of using “security = domain” is that if you list several hosts in the 
“password server” option then smbd will try each in turn till it finds one that responds. 
This is useful in case your primary server goes down.
Does this also work when “security = ADS”? I’d like the Samba domain server
to try to contact each password server in the list till it finds one that responds.

Can you tell me what is preferable? I use Samba 3.0.4 on RHL9 compiled with MIT
1.3.1-7 Kerberos and CUPS; Kerberos and winbind are used for authentication against
the ADS server.

Here is my smb.conf file (only the global section):

	workgroup = XXXX
	realm = XXXX.COM
	server string = %h server (Samba %v)
	security = ADS
	passwd program = /usr/bin/passwd %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
	unix password sync = Yes
	log file = /var/log/samba/%m.log
	max log size = 0
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
	add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M 
	domain master = No
	dns proxy = No
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template homedir = /data/hom/%U
	template shell = /bin/bash
	printer admin = root, '@XXXX.COM\Domain Admins', 
	oplocks = No
	level2 oplocks = No

