[Samba] Re: If I use "valid users" option, I can't log into the domain

Craig White craigwhite at azapple.com
Sat Apr 8 17:42:24 GMT 2006

On Sat, 2006-04-08 at 18:24 +0100, Steve A wrote:
> Craig White wrote:
> > OK netlogon, homes and profiles are all special shares. They really
> > only mean something to users who log on to the domain via Windows
> > computers that have been 'joined' to the domain.
> I can still see my home shares even though I'm not logged onto the domain. 
> Windows does prompt me for user/password when I access it though, because my 
> Windows password isn't the same as my Unix one.
> > Have you 'joined' any computers to the domain yet? I would suspect not
> > since in the list above created by smbclient -L Samba -U sa, I see 3
> > different computers with 3 different 'workgroups'
> Yes, I've joined a computer called VALIANT.  Actually, it joined itself 
> because of the "add machine script =" line in my smb.conf.
> > I would suggest that you read through the documentation at
> > http://www.samba.org/samba/docs (the Official HowTo and By Example)
> I've got the Samba 3 Howto and Reference Guide book here with me.  As far as 
> I can tell, it doesn't provide the answer.
> To recap:
> - The computer called VALIANT is joined to my Samba domain.
> - I can log in with any user I've added using pdbedit (I'm using tdbsam)
> - These users also have a true Unix account
> - I can change password for both Windows/Linux, from Windows because of 
> "passwd program =" and "passwd chat =" in my smb.conf.
> - If I add "valid users = sa" to my smb.conf, I can still access my shares 
> but cannot log into the domain.
> - root can always log into the domain regardless of the valid users options.
see Jerry's answer pertaining to valid users = sa in [global] which
picked up on something I didn't consider.

also note that 'Valiant' didn't show up in the list when you performed
the 'smbclient -L Samba -U sa' command so I'm not convinced it is joined
to domain.


More information about the samba mailing list