[Samba] Domain Security and Mapping as More than One User

Steve Waltner steve.waltner at engenio.com
Fri Mar 3 22:40:03 GMT 2006


I have Samba 3.0.21c installed on Fedora Core 3 and would finally  
like to get rid of the cleartext passwords on our server. The current  
smb.conf file is:

[global]
   workgroup = WORKGROUP
   wins server = 10.0.0.1
   security = share
   encrypt passwords = No
[homes]
    comment = Home Directories
    read only = no
    guest ok = no
    preserve case = yes
    short preserve case = yes

This is working fine, but requires users to make registry changes to  
allow cleartext passwords. I don't want to deal with yet another  
password database on the network, so I don't want to use the private  
smbpasswd file. I switched the server over to use domain  
authentication by updating the smb.conf file to

[global]
   workgroup = DOMAIN
   wins server = 10.0.0.1
   security = domain
[homes]
    comment = Home Directories
    read only = no
    guest ok = no
    preserve case = yes
    short preserve case = yes

and running "net rpc join ...." on the Samba server. This works in  
that the users are able to map a drive to the Samba server using  
their domain account. Unfortunately, we have several users that  
currently attach to the server with multiple login names, which is  
why I have the "security = share" config option set. By setting this  
to domain, we lose this ability and users get the error stating:

Multiple connections to a server or shared resource by the same user,  
using more than one user name, are not allowed. Disconnect all  
previous connections to the server or shared resource and try again..

It sounds like there is no way to authenticate using our Active  
Directory domain to avoid the cleartext passwords and still allow the  
users to connect to the Samba server as multiple users.

One kludgy workaround is to run VMware on this system or switch to  
Solaris 10 and use their zones feature to start multiple instances of  
Samba (i.e., samba1, samba2, samba3, samba4) to allow multiple  
connections to the same physical computer although each connection  
would be going to a different virtual computer. Hopefully this hack  
won't be required.

Steve
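
Added example, not part of the original post and not Samba project code: a small Python check that parses an smb.conf and flags the two [global] settings the post changes, run over abridged copies of the "before" and "after" configurations above. The function names and finding labels are hypothetical, and treating an unset "encrypt passwords" as yes is an assumption about the Samba 3.0 default.

```python
# Added example: audit [global] in an smb.conf for the settings the post
# discusses. BEFORE and AFTER are abridged from the two configs in the post.
BEFORE = """\
[global]
   workgroup = WORKGROUP
   wins server = 10.0.0.1
   security = share
   encrypt passwords = No
[homes]
    comment = Home Directories
    guest ok = no
"""
AFTER = """\
[global]
   workgroup = DOMAIN
   wins server = 10.0.0.1
   security = domain
[homes]
    comment = Home Directories
    guest ok = no
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Names are lower-cased with internal
    whitespace removed, because smb.conf ignores both case and spacing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current["".join(name.split()).lower()] = value.strip()
    return sections

def audit_global(text):
    """Return the list of finding labels (hypothetical names) for [global]."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # Assumption: an unset "encrypt passwords" is treated as yes.
    if g.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        findings.append("cleartext-passwords")
    if g.get("security", "").lower() == "share":
        findings.append("share-level-security")
    return findings
```

The parser skips backslash line continuations and include directives, so it suits a quick review of a single file rather than a full evaluation of the effective configuration.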

