[Samba] Problem after joining Windows domain: Will Samba support "fallback" to local domain for authentication of local users?

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Thu Sep 20 15:57:42 GMT 2007

Hash: SHA256

Windsor Dave L. (AdP/MOE2.12) wrote, On 19-09-2007 16:45:
> Will Samba support "fallback" to local domain for authentication of
> local users?
> I joined a RHEL4 server running Samba  3.0.10-1.4E.11 to a Windows
> 2000/2003 mixed-mode domain today using "security = domain", after
> having run for many months in "security = user" mode.  Authentication
> works fine for users defined in the Windows domain, but we have a few
> users (mainly on manufacturing equipment) who are not in the domain, and
> are defined in /etc/passwd and an old-fashioned smbpasswd file only.
> When mapping drives (these are old W2K clients), these users must now
> use "<servername>\<username>" for their username, or the server will try
> to authenticate to the domain and get a NT_STATUS_NO_SUCH_USER error.

	You can join the machine on the domain, use 'security = user'
and uses winbind to authenticate all your users local. Because you
can use winbind to have users via NSS and then, both your users from
DOMAIN and from passwd/shadow will be available. :-)

	Probably you'll need some magic to auto-add them to the local
backend, but it seems more like what you want.

> I seem to recall that an old server we used to have that ran Samba 2.2.x
> in "security = domain" mode would try to authenticate against the domain
> first, then fall back to the smbpasswd file if that failed, so
> authentication of locally defined users was transparent.
> Is there a way to make Samba3 "fall back" to the smbpasswd file if the
> user is not in the Windows domain?  I've experimented a bit with passdb
> backend, but I haven't seen any difference.  Of course, I can just go to
> all the production equipment and remap the drives, but there are quite a
> few of them, and I'm trying to avoid the downtime.

	"security = server" is deprecated but it might do something
similar to what you want, anyway, you should check the Account
Information chapter to get more detail on how to use the "security"
parameter and how other parameters must be tweaked according to your


	And because of the encryption and other options, I'm not
sure about the best way to configure the fallback idea. Good luck.

	Kind regards,
- --
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list