[Samba] using Windows DC in security = server mode

Jeremy Allison jra at samba.org
Thu Apr 17 07:32:52 GMT 2008


On Mon, Apr 14, 2008 at 07:16:28PM +0100, Gordon Lack wrote:
> We run Samba, but wish to authenticate against Windows DC.  We do this 
> using the "security = server" mode.  We don't have the option of being part 
> of the Windows setup directly.  Although authentication is done against 
> Windows DC (so users are not prompted for passwords) users do need a Unix 
> account to use the service.
>
> We have users in multiple Windows domains, and the DCs we point them at all 
> trust the other domains (they exist for a variety of reasons related to 
> mergers and historic, trans-Atlantic boundaries).
>
> On an (old) 2.2.x version of Samba this works - users from multiple domains 
> can be validated on the same server just by pointing at a single Windows 
> DC.
>
> With 3.0.28a (and earlier 3.0.x versions) this no longer works.  Only users 
> in the default domain of the DC are validated.
>
> A few lines of debug code show that what is happening now is that the 
> domain put into the user_info structure, and hence what is seen by 
> check_smbserver_security (in auth_server.c) is the name of the local 
> workgroup.
>
> I need this to be the domain as supplied by the caller.
>
> Can someone explain the reason behind the change, and what I can do to get 
> the (correct) user-supplied domain to be used when authenticated against a 
> Windows DC in "security = server" mode?

I checked with Jerry yesterday, and it's probably due to the change
made with security=server now being considered to be in standalone
mode, not in domain mode.

security=server is not a good idea long term and we've been trying
to move away from it for many years now. Is there any reason you
aren't allowed to be in the domain?

If you're stuck, you could always make a change to that code to revert
to the Samba2 behavior, but I'd be wary of making that generic change
before checking what other effects this might have.

It's possible we could make this optional.

Jeremy.
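The thread above is about a site still relying on "security = server" (pass-through authentication to a Windows DC) and finding that in 3.0.x only the DC's own domain validates. The following is an added example, not code from the thread or from the Samba project: a small lint that parses the [global] section of an smb.conf, flags the deprecated mode, and prints the domain-member form that the reply recommends instead. It assumes the standard smb.conf layout (INI-style sections, "key = value", "#" or ";" comments) and the Samba 3.x parameter names "security", "password server" and "workgroup"; the sample configuration and the host name in it are constructed.

```python
"""Lint an smb.conf for the deprecated 'security = server' mode.

Added example, not part of the samba mailing list thread. Assumes the
usual smb.conf layout and the Samba 3.x parameters 'security',
'password server' and 'workgroup'.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling the setup described in the thread:
# a stand-alone server passing authentication through to one Windows DC.
SAMPLE_SMB_CONF = """\
# constructed sample, not a real site's configuration
[global]
   workgroup = LOCALWG
   security = server
   password server = dc1.example.invalid
   ; encrypt passwords is on by default in 3.x
   encrypt passwords = yes

[homes]
   browseable = no
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters with lower-cased, whitespace-normalised
    keys (Samba itself ignores case and internal spaces in parameter names)."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        params[key] = value.strip()
    return params


def lint_security_mode(params: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (findings, suggested_global_lines).

    Findings are empty unless 'security = server' is configured. The
    suggestion is the domain-member form: 'security = domain' with the
    workgroup set to the domain the host is joined to."""
    mode = params.get("security", "user").lower()
    if mode != "server":
        return [], []
    findings = [
        "security = server is deprecated pass-through authentication; "
        "in 3.0.x the server is treated as standalone, so the caller-supplied "
        "domain is not forwarded and only the DC's own domain validates."
    ]
    if "password server" not in params:
        findings.append("security = server requires 'password server' to be set.")
    # Placeholder: the real value must be the NetBIOS name of the joined domain.
    domain = params.get("workgroup", "<DOMAIN-placeholder>")
    suggested = [
        "[global]",
        f"   workgroup = {domain}",
        "   security = domain",
        "   password server = *",  # let Samba locate the domain's DCs itself
    ]
    return findings, suggested


if __name__ == "__main__":
    findings, suggested = lint_security_mode(parse_global(SAMPLE_SMB_CONF))
    for f in findings:
        print("FINDING:", f)
    if suggested:
        print("Suggested [global] replacement:")
        print("\n".join(suggested))
```

The suggested block is only half of the migration: with "security = domain" the host also needs a machine account in the domain (created with net rpc join in Samba 3), and "workgroup" must name that domain rather than a local workgroup. Unix accounts for the users are still required either way, as the original poster notes.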

