[Samba] change in AD authentication behaviour since 3.0.24

Charles Marcus CMarcus at Media-Brokers.com
Wed Feb 20 11:39:51 GMT 2008

On 2/19/2008, Robert Cohen (robert.cohen at anu.edu.au) wrote:
> I'm not sure whether its the same problem as us.
> BTW I should mention that we're simply not using winbind.
> The behaviour I'm talking about is when an XP client machine attempts 
> to
> connect to our server to get a network share.
> So winbind doesn't enter into the equation.

 From the 3.0.25 release notes (3rd paragraph is most relevant to you):

"Member servers, domain accounts, and smb.conf

Since Samba 3.0.8, it has been recommended that all domain accounts
listed in smb.conf on a member server be fully qualified with the
domain name.  This is now a requirement.  All unqualified names are
assumed to be local to the Unix host, either as part of the server's
local passdb or in the local system list of accounts (e.g. /etc/passwd
or /etc/group).

The reason for this change is that smbd has transitioned from
access checks based on string comparisons to token based
authorization.  All names are resolved to a SID and then verified
against the logged on user's NT user token.  Local names will
resolve to a local SID, while qualified domain names will resolve
to the appropriate domain SID.

If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local
SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

	path = /data
	valid users = +"DOMAIN\Linux Admins" +srvadmin"


Best regards,


More information about the samba mailing list