[Samba] change in AD authentication behaviour since 3.0.24

Robert Cohen robert.cohen at anu.edu.au
Thu Feb 21 00:31:21 GMT 2008

Charles Marcus CMarcus at Media-Brokers.com wrote

>> On 2/19/2008, Robert Cohen (robert.cohen at anu.edu.au) wrote:
>> I'm not sure whether it's the same problem as us.

>> BTW I should mention that we're simply not using winbind. The behaviour I'm
>> talking about is when an XP client machine attempts to connect to our server
>> to get a network share.
>> So winbind doesn't enter into the equation.

> From the 3.0.25 release notes (3rd paragraph is most relevant to you):

>"Member servers, domain accounts, and smb.conf

>Since Samba 3.0.8, it has been recommended that all domain accounts listed
>in smb.conf on a member server be fully qualified with the domain name.
>This is now a requirement.  All unqualified names are assumed to be local to
>the Unix host, either as part of the server's local passdb or in the local
>system list of accounts (e.g. /etc/passwd or /etc/group).
>
>The reason for this change is that smbd has transitioned from access checks
>based on string comparisons to token based authorization.  All names are
>resolved to a SID and then verified against the logged on user's NT user
>token.  Local names will resolve to a local SID, while qualified domain
>names will resolve to the appropriate domain SID.
>
>If the member server is not running winbindd at all, domain accounts will be
>implicitly mapped to local accounts and their tokens will be modified
>appropriately to reflect the local SID and group membership.

This turned out to be the problem. We hadn't been starting winbindd since I
thought it was only relevant if you were using winbind in
But as soon as we started winbind, along with other config settings
mentioned earlier, everything just started working.

Robert Cohen 
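
An added example, not part of the original message or of Samba itself: a small Python check that lists the names in smb.conf account lists that carry no domain part, since the quoted release notes say such names are assumed to be local to the Unix host. The sample configuration, the function name and the default `\` separator are assumptions, and continuation lines are not handled.

```python
import re

# smb.conf parameters that take lists of user or group names.
ACCOUNT_LISTS = {"validusers", "invalidusers", "readlist", "writelist", "adminusers"}
# A name is either a quoted string (optionally with a group prefix) or a bare token.
NAME = re.compile(r'[@+&]*"[^"]*"|[^\s,]+')

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = r'''
[global]
   security = ads
   workgroup = EXAMPLE

[projects]
   path = /srv/projects
   valid users = EXAMPLE\alice, bob, @"EXAMPLE\Domain Users"
   write list = @staff EXAMPLE\carol

[scratch]
   ; no account lists here
   path = /srv/scratch
'''

def unqualified_names(conf_text, separator="\\"):
    """Return (share, parameter, name) for every listed name lacking a domain part."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # Samba ignores case and whitespace in parameter names.
        if re.sub(r"\s+", "", key).lower() not in ACCOUNT_LISTS:
            continue
        for token in NAME.findall(value):
            # Drop group-lookup prefixes (@, +, &) and surrounding quotes.
            name = token.lstrip("@+&").strip('"')
            if separator not in name:
                findings.append((section, key.strip(), name))
    return findings

if __name__ == "__main__":
    for share, param, name in unqualified_names(SAMPLE_CONF):
        print(f"[{share}] {param}: '{name}' is unqualified, so it is assumed local")
```

Each reported name is worth confirming as an intended local account; a domain account written this way would need the domain prefix.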

