Re: Patch: convenience feature for non-domain clients

2002-10-10 Thread Jon. Hallett

At 14:13 09/10/2002 -0500, Gerald Carter wrote:

>Just to throw my hat in the ring here, i'm not sure i like this for the
>reason that if a user sends DOMAIN\user i think we should assume that's
>what they really meant.  Interesting though, if I run
>
> net use * \\server\jerry /user:jerry
>
>from a WinXP home box, i thought the domain used was the local
>machine.  So it seems like this patch is unnecessary in user mode.
>Is that true?  Is it only applicable in domain mode?

That's right, the patch is only useful in domain mode.  When the Samba 
server hands off a MACHINE\user to the domain controller for 
authentication, the domain controller will reject the user for not being in 
the domain.  That won't happen in user mode -- Samba appears to just ignore 
the domain presented by the client.

>So a user say i am MACHINE\user and we try to authenticate then
>as DOMAIN\user against the PDC which could be someone they didn't
>mean?  It just seems like too many people behind the curtain.

It isn't a particularly elegant feature, that's for sure, but it is really 
convenient.

As you point out above, when in user mode Samba essentially ignores 
domains.  At our site, we ran Samba in user mode for several years, but 
then for all the usual reasons we converted to domain mode (via server 
mode, which we found too unreliable).

What we wanted from Samba in domain mode was the same user-mode-style 
domain-free behaviour but with the authentication coming from our domain 
controllers.

What we got was correct domain-style authentication.  We didn't fancy 
breaking everyone's shares (that'd be ~500 people to apologise to and the 
same number of clients to fix) so we went for a convenience feature to tide 
us over until we are in a position to do things properly.

>I would vote better user education (lot of good that will do me).

:-)  One disadvantage of working at a University is that everybody thinks 
they are quite well educated enough already...

Jon.




Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread Andrew Bartlett

Gerald Carter wrote:
> 
> On Wed, 9 Oct 2002, Jon. Hallett wrote:
> 
> > The background to this is that our Samba servers use "security = domain"
> > authentication for user accounts, but not all our Windows clients are
> > members of the domain, with the result that the clients often want to map
> > shares using non-domain "clientname\user" style accounts.
> >
> > The patch implements an "ignore client domain" option which forces Samba to
> > use the server's own domain when authenticating users, ignoring the domain
> > part of the username provided by the client.
> 
> Just to throw my hat in the ring here, i'm not sure i like this for the
> reason that if a user sends DOMAIN\user i think we should assume that's
> what they really meant.  Interesting though, if I run
> 
> net use * \\server\jerry /user:jerry
> 
> from a WinXP home box, i thought the domain used was the local
> machine.  So it seems like this patch is unnecessary in user mode.
> Is that true?  Is it only applicable in domain mode?
> 
> So a user say i am MACHINE\user and we try to authenticate then
> as DOMAIN\user against the PDC which could be someone they didn't
> mean?  It just seems like too many people behind the curtain.
> I would vote better user education (lot of good that will do me).

In HEAD and 3.0 the auth subsystem uses the value of 'allow trusted
domains' to determine if it should change the client-supplied domain. 
If that smb.conf value is false, the domain is replaced with the local
domain.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread Herb Lewis

Richard Sharpe wrote:
> 
> On Wed, 9 Oct 2002, Herb Lewis wrote:
> > I really like this approach. I am seeing more and more setups where
> > machines are being setup in exactly this configuration. It would be
> > nice to have winbindd use existing UID's instead of always creating
> > new ones for domain\user. With the existing "use default domain"
> > this is not sufficient when you are in a resource domain and all your
> > user names are in the auth domain.
> 
> Hmmm, doesn't this assume name equivalence though, between flat names in
> the auth domain and names on the UNIX system?
> 
> What happens in the current case?
> 

Well that is exactly what use default domain was supposed to do for you
but if your machine is in a resource domain, then the "default" domain
is wrong and all users get added as \.

-- 
==
Herb Lewis   Silicon Graphics 
Networking Engineer  1600 Amphitheatre Pkwy MS-510
Strategic Software Organization  Mountain View, CA  94043-1351
[EMAIL PROTECTED] Tel: 650-933-2177
http://www.sgi.com   Fax: 650-932-2177  
==



Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread Gerald Carter

On Wed, 9 Oct 2002, Jon. Hallett wrote:

> The background to this is that our Samba servers use "security = domain" 
> authentication for user accounts, but not all our Windows clients are 
> members of the domain, with the result that the clients often want to map 
> shares using non-domain "clientname\user" style accounts.
> 
> The patch implements an "ignore client domain" option which forces Samba to 
> use the server's own domain when authenticating users, ignoring the domain 
> part of the username provided by the client.

Just to throw my hat in the ring here, i'm not sure i like this for the 
reason that if a user sends DOMAIN\user i think we should assume that's 
what they really meant.  Interesting though, if I run

net use * \\server\jerry /user:jerry

from a WinXP home box, i thought the domain used was the local 
machine.  So it seems like this patch is unnecessary in user mode.
Is that true?  Is it only applicable in domain mode?

So a user say i am MACHINE\user and we try to authenticate then
as DOMAIN\user against the PDC which could be someone they didn't 
mean?  It just seems like too many people behind the curtain.
I would vote better user education (lot of good that will do me).



cheers, jerry





Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread Richard Sharpe

On Wed, 9 Oct 2002, Herb Lewis wrote:

> Mike Gerdts wrote:
> > 
> > Perhaps a slight variant of this that would be useful would be something
> > along the lines of "force domain = ".  The difference is
> > that when your samba servers are part of a resource domain that is
> > different than your authentication domain, the authentication would
> > happen against your authentication domain, rather than the (machine
> > only) resource domain.
> > 
> > Mike
> > 
> 
> I really like this approach. I am seeing more and more setups where
> machines are being setup in exactly this configuration. It would be
> nice to have winbindd use existing UID's instead of always creating
> new ones for domain\user. With the existing "use default domain"
> this is not sufficient when you are in a resource domain and all your
> user names are in the auth domain.

Hmmm, doesn't this assume name equivalence though, between flat names in 
the auth domain and names on the UNIX system?

What happens in the current case?

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], http://www.richardsharpe.com




Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread Herb Lewis

Mike Gerdts wrote:
> 
> Perhaps a slight variant of this that would be useful would be something
> along the lines of "force domain = ".  The difference is
> that when your samba servers are part of a resource domain that is
> different than your authentication domain, the authentication would
> happen against your authentication domain, rather than the (machine
> only) resource domain.
> 
> Mike
> 

I really like this approach. I am seeing more and more setups where
machines are being setup in exactly this configuration. It would be
nice to have winbindd use existing UID's instead of always creating
new ones for domain\user. With the existing "use default domain"
this is not sufficient when you are in a resource domain and all your
user names are in the auth domain.

-- 
==
Herb Lewis   Silicon Graphics 
Networking Engineer  1600 Amphitheatre Pkwy MS-510
Strategic Software Organization  Mountain View, CA  94043-1351
[EMAIL PROTECTED] Tel: 650-933-2177
http://www.sgi.com   Fax: 650-932-2177  
==



Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread Mike Gerdts

Perhaps a slight variant of this that would be useful would be something
along the lines of "force domain = ".  The difference is
that when your samba servers are part of a resource domain that is
different than your authentication domain, the authentication would
happen against your authentication domain, rather than the (machine
only) resource domain.

Mike

On Wed, 2002-10-09 at 11:00, Jon. Hallett wrote:
> Attached is a patch against SAMBA_2_2 that we find useful at our site for 
> integrating our domain-member Samba servers with our non-domain-member clients.
> 
> The background to this is that our Samba servers use "security = domain" 
> authentication for user accounts, but not all our Windows clients are 
> members of the domain, with the result that the clients often want to map 
> shares using non-domain "clientname\user" style accounts.
> 
> The patch implements an "ignore client domain" option which forces Samba to 
> use the server's own domain when authenticating users, ignoring the domain 
> part of the username provided by the client.
> 
> This is particularly useful for sites converting from "security = server" 
> to "security  = domain" who don't want to go around their clients adding 
> domain parts to all the usernames with which they map shares.
> 
> Hope this is of use to someone else,
> 
> Jon.
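The three ways of handling the client-supplied domain that this thread debates (pass-through, Jon's "ignore client domain", and Mike's "force domain" variant, with Andrew's note that 'allow trusted domains = no' has the same effect as Jon's patch in HEAD/3.0) can be modelled side by side. This is an added illustration, not Samba's code: the function and record names, the constructed domain names, and the assumption that a bare username with no domain is sent to the server's own domain are ours. The `rewritten` flag marks the case Gerald worries about, where MACHINE\user is silently turned into DOMAIN\user.

```python
# Added illustration of the username-domain policies discussed in the
# thread. Not Samba's implementation; names and sample domains are ours.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthTarget:
    domain: str                   # domain the DC will be asked about
    user: str
    rewritten: bool               # client's domain was replaced
    client_domain: Optional[str]  # what the client actually sent


def split_username(raw: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); domain is None if absent."""
    if "\\" in raw:
        dom, _, user = raw.partition("\\")
        return (dom or None), user
    return None, raw


def resolve_auth_target(raw: str, server_domain: str, *,
                        ignore_client_domain: bool = False,
                        force_domain: Optional[str] = None) -> AuthTarget:
    """Decide which DOMAIN\\user goes to the domain controller.

    default:              pass the client's domain through; MACHINE\\user
                          is then rejected by the DC, as Jon describes
    ignore_client_domain: substitute the server's own domain (Jon's patch;
                          Andrew says 'allow trusted domains = no' does
                          the same in HEAD/3.0)
    force_domain:         substitute a fixed auth domain (Mike's variant
                          for servers sitting in a resource domain)
    Assumption: a bare username with no domain is sent to server_domain.
    """
    client_dom, user = split_username(raw)
    if force_domain is not None:
        target = force_domain
    elif ignore_client_domain or client_dom is None:
        target = server_domain
    else:
        target = client_dom
    # Domain names compare case-insensitively; only a real change counts
    # as a rewrite worth logging (the "someone they didn't mean" case).
    rewritten = client_dom is not None and target.upper() != client_dom.upper()
    return AuthTarget(target, user, rewritten, client_dom)
```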





Re: Patch: convenience feature for non-domain clients

2002-10-09 Thread David Collier-Brown

"Jon. Hallett" wrote:
> This is particularly useful for sites converting from "security = server"
> to "security  = domain" who don't want to go around their clients adding
> domain parts to all the usernames with which they map shares.

That sounds like a good way to make the beginning of a
migration easy... 
 
--dave
-- 
David Collier-Brown,   | Always do right. This will gratify 
DMCO's MTEC team in Toronto| some people and astonish the rest.
Formerly Opcom, ACE and SIS.   |
(905) 415-2849 or x52849   | [EMAIL PROTECTED]