Samba as "NT Domain Member"


baz2
08-19-2002, 05:39 PM
In another thread, someone posted this link (http://freeos.com/articles/3842/). I decided to try out the first part entitled as in the subject header of this post. I'm not sure this is doing what it sounds like, though. I followed all the requisite steps, and everything worked as indicated. But what exactly does this do for me?

Say the linux box on which these steps have been performed is named "LINUX1." It has been joined to the domain. So I thought to myself, "Cool, now I can log onto LINUX1 using a valid NT domain user account and password." Well, not so. So I scratch my head, and think about one of the steps performed in this task:

smbpasswd -j DOMAIN -r DOMAINPDC

Did this step merely create Samba user accounts and passwords from the NT domain? If so, how does that help log into the linux box? Isn't that going to require Linux user accounts and passwords?

But then I check, and there are no Samba accounts either.

So again, what good is any of this? I know I'm missing something. But what?

baz2
08-19-2002, 10:45 PM
Well, answering my own question in part...

What was supposed to happen, I think, is that

security=domain

would bypass the need for a separate samba password file. But there still has to be a unix account for the user. So I create one, with exactly the same username and password as on the NT domain, but it doesn't work.

E.g., with security=user, and the creation of samba accounts and passwords, I have no trouble accessing samba shares on the linux machines.

But when I try the security=domain approach, the login/authentications fail. Now maybe I just don't have something set up right.

But even if I got it working, I'm not sure how much the effort is worth. IMO it is stretching it to describe such a setup as an "NT Domain Member."

Hayl
08-19-2002, 10:52 PM
All joining an NT domain does is create a machine account for your computer in the domain. It has nothing to do with any user accounts.

cowanrl
08-19-2002, 11:15 PM
You are correct on what security = domain should give you. You do not need to create local Samba users on each Samba server with the smbpasswd command.
You still need local Linux accounts on your server for each user in your NT domain that will access the server via Samba. This is to satisfy the local file system permissions on the directories you share.
But, the password for the local user account doesn't have to match the password in the domain. The only password the user has to be concerned with is the NT domain password. If you have it set up to require a password change every 45 days, the user changes the domain password but does not have to change the password on the Samba server.

If you have many Samba servers in an NT domain environment, keeping the passwords synched on all of them can be quite a task. Especially if you have hundreds of users in your NT domain. If the passwords aren't synched up, users will be asked for a share username and password on Win9x machines every time they boot. That can be quite confusing to inexperienced users, as well as being annoying.


I use security = domain quite a bit and it's normally just as easy to set up as security = user. The key is joining the domain properly.

First, shut down Samba. Then join the domain. The proper command should be:

smbpasswd -j DOM -r DOMPDC -UAdministrator%password

DOM = the domain name, DOMPDC = the name of your PDC and username and password are someone in the NT domain with the authority to join computers to the domain. Usually a domain admin. It should respond with Joined domain DOM or something similar to that.
If yours isn't working properly, I'd try to join the domain again. First, check in Server Manager in the NT domain and delete the computer account created for the Samba server if it exists. Then try to join the domain again.

Another line you need to add in the global section for security = domain is:

password server = pdcname

That tells Samba where to go for authentication. You can use the name of your PDC and/or a BDC. You can also use an asterisk (*) and Samba will broadcast for the domain controllers.

Once you get security = domain working properly, it's a lot less administrative overhead.
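Putting the settings from this post together, here is what the relevant part of smb.conf looks like for a domain member server. This is an added example, not from the thread or the linked article; DOM, DOMPDC, DOMBDC, LINUX1 and the share names are placeholders, and the local Unix group "projects" is assumed to exist.

```ini
# smb.conf fragment for a Samba server joined to an NT domain as a member.
# Constructed example: DOM, DOMPDC, DOMBDC, LINUX1 and the shares are placeholders.
# smb.conf does not allow trailing comments, so every comment is on its own line.

[global]
   # The NT domain name; must match the -j argument given to smbpasswd.
   workgroup = DOM
   netbios name = LINUX1
   # Authenticate against the domain controllers instead of a local smbpasswd file.
   security = domain
   # PDC and/or BDC names, space separated. A single "*" makes Samba broadcast for DCs.
   password server = DOMPDC DOMBDC
   # NT domain logons use encrypted passwords; domain security will not work without this.
   encrypt passwords = yes

# Join sequence (run once, with smbd and nmbd stopped):
#   smbpasswd -j DOM -r DOMPDC -UAdministrator%password
# Expected response: "Joined domain DOM". Then start smbd and nmbd again.
# Each domain user who connects still needs a local Unix account of the same name,
# because Samba maps the authenticated domain username onto that Unix user for
# filesystem permissions. The local account's password is never used by Samba here.

[homes]
   comment = Home directories (requires a matching local Unix account)
   browseable = no
   writable = yes

[projects]
   path = /srv/projects
   # Only members of the local Unix group "projects" may connect to this share.
   valid users = @projects
   writable = yes
```

Because domain users are mapped onto local accounts by name, the permission boundary is the Unix account and group membership, so keep the local accounts, and the groups named in "valid users", in step with who should actually have access.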

cowanrl
08-19-2002, 11:20 PM
Of course, the next step beyond security = domain is using winbind. This actually lets you download your entire NT domain user account database onto your Linux/Samba server. You don't need to create Linux or Samba user accounts. That really saves some administrative time. The NT domain usernames and passwords are even used for local login to the Linux machine and telnet and ftp login.

There are users that frequent this site that have it working. I've never tried this because I've done away with my NT Domain and have my Samba server running as a domain controller. My Windows machines authenticate to it instead of to an NT domain.

baz2
08-20-2002, 09:29 AM
Thanks again for all the help! This has been a very rewarding discussion. The following answers another question I had:

But, the password for the local user account doesn't have to match the password in the domain. The only password the the user has to be concerned with is the NT domain password.

I'm surprised though. How can samba be sure that the NT user of a given user name is the same user with the linux user account with the same name if the NT user doesn't have to know the linux password? Are there limits on what the NT user can do with a samba share exposed to the account with their username? When I get the chance, I want to explore this more. It is still a bit of a mystery to me.

And then maybe winbind.

I've also played a bit with integrating Windows and Linux machines from the other direction, i.e. with NFS shares and MS's SFU. That is even harder than Samba to get working right! I can see the exported NFS shares from Windows clients running SFU, but I can't get them authenticated to actually access them. I think it is a problem with UIDs not matching. Know of any discussion forums where there might be some wizards who know something about NFS and SFU?

cowanrl
08-20-2002, 05:28 PM
Originally posted by baz2

I'm surprised though. How can samba be sure that the NT user of a given user name is the same user with the linux user account with the same name if the NT user doesn't have to know the linux password? Are there limits on what the NT user can do with a samba share exposed to the account with their username? When I get the chance, I want to explore this more. It is still a bit of a mystery to me.

When the Windows user tries to access a Samba share, the user passes his username and password to Samba. Samba checks with the NT/Win2k domain controller to verify the username/password are correct. If they are, then Samba uses that username to access the Linux filesystem. As far as Linux is concerned, that is an authenticated user and grants access to all files and directories it has been assigned permissions to.
It probably wouldn't be hard to fool Linux into thinking that you had the right username, but you would still have to match the password on the domain controller.
I'm not sure of the details of how it all works, I'm just glad it does.

You do see posts on this site once in a while about NFS and SFU. I usually don't look at them because I know nothing about SFU. If you haven't already done so, you may do a search on this site for info on it.
I guess I stick with Samba because I'm more familiar with it.