David L Kindred (Dave)
2000-Sep-14 15:43 UTC
Experience with switching from User to Domain login?
Having had success with phasing in encrypted passwords using "smb.conf.%m" includes, I am thinking of trying the same trick to begin a switch from user login to domain login. Since the primary Samba machine is the one with all the nics, I intend that it should be the PDC for the resulting domain. A few NT machines are currently running in their own domain, but that is using a name that is currently not politically acceptable, and so needs to be changed anyway.

So, have any of you ever attempted to phase in a change from basic user authentication to domain authentication? Is the client-specific includes the way to go? Or is there a better approach?

Pointers to the obvious (like some document I haven't re-read lately) would be useful, but I don't recall much, if any, discussion of changing the authentication method once you've set one up.

--
David L. Kindred    d.kindred@telesciences.com
Telesciences, Inc.
2000 Midlantic Drive, Suite 410    Phone: +1 856 642 4184
Mount Laurel, NJ 08054    Fax: +1 856 866 0185

On Thu, 14 Sep 2000, David L Kindred (Dave) wrote:

> So, have any of you ever attempted to phase in a change from basic user
> authentication to domain authentication? Is the client-specific
> includes the way to go? Or is there a better approach?

I don't think that there is anything that particularly needs phasing in. If you check the appropriate sections of "Using Samba"[1] you should find that most of the changes are either machine-by-machine setup anyway, or are central changes which are non-disruptive to your existing clients.

Note that a Samba server running as a domain controller operates in security=user mode, *not* security=domain (which is for servers which will pass off authentication to a domain controller, not act as domain controllers themselves).

[1] oreilly.com/catalog/samba/chapter/book/ch06_05.html (note that the text implies that Samba 2.0.x will not act as a logon server for NT clients and that you need a development version from CVS - if you ignore the warning and follow the instructions anyway then you should find that you can join your NT clients to the domain, and serve domain logins successfully, though many other domain controller functions will not work properly).

Regards,
--
Neil Hoggarth    Departmental Computer Officer
<neil.hoggarth@physiol.ox.ac.uk>    Laboratory of Physiology
physiol.ox.ac.uk/~njh    University of Oxford, UK
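
The security=user point made in the reply above, as an added smb.conf sketch that is not from either poster or from the cited book. The workgroup name EXAMPLEDOM, the file paths and the os level value are constructed placeholders.

```ini
; Added illustration: Samba acting as the domain logon server (PDC role).
; EXAMPLEDOM, the paths and the os level value are constructed placeholders.
[global]
    workgroup = EXAMPLEDOM

    ; A Samba domain controller authenticates against its own
    ; account database, so it stays in user-level security.
    security = user
    ; NOT this: security = domain is for a member server that hands
    ; authentication off to some other machine acting as the DC.
    ;   security = domain

    ; NT clients log on to the domain with encrypted passwords (smbpasswd).
    encrypt passwords = yes
    domain logons = yes

    ; Win browser elections so clients can locate the logon server.
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    ; Per-client overrides, the mechanism mentioned in the question;
    ; %m expands to the client's NetBIOS name.
    include = /usr/local/samba/lib/smb.conf.%m

[netlogon]
    ; Share that clients connect to during domain logon.
    path = /usr/local/samba/netlogon
    writable = no
    guest ok = no
```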