Pentland G.
2003-Jan-30 10:31 UTC
[Samba] FW: Samba authentication against a windows 2000 domain.
Hi all,

I've got an authentication issue with SAMBA as a member server in a Win 2000 domain. Basically I need to authenticate users against the domain. Unfortunately my clients are not all domain members, so they send <something>\<username>, not <domainname>\<username>. I need to get Samba to replace whatever with the domain name, or to get the clients to send the right domain name. Please read on...

My setup, servers:
- Database mechanism for synchronising NIS, AD and NDS passwords - working
- Windows 2000 AD - working
- NDS tree - working
- Mixed UNIX setup - working, using NIS as authentication mechanism
- Samba on IRIX; server is NIS client ONLY, sharing [homes]

My setup, clients:
Mixed clients including...
- Win 95 standalone and Novell clients
- Win 98 standalone and Novell clients
- Win 2000 and Win XP, both AD members and standalone
- Misc Linux, Macs etc., but they are of lower priority.

Requirements:
Support encrypted logins to Samba. Previous plain text version using NIS on server is working.

What I have tried... basically:
security = domain
smbpasswd -j domainname ... joined OK

Now the detailed question...

Domain members (2000 and XP) can authenticate OK, non domain members can't. If on a non domain member you enter "domainname\username" and your password you CAN authenticate and get your home directory; unfortunately this is not desirable as some users will struggle to get used to this.

Win 9x machines: when you access network shares you cannot specify domainname\username, i.e. start->run \\server\<username> - you only get a password box, and entering a valid password always results in logon failure.

Is there a way on the server side (Samba) to specify that all usernames get authenticated as <specifieddomainname>\<suppliedusername>? As *ALL* users, with only a couple of exceptions (the ones that no-one should ever log on as), exist in all of the UNIX (NIS) world, Windows AD and the NDS tree. For this reason I don't think winbindd will be any help...

Real users that exist on both platforms need to map to \\server\<username> and get their real homedir from the UNIX fileserver.

I understand that the default for Win 9x is to send the workgroup name, i.e. <workgroup>\<username>. There are reasons why I cannot change the workgroup name of these machines. Windows 2000 / XP seem to send <netbiosmachinename>\<username> when they are not domain members; when domain members they send <domainname>\<username>, and this is the working case.

Any help/suggestions would be very much appreciated.

Thanks,
Gary
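The member-server setup the post describes, written out as an added example. This is not Gary's smb.conf and is not from the original thread; the domain name EXAMPLEDOM, the PDC name PDC1 and the Samba 2.2-era parameter names are assumptions.

```ini
; Added example: smb.conf for a Samba 2.2-era domain member server
; (assumptions: EXAMPLEDOM and PDC1 are placeholders for the real names)
[global]
   ; the NT/AD domain this server has been joined to
   workgroup = EXAMPLEDOM
   ; hand authentication to the domain controllers instead of a local passdb
   security = domain
   ; name the DC explicitly, or use "*" to locate DCs by broadcast/WINS
   password server = PDC1
   ; NT-style (encrypted) password exchange, as the requirements ask for
   encrypt passwords = yes
   ; UNIX accounts still come from NIS; Samba maps authenticated domain
   ; users onto the matching NIS account of the same name

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
```

The join itself is a one-off command of the form `smbpasswd -j EXAMPLEDOM -r PDC1 -U Administrator` (account and PDC name are assumptions). These are the parts Gary reports as already working; on their own they do not change how the domain portion of a client-supplied `<something>\<username>` is treated, which is exactly the gap the post asks about.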