samba - Oct 2004 - does SECURITY=ADS fall back to the smbpasswd file?

Hi Samba List,

I'm trying to upgrade from Samba 2.2.11 to 3.0.7.  I'm
using the SECURITY = ADS option and I have the winbind
stuff working fine.  I have joined the windows domain and
authenticate my NT users perfectly.

However, some of my users don't have NT accounts, so they access
their samba share using local accounts in the smbpasswd file.  Samba
2.2 (with SECURITY = DOMAIN) used to fall back to the smbpasswd file
after trying to authenticate the user from the PDC and this was
exactly how we wanted it.

But my Samba 3 doesn't do this.  Is it supposed to?  Or do i have
to turn this function on with some configuration option that I have
missed?

Thanks,

Tim.


My config:

[global]
deadtime = 10
encrypt passwords = yes
share modes = yes
server string = dWeb samba server %h
max log size = 200000
available = yes
bind interfaces only = yes
browseable = no
case sensitive = no
comment = dWeb samba server
follow symlinks = yes
max smbd processes = 200
invalid users = root
load printers = no
log level = 2
read only = yes
veto files = /content/.ssh/sys/stats/

; file/directory creation modes - no other access, web server runs in group
create mask = 0000
directory mask = 0000
force create mode = 0640
force directory mode = 0750
security mask = 0750

security = ADS
realm = xx.xx.xx.COM
workgroup = xxx
allow trusted domains = yes
encrypt passwords = yes

winbind separator = +
winbind uid = 25534-65534
winbind enum users = no
winbind gid = 25534-65534
winbind enum groups = no
winbind cache time = 60
winbind use default domain = yes
use spnego = yes

; security settings
lanman auth = no
client lanman auth = no
ntlm auth = no
client plaintext auth = no
disable netbios = yes
min protocol = NT1

; don't use wins
wins support = no
name resolve order = lmhosts host

; The following parameters are required by DB samba guidelines
wide links = no
local master = no
domain master = no
preferred master = no
os level = 0

; include dynamic configuration
include = /samba/lib/smb.conf.dynamic

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim wrote:
| Hi Samba List,
|
| I'm trying to upgrade from Samba 2.2.11 to 3.0.7.  I'm
| using the SECURITY = ADS option and I have the winbind
| stuff working fine.  I have joined the windows domain and
| authenticate my NT users perfectly.
|
| However, some of my users don't have NT accounts, so they access
| their samba share using local accounts in the smbpasswd file.  Samba
| 2.2 (with SECURITY = DOMAIN) used to fall back to the smbpasswd file
| after trying to authenticate the user from the PDC and this was
| exactly how we wanted it.
|
| But my Samba 3 doesn't do this.  Is it supposed to?  Or do i have
| to turn this function on with some configuration option that I have
| missed?

Each auth method (winbind, sam, etc...) is associated
with a domain.  For example, the local machine domain
or the domain to which the server is joined.  Once an
auth method reports NT_STATUS_LOGON_FAILURE, no other
auth method will be tried.

So the short answer is no, smbd will not fall back to
smbpasswd in Samba 3.





cheers, jerry
- ---------------------------------------------------------------------
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot
(2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBdPa9IR7qMdg1EfYRAkOmAJ4u0X6WUafY+DaJI/EwXiWnDvYwZwCeMj/I
AX/NsHf07D2pmU+UYfWZhP0=yH+P
-----END PGP SIGNATURE-----