Note
SMB/CIFS servers that register the DOMAIN<1C> name do so because they provide the network logon
service. Servers that register the DOMAIN<1B> name are DMBs, meaning that they are responsible
for browse list synchronization across all machines that have registered the DOMAIN<1D> name. The latter
are LMBs that have the responsibility to listen to all NetBIOS name registrations that occur locally to their
own network segment. The network logon service (NETLOGON) is germane to domain control and has nothing to do
with network browsing and browse list management. The 1C and 1B/1D name services are orthogonal to each
other.
Now back to the issue of configuring a Samba domain controller to use a mode other than
security = user. If a Samba host is configured to use another SMB server or domain
controller in order to validate user connection requests, it is a fact that some other machine on the network
(the password server) knows more about the user than the Samba host. About 99 percent
of the time, this other host is a domain controller. Now to operate in domain mode security, the
workgroup parameter must be set to the name of the Windows NT domain (which already
has a domain controller). If the domain does not already have a domain controller, you do not yet have a
domain.
Configuring a Samba box as a domain controller for a domain that already by definition has a
PDC is asking for trouble. Therefore, you should always configure the Samba domain controller
to be the DMB for its domain and set
security = user.
This is the only officially supported mode of operation.
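A small check for the rule above, as an added example that is not part of the Samba documentation: it reads the [global] section of an smb.conf and reports a domain controller (assumed here to be a host with `domain logons = yes`) that sets a `security` mode other than `user` or that explicitly disables `domain master`. The function names and the sample configuration are constructed for illustration; parameters left unset are treated as defaults and not flagged.

```python
import re

# Constructed sample: network logons are enabled (the host acts as a domain
# controller) but authentication is delegated and the DMB role is disabled.
SAMPLE_BAD = """
[global]
    workgroup = EXAMPLEDOM
    domain logons = yes
    security = domain
    domain master = no
"""

TRUE = {"yes", "true", "1"}
FALSE = {"no", "false", "0"}

def parse_global(text):
    """Return the [global] parameters as a dict, with keys normalised the way
    smb.conf treats them (case and internal whitespace are ignored)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params

def check_dc(text):
    """List deviations from the supported domain-controller setup."""
    p = parse_global(text)
    if p.get("domainlogons", "no") not in TRUE:
        return []  # assumption: without domain logons the rule does not apply
    findings = []
    if p.get("security", "user") != "user":
        findings.append("security = %s: a domain controller must use security = user" % p["security"])
    if p.get("domainmaster") in FALSE:
        findings.append("domain master disabled: the domain controller should be the DMB")
    return findings

if __name__ == "__main__":
    for finding in check_dc(SAMPLE_BAD):
        print(finding)
```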