author Andrew Bartlett <abartlet@samba.org> 2002-03-03 03:56:53 +0000
committer Andrew Bartlett <abartlet@samba.org> 2002-03-03 03:56:53 +0000
commit 4941e64fe043d755ec0068b540a9ed7264a9a38d
tree e8952461d455841de3780d818bed10c092784834 /source3/include/ntdomain.h
parent 81f66464b062df5fcfed41dbace8d37836b16e34
This patch allows NT4 domains to trust Samba.

Simply add an account (smbpasswd -a -i REMOTEDOM) and join with 'user manager' on the remote domain.

The only issue (at the auth level at least) that prevented NT4 domains from trusting Samba was that our netlogon code was based on what appear to be invalid assumptions. The netlogon code appears to assume that the 'client name' specified corresponds to an account of the same form. This doesn't apply in trusted domains, because the account is in the form domain$

Now that we use the supplied account name, and no longer make our access control checks at the challenge stage (where this info is unavailable) we match the Win2k behaviour for invalid machine logins, and don't need to know the names of PDCs/BDCs in trusting domains.

We also kill off the 'you logged on with a machine account, use your user account' error message, because the previous NT_STATUS return was completely bogus. (The ACCESS_DENIED we now return matches Win2k, and gives sane error messages on the client).

TNG doesn't use this and has to do magic password syncs between the various accounts for domain/pdc/bdc. This patch feels like the much more natural way of doing things, and has been mildly tested.

Andrew Bartlett

(This used to be commit 542673fcd6654a1d0966dddadde177a4c4ce135d)

Diffstat (limited to 'source3/include/ntdomain.h')
0 files changed, 0 insertions, 0 deletions