By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server], it is possible to get Samba to do all its username/password validation using a specific remote server.

If the security parameter is set to domain or ads, then this option should not be used, as the default '*' indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do. This allows the domain to be maintained without modification to the smb.conf file. The cryptographic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe.
It is strongly recommended that you use the default of '*'; however, if in your particular environment you have reason to specify a particular DC list, then the list of machines in this option must be a list of names or IP addresses of domain controllers for the domain. If you use the default of '*', or list several hosts in the password server option, then smbd will try each in turn until it finds one that responds. This is useful in case your primary server goes down.

If the list of servers contains both names/IPs and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DCs will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.

If the parameter is a name, it is looked up using the parameter and so may be resolved by any method and order described in that parameter.
If the security parameter is set to server, these additional restrictions apply:

You may list several password servers in the password server parameter; however, if an smbd makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS protocol when in security = server mode and cannot be fixed in Samba.

You will have to ensure that your users are able to log in from the Samba server, as when in security = server mode the network logon will appear to come from the Samba server rather than from the user's workstation.

The client must not select NTLMv2 authentication.

The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.
Using a password server means your UNIX box (running Samba) is only as secure as (a host masquerading as) your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you had better trust your clients, and you had better restrict them with hosts allow!
Related parameter: security

Default: password server = *

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = windc.mydomain.com:389 192.168.1.101 *