By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server] it is possible to get Samba to do all its username/password validation using a specific remote server. If the security parameter is set to domain or ads, then this option should not be used, as the default '*' indicates to Samba to determine the best DC to contact dynamically, just as all other hosts in an AD domain do. This allows the domain to be maintained without modification to the smb.conf file. The cryptograpic protection on the authenticated RPC calls used to verify passwords ensures that this default is safe. It is strongly recommended that you use the default of '*', however if in your particular environment you have reason to specify a particular DC list, then the list of machines in this option must be a list of names or IP addresses of Domain controllers for the Domain. If you use the default of '*', or list several hosts in the password server option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down. If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DC's will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC. If parameter is a name, it is looked up using the parameter and so may resolved by any method and order described in that parameter. If the security parameter is set to server, these additional restrictions apply: You may list several password servers in the password server parameter, however if an smbd makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS protocol when in security = server mode and cannot be fixed in Samba. You will have to ensure that your users are able to login from the Samba server, as when in security = server mode the network logon will appear to come from the Samba server rather than from the users workstation. The client must not select NTLMv2 authentication. The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode. Using a password server means your UNIX box (running Samba) is only as secure as (a host masqurading as) your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST. Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server! The name of the password server takes the standard substitutions, but probably the only useful one is %m , which means the Samba server will use the incoming client as the password server. If you use this then you better trust your clients, and you had better restrict them with hosts allow! security * NT-PDC, NT-BDC1, NT-BDC2, * windc.mydomain.com:389 192.168.1.101 *