By specifying the name of another SMB server (such as a WinNT box) with this option, and using security = domain or security = server, you can get Samba to do all its username/password validation via a remote server.

This option sets the name of the password server to use. It must be a NetBIOS name, so if the machine's NetBIOS name is different from its Internet name then you may have to add its NetBIOS name to the lmhosts file, which is stored in the same directory as the smb.conf file.

The name of the password server is looked up using the parameter name resolve order and so may be resolved by any method and order described in that parameter.

The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

The name of the password server takes the standard substitutions, but probably the only useful one is %m, which means the Samba server will use the incoming client as the password server. If you use this then you had better trust your clients, and you had better restrict them with hosts allow!

If the security parameter is set to domain, then the list of machines in this option must be a list of Primary or Backup Domain controllers for the Domain or the character '*', as the Samba server is effectively in that domain, and will use cryptographically authenticated RPC calls to authenticate the user logging on. The advantage of using security = domain is that if you list several hosts in the password server option then smbd will try each in turn until it finds one that responds. This is useful in case your primary server goes down.

If the password server option is set to the character '*', then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name WORKGROUP<1C> and then contacting each server returned in the list of IP addresses from the name resolution source.

If the list of servers contains both names and the '*' character, the list is treated as a list of preferred domain controllers, but an auto lookup of all remaining DCs will be added to the list as well. Samba will not attempt to optimize this list by locating the closest DC.

If the security parameter is set to server, then there are different restrictions that security = domain doesn't suffer from:

- You may list several password servers in the password server parameter; however, if an smbd makes a connection to a password server, and then the password server fails, no more users will be able to be authenticated from this smbd. This is a restriction of the SMB/CIFS protocol when in security = server mode and cannot be fixed in Samba.

- If you are using a Windows NT server as your password server then you will have to ensure that your users are able to log in from the Samba server, as when in security = server mode the network logon will appear to come from there rather than from the user's workstation.

See also the security parameter.

Default: password server = <empty string>

Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *

Example: password server = *
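
The warnings above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the Samba documentation or source: the function names and finding codes are hypothetical, it reads only the [global] section, and it tests only whether hosts allow (or its synonym allow hosts) is present, not what it permits.

```python
import re

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit_password_server(conf_text, own_netbios_name):
    """Return finding codes for the risks the password server text describes."""
    p = parse_global(conf_text)
    security = p.get("security", "").lower()
    servers = [s for s in re.split(r"[,\s]+", p.get("passwordserver", "")) if s]
    if security not in ("domain", "server") or not servers:
        return []
    findings = []
    # Pointing Samba at itself causes a loop and can lock up the server.
    if own_netbios_name.upper() in (s.upper() for s in servers):
        findings.append("SELF_REFERENCE")
    # %m makes the connecting client its own password server.
    if "%m" in servers and not ("hostsallow" in p or "allowhosts" in p):
        findings.append("CLIENT_AS_PASSWORD_SERVER_UNRESTRICTED")
    # security = server: once a connected password server fails, this smbd
    # authenticates no more users, so extra entries are not real failover.
    if security == "server" and len(servers) > 1:
        findings.append("NO_FAILOVER_IN_SERVER_MODE")
    return findings

# Constructed sample configurations (not taken from a real host).
RISKY = "[global]\n security = server\n Password Server = NT-PDC, %m, SAMBA1\n"
SAFER = "[global]\n security = domain\n password server = NT-PDC, NT-BDC1, NT-BDC2, *\n"

if __name__ == "__main__":
    print(audit_password_server(RISKY, "samba1"))
    print(audit_password_server(SAFER, "samba1"))
```

An empty result only means none of these three conditions was found; whether each listed password server is actually trustworthy still has to be judged by the administrator.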