By specifying the name of another SMB server
or Active Directory domain controller with this option,
and using security = [ads|domain|server]
it is possible to get Samba to
to do all its username/password validation using a specific remote server.This option sets the name or IP address of the password server to use.
New syntax has been added to support defining the port to use when connecting
to the server the case of an ADS realm. To define a port other than the
default LDAP port of 389, add the port number using a colon after the
name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
Samba will use the standard LDAP port of tcp/389. Note that port numbers
have no effect on password servers for Windows NT 4.0 domains or netbios
connections.If parameter is a name, it is looked up using the
parameter name
resolve order and so may resolved
by any method and order described in that parameter.The password server must be a machine capable of using
the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in
user level security mode.Using a password server means your UNIX box (running
Samba) is only as secure as your password server. DO NOT
CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.
Never point a Samba server at itself for password serving.
This will cause a loop and could lock up your Samba server!The name of the password server takes the standard
substitutions, but probably the only useful one is %m
, which means the Samba server will use the incoming
client as the password server. If you use this then you better
trust your clients, and you had better restrict them with hosts allow!If the security parameter is set to
domain or ads, then the list of machines in this
option must be a list of Primary or Backup Domain controllers for the
Domain or the character '*', as the Samba server is effectively
in that domain, and will use cryptographically authenticated RPC calls
to authenticate the user logging on. The advantage of using
security = domain is that if you list several hosts in the
password server option then smbd
will try each in turn till it finds one that responds. This
is useful in case your primary server goes down.If the password server option is set
to the character '*', then Samba will attempt to auto-locate the
Primary or Backup Domain controllers to authenticate against by
doing a query for the name WORKGROUP<1C>
and then contacting each server returned in the list of IP
addresses from the name resolution source. If the list of servers contains both names/IP's and the '*'
character, the list is treated as a list of preferred
domain controllers, but an auto lookup of all remaining DC's
will be added to the list as well. Samba will not attempt to optimize
this list by locating the closest DC.If the security parameter is
set to server, then there are different
restrictions that security = domain doesn't
suffer from:You may list several password servers in
the password server parameter, however if an
smbd makes a connection to a password server,
and then the password server fails, no more users will be able
to be authenticated from this smbd. This is a
restriction of the SMB/CIFS protocol when in security = server
mode and cannot be fixed in Samba.If you are using a Windows NT server as your
password server then you will have to ensure that your users
are able to login from the Samba server, as when in
security = server mode the network logon will appear to
come from there rather than from the users workstation.securityNT-PDC, NT-BDC1, NT-BDC2, *windc.mydomain.com:389 192.168.1.101 **