3.5 Common Errors | The Official Samba-3 HOWTO and Reference Guide, 2nd Edition

We all make mistakes. It is okay to make mistakes, as long as they are made in the right places and at the right time. A mistake that causes lost productivity is seldom tolerated, however a mistake made in a developmental test lab is expected.

Here we look at common mistakes and misapprehensions that have been the subject of discussions on the Samba mailing lists. Many of these are avoidable by doing your homework before attempting a Samba implementation. Some are the result of a misunderstanding of the English language. The English language, which has many phrases that are potentially vague and may be highly confusing to those for whom English is not their native tongue.

3.5.1 What Makes Samba a Server?

To some the nature of the Samba security mode is obvious, but entirely wrong all the same. It is assumed that security = server means that Samba will act as a server. Not so! This setting means that Samba will try to use another SMB server as its source for user authentication alone.

3.5.2 What Makes Samba a Domain Controller?

The smb.conf parameter security = domain does not really make Samba behave as a Domain Controller. This setting means we want Samba to be a Domain Member.

3.5.3 What Makes Samba a Domain Member?

Guess! So many others do. But whatever you do, do not think that security = user makes Samba act as a Domain Member. Read the manufacturer's manual before the warranty expires . See Chapter 6, Domain Membership for more information.

3.5.4 Constantly Losing Connections to Password Server

" Why does server_validate() simply give up rather than re-establish its connection to the password server? Though I am not fluent in the SMB protocol, perhaps the cluster server process passes along to its client workstation the session key it receives from the password server, which means the password hashes submitted by the client would not work on a subsequent connection whose session key would be different. So server_validate() must give up ."

Indeed. That's why security = server is at best a nasty hack. Please use security = domain; security = server mode is also known as pass-through authentication.