SAMBA and XP

Dave Ihnat ignatz at dminet.com
Wed Feb 23 13:49:10 UTC 2005


On Wed, Feb 23, 2005 at 07:51:25AM -0500, Marty Landman wrote:
> Looking further down, I must be honest in saying don't even know what a 
> domain is. I use Samba to access shares from network 'nix boxes from 
> Windows boxes /only/.

In Windows, when you're a member of a Domain, you send your authentication
request to a Domain Controller.  If your login/password are authenticated,
your machine/session is issued an authentication token that is used
thereafter to determine your rights to access domain-accessible shares
(directories, printers, etc.)  There are other features as well--the
Domain Administrator can assign login (and logout) scripts, define
the home directory and drive mapping, and specify the off-workstation
storage location for profile information (roaming profiles).  A Group
Policy can be promulgated from the Domain Controller that specifies
a number of behavioral characteristics of workstations in the domain.
(Yes, this is greatly simplified.)

Windows XP Home simply can't do this--it can't "join" the domain, and
can't participate in the authentication process.  BUT it can be set to be
in the Workgroup that is the cognate of the Active Directory domain name
(e.g., corp.mycompany.com has a workgroup cognate of, say, MYCOMPANY).
(No, cognate isn't Microsoft's word for it--I can't remember the proper
terminology before coffee.)

When it tries to access a Domain resource--typically a printer or file
share--and it's not authenticated, it will be queried for its credentials.
It will, by default, provide the login/password of the current session.
If those fail, you should be prompted for a login/password pair that exists
in the Domain.  Thus, if you set up an account for the XP Home user in
the Domain, and give it the same name and password as the account they
use on the XP Home box, they shouldn't see anything abnormal when they
try to use Domain resources.  At the worst, give 'em an account they
can respond with when XP asks for it, and map persistent network connections
in their account.

Other problems do arise in this workaround.  Their machine can't be
managed by domain policies.  They can't have a login or logout script
assigned to their account, nor will they be assigned a home directory
or roaming profile home.  But at least they can be allowed to use shared
resources.

Cheers,
--
	Dave Ihnat
	ignatz at dminet.com
