</sect2>
-<sect2>
-<title>Why Is This Better Than <parameter>security = server</parameter>?</title>
-
-<para>
-<indexterm><primary>domain security</primary></indexterm>
-<indexterm><primary>UNIX users</primary></indexterm>
-<indexterm><primary>authentication</primary></indexterm>
-Currently, domain security in Samba does not free you from having to create local UNIX users to represent the
-users attaching to your server. This means that if domain user <constant>DOM\fred</constant> attaches to your
-domain security Samba server, there needs to be a local UNIX user fred to represent that user in the UNIX file
-system. This is similar to the older Samba security mode <smbconfoption
-name="security">server</smbconfoption>, where Samba would pass through the authentication request to a Windows
-NT server in the same way as a Windows 95 or Windows 98 server would.
-</para>
-
-<para>
-<indexterm><primary>winbind</primary></indexterm>
-<indexterm><primary>UID</primary></indexterm>
-<indexterm><primary>GID</primary></indexterm>
-Please refer to <link linkend="winbind">Winbind: Use of Domain Accounts</link>, for information on a system
-to automatically assign UNIX UIDs and GIDs to Windows NT domain users and groups.
-</para>
-
-<para>
-<indexterm><primary>domain-level</primary></indexterm>
-<indexterm><primary>authentication</primary></indexterm>
-<indexterm><primary>RPC</primary></indexterm>
-The advantage of domain-level security is that the authentication in domain-level security is passed down the
-authenticated RPC channel in exactly the same way that an NT server would do it. This means Samba servers now
-participate in domain trust relationships in exactly the same way NT servers do (i.e., you can add Samba
-servers into a resource domain and have the authentication passed on from a resource domain PDC to an account
-domain PDC).
-</para>
-
-<para>
-<indexterm><primary>PDC</primary></indexterm>
-<indexterm><primary>BDC</primary></indexterm>
-<indexterm><primary>connection resources</primary></indexterm>
-In addition, with <smbconfoption name="security">server</smbconfoption>, every Samba daemon on a server has to
-keep a connection open to the authenticating server for as long as that daemon lasts. This can drain the
-connection resources on a Microsoft NT server and cause it to run out of available connections. With
-<smbconfoption name="security">domain</smbconfoption>, however, the Samba daemons connect to the PDC or BDC
-only for as long as is necessary to authenticate the user and then drop the connection, thus conserving PDC
-connection resources.
-</para>
-
-<para>
-<indexterm><primary>PDC</primary></indexterm>
-<indexterm><primary>authentication reply</primary></indexterm>
-<indexterm><primary>SID</primary></indexterm>
-<indexterm><primary>NT groups</primary></indexterm>
-Finally, acting in the same manner as an NT server authenticating to a PDC means that as part of the
-authentication reply, the Samba server gets the user identification information such as the user SID, the list
-of NT groups the user belongs to, and so on.
-</para>
-
-<note>
-<para>
-Much of the text of this document was first published in the Web magazine
-<ulink url="http://www.linuxworld.com"><emphasis>LinuxWorld</emphasis></ulink> as the article <ulink
-url="http://www.linuxworld.com/linuxworld/lw-1998-10/lw-10-samba.html"/>
-<emphasis>Doing the NIS/NT Samba</emphasis>.
-</para>
-</note>
-
-</sect2>
</sect1>
<sect1 id="ads-member">
git.samba.org / metze / samba / wip.git / commitdiff