Web lists-archives.com

Re: [Samba] [samba] file server: %U or %u?




2017-08-31 15:54 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

> On Thu, 31 Aug 2017 15:28:57 +0200
> mathias dufresne via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hi all,
> >
> > Here there are trust relationship between domains.
> > On some file server using Samba 4.4.4 (Centos 7) I must set up my
> > shares using %U. When using %u the directory which is accessed is
> > /path/to/share/OUR_DOMAIN\username rather
> > than /path/to/share/username.
> >
> > Initially I thought it could be solved by using:
> >   winbind use default domain = yes
> > associated with:
> >   workgroup = OUR_DOMAIN
> > but that change only how users are generated by Winbind (or at least
> > that's how I feel it :)
> >
> > And as smb.conf manpage tells:
> >  %U
> >            session username (the username that the client wanted, not
> > necessarily the same as the one they got).
> >
> > I feel like it could be nice (because perhaps more secure) to use
> > %u...
>
> You mention 'trust' and then 'winbind use default domain', I am very
> sure you cannot use the two together.
>

It works to remove domain name from user lines in getent.
Without 'winbind use default domain' user lines are like:
DOMAIN\username:x:UID:GID.....
with 'winbind use default domain' user lines are like:
username:x:UID:GID.....

Now I understand from what you said that there will be problems once some
users from others domains would try to access these shares. Especially if
there are users with same sAMAccountName on several domains.


>
> I don't actually think you need to set either, I think you just need to
> use something like 'path/to/share/%D/users/'
> See the wiki page for more info:
>
> https://wiki.samba.org/index.php/User_Home_Folders


I will read that carefully but, 'cause there's a but: my client refuse to
change anything....
If this behaviour is fathered by trust relationships, they'll certainly
keep using %U and avoid clients from others domain than the default one...


>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba