Re: [Samba] [samba] file server: %U or %u?




PS: is the short way to explain why %u is adding the domain/workgroup to the
username the fact that we are using a trust relationship?

2017-08-31 16:08 GMT+02:00 mathias dufresne <infractory@xxxxxxxxx>:

>
>
> 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:
>
>> On Thu, 31 Aug 2017 15:28:57 +0200
>> mathias dufresne via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>
>> > Hi all,
>> >
>> > Here there are trust relationships between domains.
>> > On some file server using Samba 4.4.4 (CentOS 7) I must set up my
>> > shares using %U. When using %u the directory which is accessed is
>> > /path/to/share/OUR_DOMAIN\username rather
>> > than /path/to/share/username.
>> >
>> > Initially I thought it could be solved by using:
>> >   winbind use default domain = yes
>> > associated with:
>> >   workgroup = OUR_DOMAIN
>> > but that changes only how users are generated by Winbind (or at least
>> > that's how I feel it :)
>> >
>> > And as smb.conf manpage tells:
>> >  %U
>> >            session username (the username that the client wanted, not
>> > necessarily the same as the one they got).
>> >
>> > I feel like it could be nice (because perhaps more secure) to use
>> > %u...
>>
>> You mention 'trust' and then 'winbind use default domain', I am very
>> sure you cannot use the two together.
>>
>
> It works to remove domain name from user lines in getent.
> Without 'winbind use default domain' user lines are like:
> DOMAIN\username:x:UID:GID.....
> with 'winbind use default domain' user lines are like:
> username:x:UID:GID.....
>
> Now I understand from what you said that there will be problems once some
> users from other domains would try to access these shares. Especially if
> there are users with the same sAMAccountName on several domains.
>
>
>>
>> I don't actually think you need to set either, I think you just need to
>> use something like 'path/to/share/%D/users/'
>> See the wiki page for more info:
>>
>> https://wiki.samba.org/index.php/User_Home_Folders
>
>
> I will read that carefully but, 'cause there's a but: my client refuses to
> change anything....
> If this behaviour is fathered by trust relationships, they'll certainly
> keep using %U and avoid clients from other domains than the default one...
>
>
>>
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
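
The collision risk raised in this thread, as an added example that is not part of the original messages and is not Samba code: a simplified model of how %U, %u and %D expand in a share path, used to check whether a path template lets users from different trusted domains land in the same directory. The expansion rules follow what the thread reports (%U gives the bare name, %u gives DOMAIN\username under trusts); the `%D/%U` template is an assumed variant of the `%D` suggestion above, and the domain and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sessions: (domain, sAMAccountName). Names are illustrative only.
SESSIONS = [
    ("OUR_DOMAIN", "alice"),
    ("OUR_DOMAIN", "bob"),
    ("TRUSTED_DOMAIN", "alice"),  # same sAMAccountName in a trusted domain
]


def expand(template, domain, user):
    """Expand the variables discussed in the thread (simplified model).

    %U -> session username, modelled as the bare name the thread observed
    %u -> username of the current service, DOMAIN\\username under trusts
    %D -> domain of the current user
    """
    subs = {"U": user, "u": f"{domain}\\{user}", "D": domain}
    # Single pass so one substitution can never feed another.
    return re.sub(r"%([UuD])", lambda m: subs[m.group(1)], template)


def colliding_paths(template, sessions):
    """Return {path: [identities]} for paths reached by more than one identity."""
    owners = defaultdict(set)
    for domain, user in sessions:
        owners[expand(template, domain, user)].add(f"{domain}\\{user}")
    return {path: sorted(ids) for path, ids in owners.items() if len(ids) > 1}


if __name__ == "__main__":
    templates = (
        "/path/to/share/%U",     # layout the thread's file server uses
        "/path/to/share/%u",     # unique, but directory name contains DOMAIN\
        "/path/to/share/%D/%U",  # assumed per-domain layout
    )
    for tpl in templates:
        hits = colliding_paths(tpl, SESSIONS)
        verdict = f"COLLISION {hits}" if hits else "unique per identity"
        print(f"{tpl:24} -> {verdict}")
```
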