Re: [Samba] [samba] file server: %U or %u?

On Thu, 31 Aug 2017 16:42:02 +0200
mathias dufresne <infractory@xxxxxxxxx> wrote:

> 2017-08-31 16:29 GMT+02:00 Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx>:
> 
> > On Thu, 31 Aug 2017 16:08:00 +0200
> > mathias dufresne <infractory@xxxxxxxxx> wrote:
> >
> > > 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba
> > > <samba@xxxxxxxxxxxxxxx>:
> > >
> > > > On Thu, 31 Aug 2017 15:28:57 +0200
> > > > mathias dufresne via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > >
> > > > > Hi all,
> > > > >
> > > > > Here there are trust relationships between domains.
> > > > > On some file servers using Samba 4.4.4 (CentOS 7) I must set
> > > > > up my shares using %U. When using %u the directory which is
> > > > > accessed is /path/to/share/OUR_DOMAIN\username rather
> > > > > than /path/to/share/username.
> > > > >
> > > > > Initially I thought it could be solved by using:
> > > > >   winbind use default domain = yes
> > > > > associated with:
> > > > >   workgroup = OUR_DOMAIN
> > > > > but that changes only how users are generated by Winbind (or at
> > > > > least that's how I feel about it :)
> > > > >
> > > > > And as the smb.conf manpage says:
> > > > >  %U
> > > > >            session username (the username that the client
> > > > > wanted, not necessarily the same as the one they got).
> > > > >
> > > > > I feel like it could be nice (because perhaps more secure) to
> > > > > use %u...
> > > >
> > > > You mention 'trust' and then 'winbind use default domain', I am
> > > > very sure you cannot use the two together.
> > > >
> > >
> > > It works to remove the domain name from user lines in getent.
> > > Without 'winbind use default domain' user lines are like:
> > > DOMAIN\username:x:UID:GID.....
> > > with 'winbind use default domain' user lines are like:
> > > username:x:UID:GID.....
> > >
> > > Now I understand from what you said that there will be problems
> > > once some users from others domains would try to access these
> > > shares. Especially if there are users with the same sAMAccountName
> > > on several domains.
> > >
> > >
> > > >
> > > > I don't actually think you need to set either, I think you just
> > > > need to use something like 'path/to/share/%D/users/'
> > > > See the wiki page for more info:
> > > >
> > > > https://wiki.samba.org/index.php/User_Home_Folders
> > >
> > >
> > > I will read that carefully but, 'cause there's a but: my client
> > > refuses to change anything....
> > > If this behaviour is caused by trust relationships, they'll
> > > certainly keep using %U and avoid clients from other domains than
> > > the default one...
> > >
> >
> > They don't need to change anything, without 'winbind use default
> > domain' when a user called 'fred' connects from DOMAINA, he will be
> > seen as 'DOMAINA\fred' but if a user called fred connects from
> > DOMAINB, he will be seen as 'DOMAINB\fred'. Samba should then create
> > the homedir for user 'DOMAINA\fred' in
> > '/path/to/share/DOMAINA/users' and the homedir for user
> > 'DOMAINB\fred' in '/path/to/share/DOMAINB/users', if you use the
> > path I posted earlier.
> >
> 
> The fact is that means they must change each and every directory name
> in every place where %u was used.
> And that is not a small task by itself. In my own opinion it is really
> doable, but not in theirs.
> 
> Moreover, they use "unsecure links" and they use that awful stuff
> heavily. That means renaming directories implies rebuilding all links.
> Here again, a task they don't want to do. Here again, I proposed some
> ways to manage them relatively easily, which were refused.
> 
> I do understand that's not state of the art but I'm not responsible for
> what they do, it's their IT, not mine. I'm giving advice, they do
> whatever they want with it...
> 

If something goes wrong, you will be blamed for it (even if it has
nothing to do with you). If you want my opinion (and you probably
don't, so feel free to ignore it), walk away, advise them you cannot
work somewhere that ignores standard security practices.

Rowland
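Rowland's %D-based layout gives each trusted domain its own subtree, so DOMAINA\fred and DOMAINB\fred no longer land in the same directory. As an added example that is not code from this thread or from the Samba wiki, here is a small helper such a share could call from a `root preexec` hook (hypothetical script name `mkhome.sh`, constructed share root `/path/to/share`) to create the home directory on first connect; it treats %U as untrusted input because, per the manpage quoted above, it is the name the client asked for rather than the one it authenticated as, and it assumes the default `\` winbind separator when setting ownership.

```shell
#!/bin/sh
# Hypothetical helper, not from the thread or the Samba wiki.
# Assumed share definition:
#   path         = /path/to/share/%D/users/%U
#   root preexec = /usr/local/sbin/mkhome.sh %D %U   (hypothetical path)

SHARE_ROOT=/path/to/share   # constructed value for the example

# Accept only letters, digits, '.', '_' and '-', and never '.' or '..'.
# This rejects '\', '/', '$' and spaces, so neither %D nor %U can steer
# the path outside its own domain subtree.
valid_name() {
    case "$1" in
        ''|.|..) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the home directory for a (domain, user) pair, or fail silently
# when either component is unsafe.
home_path() {
    valid_name "$1" && valid_name "$2" || return 1
    printf '%s/%s/users/%s\n' "$SHARE_ROOT" "$1" "$2"
}

# Create the per-domain home directory if missing, owned by the
# DOMAIN\user account (default winbind separator) and private to them.
make_home() {
    dir=$(home_path "$1" "$2") || return 1
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        chown "$1\\$2" "$dir" || return 1
        chmod 700 "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# Invoked by Samba as: mkhome.sh DOMAINA fred
if [ -n "$1" ] && [ -n "$2" ]; then
    make_home "$1" "$2"
fi
```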
