[Samba] [samba] file server: %U or %u?

mathias dufresne infractory at gmail.com
Thu Aug 31 14:42:02 UTC 2017


2017-08-31 16:29 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 31 Aug 2017 16:08:00 +0200
> mathias dufresne <infractory at gmail.com> wrote:
>
> > 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Thu, 31 Aug 2017 15:28:57 +0200
> > > mathias dufresne via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi all,
> > > >
> > > > Here there are trust relationships between domains.
> > > > On some file server using Samba 4.4.4 (CentOS 7) I must set up my
> > > > shares using %U. When using %u the directory which is accessed is
> > > > /path/to/share/OUR_DOMAIN\username rather
> > > > than /path/to/share/username.
> > > >
> > > > Initially I thought it could be solved by using:
> > > >   winbind use default domain = yes
> > > > associated with:
> > > >   workgroup = OUR_DOMAIN
> > > > but that changes only how users are generated by Winbind (or at
> > > > least that's how I feel it :)
> > > >
> > > > And as smb.conf manpage tells:
> > > >  %U
> > > >            session username (the username that the client wanted,
> > > > not necessarily the same as the one they got).
> > > >
> > > > I feel like it could be nice (because perhaps more secure) to use
> > > > %u...
> > >
> > > You mention 'trust' and then 'winbind use default domain', I am very
> > > sure you cannot use the two together.
> > >
> >
> > It works to remove domain name from user lines in getent.
> > Without 'winbind use default domain' user lines are like:
> > DOMAIN\username:x:UID:GID.....
> > with 'winbind use default domain' user lines are like:
> > username:x:UID:GID.....
> >
> > Now I understand from what you said that there will be problems once
> > some users from other domains would try to access these shares.
> > Especially if there are users with same sAMAccountName on several
> > domains.
> >
> >
> > >
> > > I don't actually think you need to set either, I think you just
> > > need to use something like 'path/to/share/%D/users/'
> > > See the wiki page for more info:
> > >
> > > https://wiki.samba.org/index.php/User_Home_Folders
> >
> >
> > I will read that carefully but, 'cause there's a but: my client
> > refuses to change anything....
> > If this behaviour is fathered by trust relationships, they'll
> > certainly keep using %U and avoid clients from other domains than the
> > default one...
> >
>
> They don't need to change anything, without 'winbind use default
> domain' when a user called 'fred' connects from DOMAINA, he will be
> seen as 'DOMAINA\fred' but if a user called fred connects from
> DOMAINB, he will be seen as 'DOMAINB\fred'. Samba should then create
> the homedir for user 'DOMAINA\fred' in '/path/to/share/DOMAINA/users'
> and the homedir for user 'DOMAINB\fred' in
> '/path/to/share/DOMAINB/users', if you use the path I posted earlier.
>

The fact is that means they must change each and every directory name in
every place where %u was used.
And that is not a small task by itself. In my own opinion it is really
doable, but not in theirs.

More, they use "unsecure links" and they use that awful stuff heavily. That
means renaming directories implies rebuilding all links. Here again, a task
they don't want to do. Here again, I proposed some ways to manage them
relatively easily, which was refused.

I do understand that's not state of the art but I'm not responsible for what
they do, it's their IT, not mine. I'm giving advice, they do whatever they
want with it...


>
> Rowland
>
>
>
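
The directory-collision concern raised in this thread, as an added example that is not part of the original messages and is not Samba code: a simplified model that expands a share path for users from two trusted domains and reports any directory shared by more than one account. The expansions (%u as DOMAIN\account, %U as the bare name, %D as the domain) follow what the thread reports; the sample users, the function names and the trailing `/%U` on the `%D/users` layout are assumptions.

```python
# Added illustration, not Samba code: a simplified model of how the
# share-path variables discussed in this thread expand.
from collections import defaultdict

# Constructed sample users: (domain, sAMAccountName).
USERS = [("DOMAINA", "fred"), ("DOMAINB", "fred"), ("DOMAINA", "alice")]

# Layouts from the thread; the last one appends %U to the suggested
# 'path/to/share/%D/users/' path (assumption).
LAYOUTS = [
    "/path/to/share/%U",
    "/path/to/share/%u",
    "/path/to/share/%D/users/%U",
]


def expand(template, domain, account):
    """Expand %u, %U and %D as the thread describes them (assumption):
    %u -> DOMAIN\\account, %U -> bare account name, %D -> domain."""
    subs = {"%u": f"{domain}\\{account}", "%U": account, "%D": domain}
    for var, value in subs.items():
        template = template.replace(var, value)
    return template


def collisions(template, users):
    """Return {path: [users]} for every path mapped to by more than one user."""
    by_path = defaultdict(list)
    for domain, account in users:
        by_path[expand(template, domain, account)].append(f"{domain}\\{account}")
    return {path: who for path, who in by_path.items() if len(who) > 1}


def audit(layouts=LAYOUTS, users=USERS):
    """Check every layout and return {layout: collisions}."""
    return {layout: collisions(layout, users) for layout in layouts}


if __name__ == "__main__":
    for layout, clash in audit().items():
        status = "OK" if not clash else f"COLLISION {clash}"
        print(f"{layout:32} {status}")
```

Only the bare-name layout maps both `fred` accounts to one directory; the domain-qualified layouts keep them apart.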

