Samba NT Authentication Security Question

Dries, Joseph joseph.dries at
Thu Oct 1 19:11:36 GMT 1998


I have an issue that just surfaced with our Network Appliance Filer, and
since it's so similar to Samba, I had to start asking myself the question
regarding samba. Since I couldn't come up with a good enough answer here, or
in the ml-archive, I'm asking here.

The situation is regarding NT account authentication to UNIX boxes using
/etc/smbusers (/etc/usermap.cfg on NetApp filer). The problem on the NetApp
is as follows: It uses the /etc/usermap.cfg to map NT account names to UNIX
account names (for uid permissions on the fs, etc.) In this configuration,
it is similar to running Samba in "security = domain", "password server =
ntpdc" mode, which is exactly how I have samba configured. However, when
sharing out the CIFS.home_dir option, the NetApp filer uses the NT account
name to match the home directory, not the mapped UNIX account name. Very
inconsistent, both with the security scheme and the documentation.

That aside, their comment was that any directory that matches the NT account
name, and has access via the UNIX account name will work with the
CIFS.home_dir option.

On the NetApp filer's /etc/usermap.cfg file you can map ntuser to uuser, or
DOMAIN\ntuser to uuser. This flexibility of specifying a specific domain
account to UNIX user is infinitely more flexible and secure than the current
Samba scheme, where it just matches name for name, or name listed in the
/etc/smbusers. I was told previously on this list that this feature might
make it into Samba 2.x. I hope it does.

The problem, if not immediately obvious, is this: If the domain that the
NetApp filer and Samba servers reside trust other domains; any account in
those trusted domains that matches the UNIX account will immediately gain
access to the UNIX fs files. This isn't necessarily (and in the case of my
company's situation, definitely not) what is wanted.

The question, after all that background is: Is/will there be a way to
explicitly restrict access and authentication to Samba servers to those
accounts listed in the /etc/smbusers file? Hopefully that will be coupled
with the DOMAIN\ntuser definition/syntax, allowing me to do the following:

Samba server is in RES domain.
There exists a juser in RES domain. There is a juser in the ACCT1 domain,
and a jquser in ACCT4 domain. The NT user that should be mapped to the UNIX
juser is ACCT4\jquser. That currently works, via /etc/smbusers, but if
RES\juser and ACCT1\juser tried to open the Samba server, they too would
have access to everything owned by ACCT4\jquser.

Hopefully if there was an option for explicitly defined users, every share
that did not allow guests would only allow those users, as mapped and
defined in /etc/smbusers, to authenticate and access those shares.

As it is now, with Samba, all three accounts can access those files. (With
the Network Appliance, believe it or not, all three accounts would have
access to files owned by the UNIX account juser, but for ACCT4\jquser, no
home share would be available since the NT name does not match the UNIX fs
mount point.)

Am I missing something? Is something in the works for a future alpha/beta
release? Or is my situation so unique that this doesn't require addressing?


Joseph F. Dries III
Lockheed Martin / EIS
Government Electronic Systems / IT&P
   Advanced Technology/OS Group
mailto:joseph.dries at

More information about the samba-ntdom mailing list