Followup on "force user = %S"

David Collier-Brown davecb at Canada.Sun.COM
Wed Jan 6 15:13:25 GMT 1999

In earlier discussion on this list, Thomas R. Stevenson was advised to
"force user = %S" in order to have a connection, for example, from 
"davecb" at a client machine to //server/xyz authenticated as the user
on the server.
  Alas, this appears to be quite different from what actually occurs in
make_connection: the connecting user is authenticated first, as "davecb"
the userid is changed to xyz.
  This is, from my limited knowledge, the "right" thing to do:
authenticate then

  However, what the user is trying to do is make the user mappings an
part of the [homes] processing, rather than exhaustively listing all the 
dos user : unix user relations in a manually maintained text file.

  I do note that the old "user = " option, when set to %S, will cause
Samba to try the "davecb" account name first, and then clear the default 
real name and continue using davecb:

su root -c 'smbclient //elsbeth/davecb'
[1999/01/06 09:15:37, 4] passdb/pass_check.c:(791)
  Checking password for user davecb (l=8)
[1999/01/06 09:15:37, 3] smbd/password.c:(192)
  davecb is in 2 groups: 10, 41
[1999/01/06 09:15:37, 3] smbd/password.c:(270)
  uid 57957 registered to name davecb
[1999/01/06 09:15:37, 3] smbd/password.c:(272)
  Clearing default real name
[1999/01/06 09:15:37, 1] smbd/service.c:(484)
  server ( connect to service davecb as user davecb
(uid=57957, gid
=10) (pid 28299)
[1999/01/06 09:15:37, 3] smbd/reply.c:(340)
  tconX service=davecb user=davecb

  I wasn't actually expecting that to work!

  This is subtly different from the documentation: the smb.conf man page
 Step 1: If the client has passed a username/password pair and
that username/password pair is validated by the UNIX system's password
programs then the connection is made as that username. Note that this
includes the tt(\\server\service%username) method of passing a

Step 2: If the client has previously registered a username...

Step 3: The client's netbios name and any previously used user
names are checked against the supplied password...

Step 4: If the client has previously validated a
username/password pair ...

Step 5: If a link(bf("user = "))(user) field is given in the
smb.conf file for the service and the client has supplied a password,
and that password matches (according to the UNIX system's password
checking) with one of the usernames from the "user="
field then the connection is made as the username in the
"user=" line.

Step 6: If the service is a guest service... 

	I'm pleased that //server/davecb%davecb works!
	I'm mildly amazed that the ordering was such that 
	user=%S worked... I had expected that one of
	the previous steps would have succeeded instead.
	Notably step 2, which I has assumed used the username
	previously sent in the SMBsesssetupX message, long before
	the SMBtconX.

	So: the questions:
	1) is //servername/service%service the canonical way
	   to connrct to service AS service?
	2) is user = %S intended to be evaluated in such a way
	   as to yeild the same behavior?
	3) shouldn't step 2 override the "user=" hack?

David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   |
Work: (905) 477-0437 Home: (416) 223-8968 Email: davecb at

More information about the samba-technical mailing list