`allow trusted domains = no` and `Unix Users`
asn at samba.org
Mon Sep 4 12:33:21 UTC 2023
On Monday, 4 September 2023 11:38:11 CEST Rowland Penny via samba-technical
> On Mon, 04 Sep 2023 11:07:10 +0200
> Andreas Schneider via samba-technical <samba-technical at lists.samba.org>
> > Hello,
> > I have a user who set `allow trusted domains = no` in his smb.conf.
> > He also set `force user = localuser` on a share. However he is not
> > able to connect to the local share:
> > [2023/07/27 12:31:43.434346, 3, pid=1019460, effective(0, 0),
> > real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
> > is_allowed_domain: Not trusted domain 'UNIX USER'
> > [2023/07/27 12:31:43.434350, 3, pid=1019460, effective(0, 0),
> > real(0, 0),
> > class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
> > create_local_token: Authentication failed for user [cortexuser] from
> > firewalled domain [UNIX USER]
> > The change was introduced by df5fe2d835169161d3930acf1e9c750dd2bc64b6
> > Is it by intention that local unix users fall into the "trusted
> > domain" category or is this a bug?
> > Best regards
> > Andreas
> Stop me if I am wrong, but doesn't 'allow trusted domains = no' mean
> that you only trust the domain that the computer is part of, so local
> users will not be part of that domain.
Local users are not part of any domain as they are local to the machine.
However you can map domain users to local users.
The allow trusted domains documentation says:
If it is set to no, then attempts to connect to a resource from a domain or
workgroup other than the one which smbd is running in will fail, even if that
domain is trusted by the remote server doing the authentication.
'Unix Users' is a special domain for local users and smbd is running in that
domain too. It is a local domain.
> Also, as I understand it, if you are trying to connect to the share as
> a local user that the domain knows nothing about, you will be denied access,
> but if you connect to the share as a known user and 'force user =
> localuser' is in the share, then everything would end up belonging to
You do not connect as a local user; you connect as a domain user. However,
all share operations will happen under the user you specify with "force user".
Andreas Schneider asn at samba.org
Samba Team www.samba.org
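
An added triage example, not part of the original post and not Samba code: it scans smbd level-3 log text for the `create_local_token` rejection quoted above and separates rejections of the local 'UNIX USER' domain from rejections of other domains. The first two sample records are taken from the post with the mail line-wrapping undone; the third record (user `alice`, domain `OTHERDOM`) is constructed, and the helper names and the `LOCAL_DOMAINS` set are assumptions.

```python
import re

# Header of an smbd debug record: "[timestamp, level, ...] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)"
    r"[^\]]*\]\s+\S+\((?P<func>\w+)\)\s*$")
# Message text as it appears in the log excerpt in the post.
REJECT = re.compile(r"Authentication failed for user \[(?P<user>[^\]]*)\]\s+"
                    r"from\s+firewalled domain \[(?P<domain>[^\]]*)\]")
# Assumption: only the local-domain name seen in the post's log is listed.
LOCAL_DOMAINS = {"UNIX USER"}

# First two records: from the post. Third record: constructed sample.
SAMPLE = """\
[2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'UNIX USER'
[2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [cortexuser] from firewalled domain [UNIX USER]
[2023/07/27 12:35:02.000100,  3, pid=1019477, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [alice] from firewalled domain [OTHERDOM]
"""

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "func": m["func"], "msg": ""}
            records.append(current)
        elif current is not None and line.strip():
            # Join continuation lines so a wrapped message still matches.
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def firewalled_rejections(text):
    """Return one dict per rejection; 'local' marks the local Unix domain."""
    hits = []
    for rec in parse_records(text):
        m = REJECT.search(rec["msg"])
        if m:
            hits.append({"ts": rec["ts"], "user": m["user"],
                         "domain": m["domain"],
                         "local": m["domain"].upper() in LOCAL_DOMAINS})
    return hits

if __name__ == "__main__":
    for hit in firewalled_rejections(SAMPLE):
        kind = "local domain" if hit["local"] else "other domain"
        print(f'{hit["ts"]} {hit["user"]}@{hit["domain"]} ({kind})')
```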