[Samba] [samba] file server: %U or %u?
infractory at gmail.com
Thu Aug 31 14:27:12 UTC 2017
PS: the short way to explain %u is adding domain/workgroup to username is
the fact we are using trust relationship?
2017-08-31 16:08 GMT+02:00 mathias dufresne <infractory at gmail.com>:
> 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>
>> On Thu, 31 Aug 2017 15:28:57 +0200
>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>> > Hi all,
>> > Here there are trust relationship between domains.
>> > On some file server using Samba 4.4.4 (Centos 7) I must set up my
>> > shares using %U. When using %u the directory which is accessed is
>> > /path/to/share/OUR_DOMAIN\username rather
>> > than /path/to/share/username.
>> > Initially I thought it could be solved by using:
>> > winbind use default domain = yes
>> > associated with:
>> > workgroup = OUR_DOMAIN
>> > but that change only how users are generated by Winbind (or at least
>> > that's how I feel it :)
>> > And as smb.conf manpage tells:
>> > %U
>> > session username (the username that the client wanted, not
>> > necessarily the same as the one they got).
>> > I feel like it could be nice (because perhaps more secure) to use
>> > %u...
>> You mention 'trust' and then 'winbind use default domain', I am very
>> sure you cannot use the two together.
> It works to remove domain name from user lines in getent.
> Without 'winbind use default domain' user lines are like:
> with 'winbind use default domain' user lines are like:
> Now I understand from what you said that there will be problems once some
> users from others domains would try to access these shares. Especially if
> there are users with same sAMAccountName on several domains.
>> I don't actually think you need to set either, I think you just need to
>> use something like 'path/to/share/%D/users/'
>> See the wiki page for more info:
> I will read that carefully but, 'cause there's a but: my client refuse to
> change anything....
> If this behaviour is fathered by trust relationships, they'll certainly
> keep using %U and avoid clients from others domain than the default one...
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba