[Samba] [samba] file server: %U or %u?

Rowland Penny rpenny at samba.org
Thu Aug 31 14:29:06 UTC 2017


On Thu, 31 Aug 2017 16:08:00 +0200
mathias dufresne <infractory at gmail.com> wrote:

> 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> 
> > On Thu, 31 Aug 2017 15:28:57 +0200
> > mathias dufresne via samba <samba at lists.samba.org> wrote:
> >
> > > Hi all,
> > >
> > > Here there are trust relationships between domains.
> > > On some file server using Samba 4.4.4 (Centos 7) I must set up my
> > > shares using %U. When using %u the directory which is accessed is
> > > /path/to/share/OUR_DOMAIN\username rather
> > > than /path/to/share/username.
> > >
> > > Initially I thought it could be solved by using:
> > >   winbind use default domain = yes
> > > associated with:
> > >   workgroup = OUR_DOMAIN
> > > but that changes only how users are generated by Winbind (or at
> > > least that's how I feel it :)
> > >
> > > And as smb.conf manpage tells:
> > >  %U
> > >            session username (the username that the client wanted,
> > > not necessarily the same as the one they got).
> > >
> > > I feel like it could be nice (because perhaps more secure) to use
> > > %u...
> >
> > You mention 'trust' and then 'winbind use default domain', I am very
> > sure you cannot use the two together.
> >
> 
> It works to remove domain name from user lines in getent.
> Without 'winbind use default domain' user lines are like:
> DOMAIN\username:x:UID:GID.....
> with 'winbind use default domain' user lines are like:
> username:x:UID:GID.....
> 
> Now I understand from what you said that there will be problems once
> some users from other domains would try to access these shares.
> Especially if there are users with same sAMAccountName on several
> domains.
> 
> 
> >
> > I don't actually think you need to set either, I think you just
> > need to use something like 'path/to/share/%D/users/'
> > See the wiki page for more info:
> >
> > https://wiki.samba.org/index.php/User_Home_Folders
> 
> 
> I will read that carefully but, 'cause there's a but: my client
> refuses to change anything....
> If this behaviour is fathered by trust relationships, they'll
> certainly keep using %U and avoid clients from other domains than the
> default one...
> 

They don't need to change anything, without 'winbind use default
domain' when a user called 'fred' connects from DOMAINA, he will be
seen as 'DOMAINA\fred' but if a user called fred connects from
DOMAINB, he will be seen as 'DOMAINB\fred'. Samba should then create
the homedir for user 'DOMAINA\fred' in '/path/to/share/DOMAINA/users'
and the homedir for user 'DOMAINB\fred' in
'/path/to/share/DOMAINB/users', if you use the path I posted earlier.

Rowland
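
An added example, not part of the original thread: a small check for the case raised above, where the same sAMAccountName exists in several trusted domains. It reads `getent passwd`-style lines (the sample is constructed) and reports which accounts would end up sharing one directory under a flat per-username layout versus a per-domain layout; the `{domain}`/`{user}` templates and the per-user subdirectory are assumptions standing in for smb.conf variable substitution.

```python
from collections import defaultdict

SEP = "\\"  # default 'winbind separator' in smb.conf

# Constructed sample in `getent passwd` format, as winbind lists users
# when 'winbind use default domain' is not set.
SAMPLE_PASSWD = """\
DOMAINA\\fred:*:11001:10513::/home/DOMAINA/fred:/bin/false
DOMAINA\\alice:*:11002:10513::/home/DOMAINA/alice:/bin/false
DOMAINB\\Fred:*:21001:20513::/home/DOMAINB/fred:/bin/false
DOMAINB\\bob:*:21003:20513::/home/DOMAINB/bob:/bin/false
root:x:0:0:root:/root:/bin/bash
"""

# Assumed layouts: {domain} and {user} stand in for smb.conf substitution.
FLAT = "/path/to/share/{user}"
PER_DOMAIN = "/path/to/share/{domain}/users/{user}"


def parse_accounts(passwd_text):
    """Return (domain, user) for every domain-qualified passwd entry."""
    accounts = []
    for line in passwd_text.splitlines():
        name = line.split(":", 1)[0]
        if SEP not in name:
            continue  # local account such as root, not a winbind user
        domain, user = name.split(SEP, 1)
        # Account names are case-insensitive in AD, so compare lowercased.
        accounts.append((domain, user.lower()))
    return accounts


def collisions(accounts, template):
    """Map each directory claimed by more than one account to its owners."""
    owners = defaultdict(list)
    for domain, user in accounts:
        path = template.format(domain=domain, user=user)
        owners[path].append(domain + SEP + user)
    return {p: sorted(o) for p, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE_PASSWD)
    for label, tmpl in (("flat", FLAT), ("per-domain", PER_DOMAIN)):
        print(label, collisions(accts, tmpl) or "no shared directories")
```

To audit a real file server, pass the captured output of `getent passwd` to `parse_accounts` in place of the constructed sample.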