[Samba] username map with “security = ads”

Rowland Penny rpenny at samba.org
Thu May 2 15:54:01 UTC 2019

On Thu, 2 May 2019 17:27:27 +0200
Philipp Gesang via samba <samba at lists.samba.org> wrote:

> Hi Louis!
> -<| Quoting L.P.H. van Belle via samba <belle at bazuin.nl>, on
> Thursday, 2019-05-02 03:15:46 PM |>-
> > Not tested, just brain farts ;-)
> > 
> > Setup a member, Allow guest access.  ( in global : guest ok = yes ) 
> > This allows local users to access the server ( not shares )
> > 
> > On the shares 
> > Deny "domain users" and/or authenticated users. 
> > Allow the local group for local users.   
> Not sure if I follow. Is this what you imagined:

What Louis is suggesting is similar to what I suggested, but you will
need 'map to guest = Bad User' in global and 'guest ok = yes' in any

>     [global]
>     guest ok = yes
>
>     [someshare]
>     valid users = @shareusers

> ? I’m not seeing any config option to reject access by all domain
> users.

      invalid users = @domain\ users

There is a slight problem with this: all files and directories in the
share would end up belonging to the guest user (usually 'nobody').
There is also a possibility (if 'invalid users' works like 'valid
users') that your local users will be rejected by the shares.
By the time the user gets to the share it is authenticated, either as
an authenticated (domain) user or as a guest user. If you set 'valid
users' then only the specific user(s) will be allowed access, if a
group is set, then only members of the group will be allowed access. If
a guest user requests access to a share with 'valid users = @shareusers'
set, they will not be allowed access, as by this time they are NOT
members of 'sharemembers', even if the original user is.


> > Not tested but technically it could work.
> > Which is almost the same as a standalone with and without user
> > authentication.   
> We’re testing the split config setup right now, let’s see how
> this works out.
> Thanks!
> Philipp
