[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10

TomK tomkcpr at mdevsys.com
Fri Feb 21 23:10:40 UTC 2020

On 2/21/2020 2:24 PM, Rowland penny via samba wrote:
> On 21/02/2020 19:06, torch via samba wrote:
>> Am I missing something?  I don’t see where you are using the ‘@‘ 
>> symbol anywhere.
>> Mac is probably interpreting the parameters “valid users” and “write 
>> list" (correctly, I think ;-) as a LIST of 3 users: joe, at, mds.xyz 
>> or bob, at, mds.xyz.
>> torch
> My question would be 'why is the OP trying to login using what appears 
> to be a UPN to something (standalone server) that doesn't use kerberos ?'
> More info required.
> Rowland
Valid question.

The target server, let's call it nfs03.nix.mds.xyz shares a path via 
both CIFS and NFS. The said server, nfs03, is Kerberized via SSSD to a 
set of FreeIPA servers.  The FreeIPA servers in turn have a trust with 
the AD DC domain mds.xyz .

nfs03 <-> FreeIPA <-> AD DC

So joe@mds.xyz is an AD user presented via FreeIPA on nfs03.

[root@nfs03 samba]# id joe@mds.xyz
uid=166602204(joe@mds.xyz) gid=166602204(joe@mds.xyz) groups=166602204(joe@mds.xyz),1843300089(domain-users)
[root@nfs03 samba]#


id joe

doesn't work of course.  Doesn't exist.   mds.xyz is the AD domain.  
There are other domains and other users on those different domains, such 
as drew@nix.mds.xyz, who doesn't exist in AD and is only local to Linux 
servers.  We also need to distinguish a user1@mds.xyz vs a 
user1@nix.mds.xyz for example. So need to use the domain, at least for now.

Using joe won't work in samba since it checks the OS to verify the user 
exists.  So need to use joe@mds.xyz however Samba, rightly so, splits 
this string up into what it thinks is the user, 'joe' and host 
'mds.xyz'.  I'm looking for a way to suppress this so it doesn't split 
up joe@mds.xyz .

"Sadly this really appears to be a client issue.  You see there the
string Samba gets, so by the time Samba tries to process it the @ is
already interpreted and the string split.


Andrew Bartlett"

Yeah, wondering if there is a way to tell Samba NOT to split that up and treat joe@mds.xyz as a single user.  This works fine in Win 10 so I agree, it's probably a client SMB configuration issue but would like to know exactly what that config issue is.

