[Samba] Mac OS and interpretation of @ in a username. Ex user at mds.xyz doesn't work on Mac OS but does on Win 10

TomK tomkcpr at mdevsys.com
Sat Feb 22 01:48:51 UTC 2020

On 2/21/2020 6:10 PM, TomK via samba wrote:
> On 2/21/2020 2:24 PM, Rowland penny via samba wrote:
>> On 21/02/2020 19:06, torch via samba wrote:
>>> Am I missing something?  I don’t see where you are using the ‘@‘ 
>>> symbol anywhere.
>>> Mac is probably interpreting the parameters “valid users” and “write 
>>> list" (correctly, I think ;-) as a LIST of 3 users: joe, at, mds.xyz 
>>> or bob, at, mds.xyz.
>>> torch
>> My question would be 'why is the OP trying to login using what appears 
>> to be a UPN to something (standalone server) that doesn't use kerberos ?'
>> More info required.
>> Rowland
> Valid question.
> The target server, let's call it nfs03.nix.mds.xyz shares a path via 
> both CIFS and NFS. The said server, nfs03, is Kerberized via SSSD to a 
> set of FreeIPA servers.  The FreeIPA servers in turn have a trust with 
> the AD DC domain mds.xyz .
> nfs03 <-> FreeIPA <-> AD DC
> So joe at mds.xyz is an AD user presented via FreeIPA on nfs03.
> [root at nfs03 samba]# id joe at mds.xyz
> uid=166602204(joe at mds.xyz) gid=166602204(joe at mds.xyz) 
> groups=166602204(joe at mds.xyz),1843300089(domain-users)
> [root at nfs03 samba]#
> Running
> id joe
> doesn't work of course.  Doesn't exist.   mds.xyz is the AD domain. 
> There are other domains and other users on those different domains, such 
> as drew at nix.mds.xyz, who doesn't exist in AD and is only local to Linux 
> servers.  We also need to distinguish a user1 at mds.xyz vs a 
> user1 at nix.mds.xyz for example. So need to use the domain, at least for now.
> Using joe won't work in samba since it checks the OS to verify the user 
> exists.  So need to use joe at mds.xyz however Samba, rightly so, splits 
> this string up into what it things is the user, 'joe' and host 
> 'mds.xyz'.  I'm looking for a way to suppress this so it doesn't split 
> up joe at mds.xyz .

Therefore, yes, UPN.

> "Sadly this really appears to be is a client issue.  You see there the
> string Samba gets, so by the time Samba tries the process it the @ is
> already interpreted and the string split.
> Sorry!
> Andrew Bartlett"
> Yeah, wondering if there is a way to tell Samba NOT to split that up and 
> treat joe at mds.xyz as a single user.  This works fine in Win 10 so I 
> agree, it's probably a client SMB configuration issue but would like to 
> know exactly what that config issue is.

  + or what paramaters I could change to ensure the string isn't split up.


More information about the samba mailing list