[Samba] Mac OS and interpretation of @ in a username. Ex user at mds.xyz doesn't work on Mac OS but does on Win 10

Rowland penny rpenny at samba.org
Sat Feb 22 09:04:34 UTC 2020

On 21/02/2020 23:10, TomK wrote:
> On 2/21/2020 2:24 PM, Rowland penny via samba wrote:
>> On 21/02/2020 19:06, torch via samba wrote:
>>> Am I missing something?  I don’t see where you are using the ‘@‘ 
>>> symbol anywhere.
>>> Mac is probably interpreting the parameters “valid users” and “write 
>>> list" (correctly, I think ;-) as a LIST of 3 users: joe, at, mds.xyz 
>>> or bob, at, mds.xyz.
>>> torch
>> My question would be 'why is the OP trying to login using what 
>> appears to be a UPN to something (standalone server) that doesn't use 
>> kerberos ?'
>> More info required.
>> Rowland
> Valid question.
> The target server, let's call it nfs03.nix.mds.xyz shares a path via 
> both CIFS and NFS. The said server, nfs03, is Kerberized via SSSD to a 
> set of FreeIPA servers.  The FreeIPA servers in turn have a trust with 
> the AD DC domain mds.xyz .
> nfs03 <-> FreeIPA <-> AD DC
> So joe at mds.xyz is an AD user presented via FreeIPA on nfs03.
> [root at nfs03 samba]# id joe at mds.xyz
> uid=166602204(joe at mds.xyz) gid=166602204(joe at mds.xyz) 
> groups=166602204(joe at mds.xyz),1843300089(domain-users)
> [root at nfs03 samba]#
> Running
> id joe
> doesn't work of course.  Doesn't exist.   mds.xyz is the AD domain.  
> There are other domains and other users on those different domains, 
> such as drew at nix.mds.xyz, who doesn't exist in AD and is only local to 
> Linux servers.  We also need to distinguish a user1 at mds.xyz vs a 
> user1 at nix.mds.xyz for example. So need to use the domain, at least for 
> now.
> Using joe won't work in samba since it checks the OS to verify the 
> user exists.  So need to use joe at mds.xyz however Samba, rightly so, 
> splits this string up into what it things is the user, 'joe' and host 
> 'mds.xyz'.  I'm looking for a way to suppress this so it doesn't split 
> up joe at mds.xyz .
Using 'joe at mds.xyz' isn't going to work against a standalone samba 
server (well, not unless you create a user called joe at mds.xyz on it) 
because it isn't a domain member.


More information about the samba mailing list