[Samba] Mac OS and interpretation of @ in a username. Ex user at mds.xyz doesn't work on Mac OS but does on Win 10
rpenny at samba.org
Sat Feb 22 09:04:34 UTC 2020
On 21/02/2020 23:10, TomK wrote:
> On 2/21/2020 2:24 PM, Rowland penny via samba wrote:
>> On 21/02/2020 19:06, torch via samba wrote:
>>> Am I missing something? I don’t see where you are using the ‘@‘
>>> symbol anywhere.
>>> Mac is probably interpreting the parameters “valid users” and “write
>>> list" (correctly, I think ;-) as a LIST of 3 users: joe, at, mds.xyz
>>> or bob, at, mds.xyz.
>> My question would be 'why is the OP trying to login using what
>> appears to be a UPN to something (standalone server) that doesn't use
>> kerberos ?'
>> More info required.
> Valid question.
> The target server, let's call it nfs03.nix.mds.xyz shares a path via
> both CIFS and NFS. The said server, nfs03, is Kerberized via SSSD to a
> set of FreeIPA servers. The FreeIPA servers in turn have a trust with
> the AD DC domain mds.xyz .
> nfs03 <-> FreeIPA <-> AD DC
> So joe at mds.xyz is an AD user presented via FreeIPA on nfs03.
> [root at nfs03 samba]# id joe at mds.xyz
> uid=166602204(joe at mds.xyz) gid=166602204(joe at mds.xyz)
> groups=166602204(joe at mds.xyz),1843300089(domain-users)
> [root at nfs03 samba]#
> id joe
> doesn't work of course. Doesn't exist. mds.xyz is the AD domain.
> There are other domains and other users on those different domains,
> such as drew at nix.mds.xyz, who doesn't exist in AD and is only local to
> Linux servers. We also need to distinguish a user1 at mds.xyz vs a
> user1 at nix.mds.xyz for example. So need to use the domain, at least for
> Using joe won't work in samba since it checks the OS to verify the
> user exists. So need to use joe at mds.xyz however Samba, rightly so,
> splits this string up into what it things is the user, 'joe' and host
> 'mds.xyz'. I'm looking for a way to suppress this so it doesn't split
> up joe at mds.xyz .
Using 'joe at mds.xyz' isn't going to work against a standalone samba
server (well, not unless you create a user called joe at mds.xyz on it)
because it isn't a domain member.
More information about the samba