[Samba] SAMBA 4 "username" parameter
robert at marcanoonline.com
Tue Oct 20 15:19:57 UTC 2020
On 10/20/20 10:50 AM, Rowland penny via samba wrote:
> On 20/10/2020 15:36, Fernando Gonçalves wrote:
>> The "valid users" parameter already existed in version 3 of SAMBA
>> and indicated which users were allowed to access the share.
>> The "username" parameter indicated which user should be used when it
>> was not defined at the time of mapping.
> No, 'username' was meant to be used in the same way as 'valid users',
> but for only one user (and you were also supposed to set 'only user' as
> well, but that has gone as well). Have you tried setting 'valid users =
> THE_USERS_NAME' ?
I still have some old Samba VMs for domain migration testing, and
checked the documentation of that old parameter:

Multiple users may be specified in a comma-delimited list, in which case
the supplied password will be tested against each username in turn (left
to right).

The deprecated username line is needed only when the PC is unable to
supply its own username. This is the case for the COREPLUS protocol or
where your users have different WfWg usernames to UNIX usernames. In both
these cases you may also be better using the \\server\share%user syntax
instead.

The username line is not a great solution in many cases as it means Samba
will try to validate the supplied password against each of the usernames
in the username line in turn. This is slow and a bad idea for lots of
users in case of duplicate passwords. You may get timeouts or security
breaches using this parameter unwisely.

Samba relies on the underlying UNIX security. This parameter does not
restrict who can login, it just offers hints to the Samba server as to
what usernames might correspond to the supplied password. Users can login
as whoever they please and they will be able to do no more damage than if
they started a telnet session. The daemon runs as the user that they log
in as, so they cannot do anything that user cannot do.

Looks like there is no workaround; it just tested the user password
(standalone servers?) on multiple usernames and selected the user that
matched. 'valid users' is more to restrict which users can connect to the
share, but it doesn't try them all with the password.
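
A simplified model of the two behaviours discussed in this thread, added here as an illustration (it is not Samba's code and not part of the original post). The account table, passwords and function names are constructed for the example; it shows why the old documentation warns about duplicate passwords with a 'username' list.

```python
import hashlib
import hmac


def _h(password):
    """Hash used by this demo's constructed account table."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed accounts: alice and bob happen to share a password.
ACCOUNTS = {"alice": _h("Spring2020"), "bob": _h("Spring2020"), "carol": _h("x9!kQ")}


def check_password(user, password):
    stored = ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(stored, _h(password))


def legacy_username_login(username_line, password):
    """Model of the old 'username' hint list when the client sends no username:
    the password is tried against each listed name, left to right, and the
    session runs as the first name that matches."""
    for user in (u.strip() for u in username_line.split(",")):
        if check_password(user, password):
            return user
    return None


def valid_users_login(valid_users, client_user, password):
    """Model of 'valid users': the client names the account itself; the list
    only restricts who may connect and is never iterated with the password."""
    allowed = {u.strip() for u in valid_users.split(",")}
    if client_user in allowed and check_password(client_user, password):
        return client_user
    return None


if __name__ == "__main__":
    # bob types his own password, but the hint list maps him to alice.
    print(legacy_username_login("alice, bob", "Spring2020"))
    # With 'valid users' the identity comes from the client, not from a guess.
    print(valid_users_login("alice, bob", "bob", "Spring2020"))
```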