[Samba] SAMBA 4 "username" parameter

Robert Marcano robert at marcanoonline.com
Tue Oct 20 15:19:57 UTC 2020

On 10/20/20 10:50 AM, Rowland penny via samba wrote:
> On 20/10/2020 15:36, Fernando Gonçalves wrote:
>> The "valid users" parameter already existed in version 3 of the SAMBA 
>> and indicated which users were allowed to access the share.
>> The "username" parameter indicated which user should be used when it 
>> was not defined at the time of mapping.
> No, 'username' was meant to be used in the same way as 'valid users', 
> but for only one user (and you were also supposed to set 'only user' as 
> well, but that has gone as well). Have you tried setting 'valid users = 
> Rowland

I still have some old Samba VMs for domain migration testing, and 
checked the documentation of that old parameter:

    Multiple users may be specified in a comma-delimited list, in which
    case the supplied password will be tested against each username in
    turn (left to right).

    The deprecated username line is needed only when the PC is unable to
    supply its own username. This is the case for the COREPLUS protocol
    or where your users have different WfWg usernames to UNIX usernames.
    In both these cases you may also be better using the
    \\server\share%user syntax instead.

    The username line is not a great solution in many cases as it means
    Samba will try to validate the supplied password against each of the
    usernames in the username line in turn. This is slow and a bad idea
    for lots of users in case of duplicate passwords. You may get timeouts
    or security breaches using this parameter unwisely.

    Samba relies on the underlying UNIX security. This parameter does not
    restrict who can login, it just offers hints to the Samba server as to
    what usernames might correspond to the supplied password. Users can
    login as whoever they please and they will be able to do no more
    damage than if they started a telnet session. The daemon runs as the
    user that they log in as, so they cannot do anything that user cannot
    do.

Looks like there is no workaround; it just tested the user password 
(standalone servers?) on multiple usernames and selected the user that 
matched. 'valid users' is more to restrict what users can connect to the 
share, but it doesn't try them all with the password.
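As an added illustration (not part of the list post or of Samba itself), the script below audits an smb.conf for shares that still carry the old 'username' or 'only user' lines the thread discusses, and reports which shares have no 'valid users' restriction at all. The parser is a deliberately minimal, hand-written one (it understands sections, 'key = value' lines and '#'/';' comments, and normalises keys the way Samba does), and the configuration it runs over is a constructed sample, not a real server's file.

```python
"""Audit an smb.conf for the deprecated 'username' / 'only user' parameters.

Added example; not code from the Samba project or the mailing-list post.
'username' made smbd test the supplied password against every listed
account in turn (the behaviour quoted from the old manpage above), whereas
'valid users' restricts which accounts may connect without trying them all.
"""
import re
from typing import Dict, List

# Parameters that were deprecated in Samba 3 and are gone in Samba 4
# (per the thread). Both names are taken from the post.
DEPRECATED = {"username", "only user"}

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [sections], 'key = value' lines, comments
    starting with '#' or ';'. Keys are lower-cased and whitespace-collapsed,
    matching how Samba treats 'Valid   Users' and 'valid users' alike."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a parameter
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per problem found in the share sections."""
    findings: List[str] = []
    for share, params in sections.items():
        if share == "global":
            continue
        for name in sorted(DEPRECATED & set(params)):
            accounts = [a.strip() for a in params[name].split(",") if a.strip()]
            findings.append(
                f"[{share}]: '{name}' is deprecated/removed in Samba 4; "
                f"password would be tried against {len(accounts)} account(s): "
                f"{', '.join(accounts)}"
            )
        if "valid users" not in params:
            findings.append(
                f"[{share}]: no 'valid users' set, so the share is not "
                f"restricted to particular accounts"
            )
    return findings


# Constructed sample configuration (not taken from any real server).
CONSTRUCTED_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = user

; legacy share copied over from a Samba 3 server
[scans]
   path = /srv/scans
   username = alice, bob, carol
   only user = yes

[projects]
   path = /srv/projects
   Valid Users = alice, @engineering
   read only = no

[public]
   path = /srv/public
"""


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(CONSTRUCTED_SMB_CONF)):
        print(finding)
```

Run against the sample, it flags the 'scans' share twice (once per removed parameter) and notes that both 'scans' and 'public' lack a 'valid users' line; 'projects' passes. Samba's own testparm will also complain about parameters it no longer knows, so this is a complement to, not a replacement for, running testparm before a migration.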
