`allow trusted domains = no` and `Unix Users`

Andreas Schneider asn at samba.org
Mon Sep 4 12:33:21 UTC 2023


On Monday, 4 September 2023 11:38:11 CEST Rowland Penny via samba-technical wrote:
> On Mon, 04 Sep 2023 11:07:10 +0200
> Andreas Schneider via samba-technical <samba-technical at lists.samba.org> wrote:
> > Hello,
> > 
> > I have a user who set `allow trusted domains = no` in his smb.conf.
> > He also set `force user = localuser` on a share. However he is not
> > able to connect to the local share:
> > 
> > [2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
> >   is_allowed_domain: Not trusted domain 'UNIX USER'
> > 
> > [2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
> >   create_local_token: Authentication failed for user [cortexuser] from firewalled domain [UNIX USER]
> > 
> > The change was introduced by df5fe2d835169161d3930acf1e9c750dd2bc64b6
> > 
> > Is it by intention that local unix users fall into the "trusted
> > domain" category or is this a bug?
> > 
> > 
> > Best regards
> > 
> > 	Andreas
> 
> Stop me if I am wrong, but doesn't 'allow trusted domains = no' mean
> that you only trust the domain that the computer is part of, so local
> users will not be part of that domain?

Local users are not part of any domain as they are local to the machine.
However, you can map domain users to local users.

The allow trusted domains documentation says:

If it is set to no, then attempts to connect to a resource from a domain or
workgroup other than the one which smbd is running in will fail, even if that
domain is trusted by the remote server doing the authentication.

'Unix Users' is a special domain for local users and smbd is running in that 
domain too. It is a local domain.

> Also, as I understand it, if you are trying to connect to the share as
> a local user that the domain knows nothing about, you will be denied access,
> but if you connect to the share as a known user and 'force user =
> localuser' is in the share, then everything would end up belonging to
> 'localuser'.

You do not connect as a local user, you connect as a domain user; however,
all share operations will happen under the user you specify with "force user".


	Andreas


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
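As an added example (not part of the thread and not Samba project code), a small Python script that scans smbd debug-level-3 output for the create_local_token rejections quoted above and separates rejections of the local 'UNIX USER' domain, the case discussed in this thread, from rejections of genuinely foreign domains, which is what `allow trusted domains = no` is documented to block. The sample log lines are constructed from the ones quoted in the thread; the OTHERDOM entry is an assumed addition for contrast.

```python
import re
from collections import Counter

# Constructed sample of smbd debug-level-3 output, modelled on the lines
# quoted in the thread, plus one rejection from a genuinely foreign domain.
SAMPLE_LOG = """\
[2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'UNIX USER'
[2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [cortexuser] from firewalled domain [UNIX USER]
[2023/07/27 12:32:01.000001,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'OTHERDOM'
[2023/07/27 12:32:01.000005,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [bob] from firewalled domain [OTHERDOM]
"""

# Name smbd uses for the local-user pseudo domain in these messages.
LOCAL_DOMAIN = "UNIX USER"

# Matches the create_local_token rejection emitted for a firewalled domain.
FAILED_RE = re.compile(
    r"Authentication failed for user \[(?P<user>[^\]]*)\]"
    r" from firewalled domain \[(?P<domain>[^\]]*)\]"
)

def parse_firewalled_failures(log_text):
    """Return (user, domain) pairs, in log order, for every rejection."""
    return [(m.group("user"), m.group("domain")) for m in FAILED_RE.finditer(log_text)]

def summarize(log_text):
    """Separate rejections of the local 'UNIX USER' domain (a local account,
    e.g. a 'force user' target, treated as untrusted: the case in this thread)
    from rejections of foreign domains, which the setting is documented to block."""
    failures = parse_firewalled_failures(log_text)
    return {
        "local_user_rejections": [u for u, d in failures if d == LOCAL_DOMAIN],
        "foreign_domain_counts": Counter(d for _, d in failures if d != LOCAL_DOMAIN),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user in report["local_user_rejections"]:
        print(f"local user '{user}' rejected as domain '{LOCAL_DOMAIN}'")
    for domain, n in report["foreign_domain_counts"].items():
        print(f"{n} rejection(s) from foreign domain '{domain}'")
```

Feed it the output of a level-3 `log level` run (or `smbd -d3`) to see at a glance whether a failing share connection hit the local-user case or an actual foreign domain.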