`allow trusted domains = no` and `Unix Users`

Rowland Penny rpenny at samba.org
Mon Sep 4 13:05:40 UTC 2023


On Mon, 04 Sep 2023 14:33:21 +0200
Andreas Schneider <asn at samba.org> wrote:

> On Monday, 4 September 2023 11:38:11 CEST Rowland Penny via
> samba-technical wrote:
> > On Mon, 04 Sep 2023 11:07:10 +0200
> > Andreas Schneider via samba-technical
> > <samba-technical at lists.samba.org>
> > 
> > wrote:
> > > Hello,
> > > 
> > > I have a user who set `allow trusted domains = no` in his
> > > smb.conf. He also set `force user = localuser` on a share.
> > > However he is not able to connect to the local share:
> > > 
> > > [2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0),
> > > real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
> > > 
> > >   is_allowed_domain: Not trusted domain 'UNIX USER'
> > > 
> > > [2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0),
> > > real(0, 0),
> > > class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
> > > create_local_token: Authentication failed for user [cortexuser]
> > > from firewalled domain [UNIX USER]
> > > 
> > > The change was introduced by
> > > df5fe2d835169161d3930acf1e9c750dd2bc64b6
> > > 
> > > Is it by intention that local unix users fall into the "trusted
> > > domain" category or is this a bug?
> > > 
> > > 
> > > Best regards
> > > 
> > > 	Andreas
> > 
> > Stop me if I am wrong, but doesn't 'allow trusted domains = no' mean
> > that you only trust the domain that the computer is part of, so
> > local users will not be part of that domain.
> 
> local users are not part of any domain as they are local to the
> machine. However you can map domain users to local users.

My understanding is that you would require something like idmap_nss to
map local users to domain users, so if this is the case, wouldn't
this mean that you couldn't have any domain users on the machine if
they were not also local users?
 
> 
> The allow trusted domains documentation says:
> 
> If it is set to no, then attempts to connect to a resource from a
> domain or workgroup other than the one which smbd is running in will
> fail, even if that domain is trusted by the remote server doing the
> authentication. 

> 'Unix Users' is a special domain for local users and smbd is running
> in that domain too. It is a local domain.

I think you might find that 'Unix Users' is actually a workgroup.

> 
> > Also, as I understand it, if you are trying to connect to the share
> > as a local user that the domain knows nothing about, you will be
> > denied access, but if you connect to the share as a known user and
> > 'force user = localuser' is in the share, then everything would end
> > up belonging to 'localuser'
> 
> You do not connect as a local user, you do connect as a domain user
> however all share operations will happen under the user you specify
> with "force user".

Well, yes you do connect as a local user, it is just that Samba maps
a domain user to a local user. In a domain, using something like
idmap_rid, the domain users become local users, hence 'getent passwd'
will display a domain user's Unix details.

My feelings are that if 'allow trusted domains = no' is set, then it
should do what it says: only trust the domain set in smb.conf. 'Unix
Users' is not set in smb.conf, so it should not be allowed.

Rowland
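As an added example (not code from this thread or from the Samba project), here is a small Python parser for smbd level-3 log lines of the shape quoted above. It pulls out each "Authentication failed for user [...] from firewalled domain [...]" event emitted by create_local_token and flags those where the rejected domain is 'UNIX USER', which is the local-user case this thread is about, so an operator can tell a genuinely foreign domain being blocked by 'allow trusted domains = no' apart from local users being caught by the same check. The sample log is constructed (modelled on the excerpt quoted in the thread, with a second, invented domain added for contrast); the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the smbd level-3 excerpt quoted in the
# thread. The second pair of lines (domain 'OTHERDOM', user 'bob') is invented
# to show a foreign-domain rejection next to the local-user one.
SAMPLE_LOG = """\
[2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'UNIX USER'
[2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [cortexuser] from firewalled domain [UNIX USER]
[2023/07/27 12:32:01.000000,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'OTHERDOM'
[2023/07/27 12:32:01.000100,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [bob] from firewalled domain [OTHERDOM]
"""

# smbd prints a header line "[timestamp, level, pid=..., ...] file:line(function)"
# followed by the message itself on the next line.
TIMESTAMP_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),")
AUTH_FAILED_RE = re.compile(
    r"create_local_token: Authentication failed for user \[([^\]]*)\] "
    r"from firewalled domain \[([^\]]*)\]"
)

# The special domain smbd uses for local accounts, as seen in the log above.
LOCAL_UNIX_DOMAIN = "UNIX USER"


@dataclass
class FirewalledAuth:
    """One authentication rejected because its domain is not allowed."""
    timestamp: str
    user: str
    domain: str
    local_user: bool  # True when the 'domain' is really the local Unix user set


def parse_firewalled_auths(log_text: str) -> List[FirewalledAuth]:
    """Return the firewalled-domain rejections found in an smbd log excerpt."""
    events: List[FirewalledAuth] = []
    current_ts: Optional[str] = None
    for line in log_text.splitlines():
        header = TIMESTAMP_RE.match(line)
        if header:
            # Remember the timestamp; the message follows on the next line.
            current_ts = header.group(1)
            continue
        msg = AUTH_FAILED_RE.search(line)
        if msg:
            user, domain = msg.groups()
            events.append(FirewalledAuth(
                timestamp=current_ts or "",
                user=user,
                domain=domain,
                local_user=(domain.upper() == LOCAL_UNIX_DOMAIN),
            ))
    return events


def summarize(events: List[FirewalledAuth]) -> dict:
    """Split rejections into local-user hits and foreign-domain hits."""
    return {
        "local_users_blocked": sorted(e.user for e in events if e.local_user),
        "foreign_domains_blocked": sorted({e.domain for e in events if not e.local_user}),
    }


if __name__ == "__main__":
    found = parse_firewalled_auths(SAMPLE_LOG)
    for e in found:
        kind = "local user" if e.local_user else "foreign domain"
        print(f"{e.timestamp}  {kind:14s}  user={e.user}  domain={e.domain}")
    print(summarize(found))
```

Running this over a real log (e.g. piping log.smbd through it at log level 3) tells you at a glance whether 'allow trusted domains = no' is rejecting foreign domains as intended or also catching local accounts behind a 'force user' share, which is the behaviour the thread is debating.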
