`allow trusted domains = no` and `Unix Users`

Andreas Schneider asn at samba.org
Mon Sep 4 14:07:23 UTC 2023


On Monday, 4 September 2023 15:05:40 CEST Rowland Penny via samba-technical 
wrote:
> On Mon, 04 Sep 2023 14:33:21 +0200
> 
> Andreas Schneider <asn at samba.org> wrote:
> > On Monday, 4 September 2023 11:38:11 CEST Rowland Penny via
> > 
> > samba-technical wrote:
> > > On Mon, 04 Sep 2023 11:07:10 +0200
> > > Andreas Schneider via samba-technical
> > > <samba-technical at lists.samba.org>
> > > 
> > > wrote:
> > > > Hello,
> > > > 
> > > > I have a user who set `allow trusted domains = no` in his
> > > > smb.conf. He also set `force user = localuser` on a share.
> > > > However he is not able to connect to the local share:
> > > > 
> > > > [2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0),
> > > > real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
> > > > 
> > > >   is_allowed_domain: Not trusted domain 'UNIX USER'
> > > > 
> > > > [2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0),
> > > > real(0, 0),
> > > > class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
> > > > create_local_token: Authentication failed for user [cortexuser]
> > > > from firewalled domain [UNIX USER]
> > > > 
> > > > The change was introduced by
> > > > df5fe2d835169161d3930acf1e9c750dd2bc64b6
> > > > 
> > > > Is it by intention that local unix users fall into the "trusted
> > > > domain" category or is this a bug?
> > > > 
> > > > 
> > > > Best regards
> > > > 
> > > > 	Andreas
> > > 
> > > Stop me if I am wrong, but doesn't 'allow trusted domains = no' mean
> > > that you only trust the domain that the computer is part of, so
> > > local users will not be part of that domain.
> > 
> > local users are not part of any domain as they are local to the
> > machine. However you can map domain users to local users.
> 
> My understanding is that you would require something like idmap_nss to
> map local users to domain users, so if this is the case, wouldn't
> this mean that you couldn't have any domain users on the machine if
> they were not also local users ?

No, not at all, see `force user` or `username map` options.

> 
> > The allow trusted domains documentation says:
> > 
> > If it is set to no, then attempts to connect to a resource from a
> > domain or workgroup other than the one which smbd is running in will
> > fail, even if that domain is trusted by the remote server doing the
> > authentication.
> > 
> > 'Unix Users' is a special domain for local users and smbd is running
> > in that domain too. It is a local domain.
> 
> I think you might find that 'Unix Users' is actually a workgroup.

There is nothing like this in the Windows world. It is a Samba thing ...

> > > Also, as I understand it, if you are trying to connect to the share
> > > as a local user that the domain knows nothing about, you will be
> > > denied access, but if you connect to the share as a known user and
> > > 'force user = localuser' is in the share, then everything would end
> > > up belonging to 'localuser'
> > 
> > You do not connect as a local user, you do connect as a domain user
> > however all share operations will happen under the user you specify
> > with "force user".
> 
> Well, yes you do connect as a local user, it is just that Samba maps
> a domain user to a local user. In a domain, using something like
> idmap_rid, the domain users become local users, hence 'getent passwd'
> will display a domain user's Unix details.

This has nothing to do with id mapping. Especially not the bug. The bug is 
about 'force user = localunixuser' not working.

Trusted domain is an AD term and it means normally domains having a trust. If 
you want, you can say there is always a machine local trust. If you don't 
trust your local machine, you shouldn't be using it in the first place :-)

> My feelings are that if 'allow trusted domains = no' is set, then it
> should do what it says, only trust the domain set in smb.conf, 'Unix
> Users' is not set in smb.conf, so it should not be allowed.

There is no domain Unix Users in the Windows world! It is something Samba 
internal!


	Andreas


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
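A constructed example, not part of the thread and not Samba project code: a small Python triage script for smbd level-3 logs of the shape quoted in the thread. It separates `create_local_token` rejections of Samba's internal 'UNIX USER' pseudo-domain (a local account blocked, which is the behaviour the report describes) from rejections of a genuinely foreign domain (what `allow trusted domains = no` is documented to do). The sample log is built from the two entries quoted above, unwrapped to one header line plus one message line each, plus an invented entry for a user named bob from a domain named OTHERDOM; the header/message layout and the regular expressions are assumptions derived from those entries.

```python
"""Triage smbd 'allow trusted domains = no' rejections in a level-3 log.

Added example, not Samba code.  smbd writes a header line and then the
message on the following line; both regexes below are modelled on the
two entries quoted in the thread and are assumptions, not Samba's spec.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Sequence, Tuple

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+)[^\]]*\]\s+(?P<src>\S+)\((?P<func>\w+)\)\s*$"
)
NOT_TRUSTED_RE = re.compile(
    r"is_allowed_domain: Not trusted domain '(?P<domain>[^']*)'")
AUTH_FAILED_RE = re.compile(
    r"create_local_token: Authentication failed for user \[(?P<user>[^\]]*)\]"
    r" from firewalled domain \[(?P<domain>[^\]]*)\]")

# Samba-internal pseudo-domain for local Unix accounts, logged as 'UNIX USER'.
# The thread's point is that this is not a foreign trusted domain.
LOCAL_PSEUDO_DOMAINS = {"UNIX USER"}


@dataclass
class FirewalledAuthFailure:
    timestamp: str
    pid: int
    user: str
    domain: str
    local_pseudo_domain: bool  # True: a local user was blocked (the reported bug)


def iter_entries(lines: Sequence[str]) -> Iterator[Tuple["re.Match", str]]:
    """Pair each smbd header line with the message line that follows it."""
    header = None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            header = m
        elif header is not None and line.strip():
            yield header, line.strip()
            header = None


def find_firewalled_failures(lines: Sequence[str]) -> List[FirewalledAuthFailure]:
    """Return every create_local_token rejection caused by the domain firewall."""
    failures = []
    for header, msg in iter_entries(lines):
        m = AUTH_FAILED_RE.search(msg)
        if not m:
            continue
        domain = m.group("domain")
        failures.append(FirewalledAuthFailure(
            timestamp=header.group("ts"),
            pid=int(header.group("pid")),
            user=m.group("user"),
            domain=domain,
            local_pseudo_domain=domain.upper() in LOCAL_PSEUDO_DOMAINS,
        ))
    return failures


def rejected_domains(lines: Sequence[str]) -> Dict[str, int]:
    """Count is_allowed_domain rejections per domain name."""
    counts: Dict[str, int] = {}
    for _header, msg in iter_entries(lines):
        m = NOT_TRUSTED_RE.search(msg)
        if m:
            counts[m.group("domain")] = counts.get(m.group("domain"), 0) + 1
    return counts


def summarize(lines: Sequence[str]) -> Dict[str, int]:
    """Split failures into 'local user blocked' (bug) vs 'foreign domain blocked' (intended)."""
    failures = find_firewalled_failures(lines)
    local = sum(1 for f in failures if f.local_pseudo_domain)
    return {"local_user_blocked": local,
            "foreign_domain_blocked": len(failures) - local}


# Constructed sample: the two entries quoted in the thread, unwrapped, plus an
# invented pair for user 'bob' from a foreign domain 'OTHERDOM'.
SAMPLE_LOG = """\
[2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'UNIX USER'
[2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [cortexuser] from firewalled domain [UNIX USER]
[2023/07/27 12:32:01.000100,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'OTHERDOM'
[2023/07/27 12:32:01.000120,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [bob] from firewalled domain [OTHERDOM]
""".splitlines()


if __name__ == "__main__":
    for f in find_firewalled_failures(SAMPLE_LOG):
        kind = "LOCAL USER BLOCKED (bug)" if f.local_pseudo_domain else "foreign domain blocked"
        print(f"{f.timestamp} pid={f.pid} user={f.user} domain={f.domain}: {kind}")
    print(summarize(SAMPLE_LOG))
```

Point it at a real `log.smbd` captured with `log level = 3` (or `3 auth:3`); any entry counted under `local_user_blocked` is a local account, typically one reached through `force user` or `username map`, that the domain firewall has rejected as if it belonged to a foreign trusted domain.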