`allow trusted domains = no` and `Unix Users`
Andreas Schneider
asn at samba.org
Mon Sep 4 14:07:23 UTC 2023
On Monday, 4 September 2023 15:05:40 CEST Rowland Penny via samba-technical
wrote:
> On Mon, 04 Sep 2023 14:33:21 +0200
>
> Andreas Schneider <asn at samba.org> wrote:
> > On Monday, 4 September 2023 11:38:11 CEST Rowland Penny via
> >
> > samba-technical wrote:
> > > On Mon, 04 Sep 2023 11:07:10 +0200
> > > Andreas Schneider via samba-technical
> > > <samba-technical at lists.samba.org>
> > >
> > > wrote:
> > > > Hello,
> > > >
> > > > I have a user who set `allow trusted domains = no` in his
> > > > smb.conf. He also set `force user = localuser` on a share.
> > > > However, he is not able to connect to the local share:
> > > >
> > > > [2023/07/27 12:31:43.434346, 3, pid=1019460, effective(0, 0),
> > > > real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
> > > >
> > > > is_allowed_domain: Not trusted domain 'UNIX USER'
> > > >
> > > > [2023/07/27 12:31:43.434350, 3, pid=1019460, effective(0, 0),
> > > > real(0, 0),
> > > > class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
> > > > create_local_token: Authentication failed for user [cortexuser]
> > > > from firewalled domain [UNIX USER]
> > > >
> > > > The change was introduced by
> > > > df5fe2d835169161d3930acf1e9c750dd2bc64b6
> > > >
> > > > Is it by intention that local unix users fall into the "trusted
> > > > domain" category or is this a bug?
> > > >
> > > >
> > > > Best regards
> > > >
> > > > Andreas
> > >
> > > Stop me if I am wrong, but doesn't 'allow trusted domains = no' mean
> > > that you only trust the domain that the computer is part of, so
> > > local users will not be part of that domain.
> >
> > local users are not part of any domain as they are local to the
> > machine. However you can map domain users to local users.
>
> My understanding is that you would require something like idmap_nss to
> map local users to domain users, so if this is the case, wouldn't
> this mean that you couldn't have any domain users on the machine if
> they were not also local users ?
No, not at all, see the `force user` or `username map` options.
>
> > The allow trusted domains documentation says:
> >
> > If it is set to no, then attempts to connect to a resource from a
> > domain or workgroup other than the one which smbd is running in will
> > fail, even if that domain is trusted by the remote server doing the
> > authentication.
> >
> > 'Unix Users' is a special domain for local users and smbd is running
> > in that domain too. It is a local domain.
>
> I think you might find that 'Unix Users' is actually a workgroup.
There is nothing like this in the Windows world. It is a Samba thing ...
> > > Also, as I understand it, if you are trying to connect to the share
> > > as a local user that the domain knows nothing about, you will be
> > > denied access, but if you connect to the share as a known user and
> > > 'force user = localuser' is in the share, then everything would end
> > > up belonging to 'localuser'
> >
> > You do not connect as a local user, you do connect as a domain user,
> > however all share operations will happen under the user you specify
> > with "force user".
>
> Well, yes you do connect as a local user, it is just that Samba maps
> a domain user to a local user. In a domain, using something like
> idmap_rid, the domain users become local users, hence 'getent passwd'
> will display a domain user's Unix details.
This has nothing to do with id mapping. Especially not the bug. The bug is
about 'force user = localunixuser' not working.
Trusted domain is an AD term and it normally means domains having a trust. If
you want, you can say there is always a machine-local trust. If you don't
trust your local machine, you shouldn't be using it in the first place :-)
> My feelings are that if 'allow trusted domains = no' is set, then it
> should do what it says, only trust the domain set in smb.conf, 'Unix
> Users, is not set in smb.conf, so it should not be allowed.
There is no domain Unix Users in the Windows world! It is something Samba
internal!
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
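For triaging this failure from smbd logs, here is an added example (not part of the thread and not Samba's own code) that parses the level-3 debug entries quoted above and flags rejections whose "firewalled domain" is the local Unix user domain. The sample log is constructed from the two entries quoted in the thread plus one invented entry for a genuinely foreign domain; the header layout and the `UNIX USER` domain name are taken from the quoted log.

```python
import re
from dataclasses import dataclass

# Header of one Samba debug entry, in the layout quoted in the thread:
# [date time, level, pid=N, effective(u, g), real(u, g)[, class=X]] file:line(function)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+), pid=(?P<pid>\d+),.*?\] "
    r"(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
# Message create_local_token logs after is_allowed_domain has rejected the domain.
FIREWALLED_RE = re.compile(
    r"create_local_token: Authentication failed for user \[(?P<user>[^\]]*)\] "
    r"from firewalled domain \[(?P<domain>[^\]]*)\]")
LOCAL_DOMAIN = "UNIX USER"  # domain name logged for local Unix accounts in the thread

# Constructed sample: the two entries quoted in the thread plus one invented foreign domain.
SAMPLE_LOG = """\
[2023/07/27 12:31:43.434346, 3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'UNIX USER'
[2023/07/27 12:31:43.434350, 3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [cortexuser] from firewalled domain [UNIX USER]
[2023/07/27 12:32:01.000001, 3, pid=1019461, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [bob] from firewalled domain [OTHERDOM]
"""

@dataclass
class Rejection:
    timestamp: str
    pid: str
    user: str
    domain: str
    local_user_hit: bool  # True when the "firewalled domain" is the local Unix account domain

def parse_entries(text):
    """Pair each debug header with the indented message line(s) that follow it."""
    header = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            header = m.groupdict()
        elif header and raw.strip():
            yield header, raw.strip()

def find_firewalled_rejections(text):
    """Return logons rejected under 'allow trusted domains = no', flagging local-user ones."""
    hits = []
    for header, msg in parse_entries(text):
        m = FIREWALLED_RE.search(msg)
        if m:
            domain = m.group("domain")
            hits.append(Rejection(header["ts"], header["pid"], m.group("user"), domain,
                                  domain.upper() == LOCAL_DOMAIN))
    return hits
```

A `local_user_hit` of True on a share that uses `force user` points at the behaviour discussed in this thread rather than at a real foreign-domain logon.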