`allow trusted domains = no` and `Unix Users`

Rowland Penny rpenny at samba.org
Mon Sep 4 14:32:57 UTC 2023


On Mon, 04 Sep 2023 16:07:23 +0200
Andreas Schneider <asn at samba.org> wrote:

> On Monday, 4 September 2023 15:05:40 CEST Rowland Penny via
> samba-technical wrote:
> > On Mon, 04 Sep 2023 14:33:21 +0200
> > 
> > Andreas Schneider <asn at samba.org> wrote:
> > > On Monday, 4 September 2023 11:38:11 CEST Rowland Penny via
> > > 
> > > samba-technical wrote:
> > > > On Mon, 04 Sep 2023 11:07:10 +0200
> > > > Andreas Schneider via samba-technical
> > > > <samba-technical at lists.samba.org>
> > > > 
> > > > wrote:
> > > > > Hello,
> > > > > 
> > > > > I have a user who set `allow trusted domains = no` in his
> > > > > smb.conf. He also set `force user = localuser` on a share.
> > > > > However he is not able to connect to the local share:
> > > > > 
> > > > > [2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0),
> > > > > real(0,
> > > > > 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
> > > > > 
> > > > >   is_allowed_domain: Not trusted domain 'UNIX USER'
> > > > > 
> > > > > [2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0),
> > > > > real(0, 0),
> > > > > class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
> > > > > create_local_token: Authentication failed for user
> > > > > [cortexuser] from firewalled domain [UNIX USER]
> > > > > 
> > > > > The change was introduced by
> > > > > df5fe2d835169161d3930acf1e9c750dd2bc64b6
> > > > > 
> > > > > Is it by intention that local unix users fall into the
> > > > > "trusted domain" category or is this a bug?
> > > > > 
> > > > > 
> > > > > Best regards
> > > > > 
> > > > > 	Andreas
> > > > 
> > > > Stop me if I am wrong, but doesn't 'allow trusted domains = no'
> > > > mean that you only trust the domain that the computer is part
> > > > of, so local users will not be part of that domain.
> > > 
> > > local users are not part of any domain as they are local to the
> > > machine. However you can map domain users to local users.
> > 
> > My understanding is that you would require something like idmap_nss
> > to map local users to domain users, so if this is the case, wouldn't
> > this mean that you couldn't have any domain users on the machine if
> > they were not also local users ?
> 
> No, not at all, see `force user` or `username map` options.

I could understand this if 'allow trusted domains = yes' was set and
then local users were trusted.

> 
> > 
> > > The allow trusted domains documentation says:
> > > 
> > > If it is set to no, then attempts to connect to a resource from a
> > > domain or workgroup other than the one which smbd is running in
> > > will fail, even if that domain is trusted by the remote server
> > > doing the authentication.
> > > 
> > > 'Unix Users' is a special domain for local users and smbd is
> > > running in that domain too. It is a local domain.
> > 
> > I think you might find that 'Unix Users' is actually a workgroup.
> 
> There is nothing like this in the Windows world. It is a Samba
> thing ...

I could have sworn that in the dark and deepest past I ran something
called 'Windows for workgroups', you know, that thing that came before
domains. Oh well, I must have dreamt it ;-(

> 
> > > > Also, as I understand it, if you are trying to connect to the
> > > > share as a local user that the domain knows nothing about, you
> > > > will be denied access, but if you connect to the share as a
> > > > known user and 'force user = localuser' is in the share, then
> > > > everything would end up belonging to 'localuser'
> > > 
> > > You do not connect as a local user, you do connect as a domain
> > > user however all share operations will happen under the user you
> > > specify with "force user".
> > 
> > Well, yes you do connect as a local user, it is just that Samba maps
> > a domain user to a local user. In a domain, using something like
> > idmap_rid, the domain users become local users, hence 'getent
> > passwd' will display a domain user's Unix details.
> 
> This has nothing to do with id mapping. Especially not the bug. The
> bug is about 'force user = localunixuser' not working.

The bug (if it is a bug), in my opinion, is not that 'force user' isn't
working, it is that the user is getting rejected before it gets
anywhere near the share.

> 
> Trusted domain is an AD term and it means normally domains having a
> trust. If you want you can say there is always a machine local
> trust. If you don't trust your local machine, you shouldn't be using
> it in the first place :-)

Well yes, but 'allow trusted domains = no' should mean just that, do not
allow any trusted domains.

> 
> > My feelings are that if 'allow trusted domains = no' is set, then it
> > should do what it says, only trust the domain set in smb.conf, 'Unix
> > Users' is not set in smb.conf, so it should not be allowed.
> 
> There is no domain Unix Users in the Windows world! It is something
> Samba internal!

In that case, why do you see 'Unix Users' in Windows permissions on
Windows machines ?

Rowland

> 
> 
> 	Andreas
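For an admin hitting the same rejection, the quickest way to confirm that it is the `allow trusted domains = no` / `Unix Users` interaction (rather than a share-level `force user` problem) is to pull the user and domain out of the level-3 smbd log lines quoted above. The parser below is an added example, not code from the thread or from Samba; the sample log text is the two entries from the original mail re-joined onto single lines, and the `explain` wording is my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two smbd level-3 entries quoted in the thread,
# re-joined onto single lines (the list archive wrapped them).
SAMPLE_LOG = """\
[2023/07/27 12:31:43.434346,  3, pid=1019460, effective(0, 0), real(0, 0)] ../../source3/lib/util_names.c:84(is_allowed_domain)
  is_allowed_domain: Not trusted domain 'UNIX USER'
[2023/07/27 12:31:43.434350,  3, pid=1019460, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:492(create_local_token)
  create_local_token: Authentication failed for user [cortexuser] from firewalled domain [UNIX USER]
"""

# smbd debug header: "[timestamp, level, pid=NNN, ...] file:line(function)"
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)")
# The create_local_token rejection message seen when allow trusted domains = no
FIREWALLED_RE = re.compile(
    r"Authentication failed for user \[(?P<user>[^\]]+)\] "
    r"from firewalled domain \[(?P<domain>[^\]]+)\]"
)

@dataclass
class Rejection:
    pid: str
    user: str
    domain: str
    local_pseudo_domain: bool  # True when the "domain" is smbd's own 'Unix Users'

def parse_rejections(log_text):
    """Collect 'firewalled domain' rejections from smbd debug output.
    A header line sets the current pid; the message line that follows it is
    checked against the create_local_token pattern from the thread."""
    rejections = []
    pid = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pid = m.group("pid")
            continue
        m = FIREWALLED_RE.search(line)
        if m:
            dom = m.group("domain")
            rejections.append(
                Rejection(pid, m.group("user"), dom, dom.upper() == "UNIX USER"))
    return rejections

def explain(rej):
    """One-line diagnosis distinguishing a real foreign domain from the local pseudo-domain."""
    if rej.local_pseudo_domain:
        return (f"pid {rej.pid}: user {rej.user!r} rejected by 'allow trusted domains = no', "
                f"but {rej.domain!r} is smbd's local-user pseudo-domain, not a domain trust")
    return f"pid {rej.pid}: user {rej.user!r} from foreign domain {rej.domain!r} blocked as configured"
```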