TomK
2020-Feb-21 23:10 UTC
[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
On 2/21/2020 2:24 PM, Rowland penny via samba wrote:
> On 21/02/2020 19:06, torch via samba wrote:
>> Am I missing something? I don't see where you are using the "@"
>> symbol anywhere.
>> Mac is probably interpreting the parameters "valid users" and "write
>> list" (correctly, I think ;-) as a LIST of 3 users: joe, at, mds.xyz
>> or bob, at, mds.xyz.
>>
>> torch
>
> My question would be 'why is the OP trying to login using what appears
> to be a UPN to something (standalone server) that doesn't use kerberos ?'
>
> More info required.
>
> Rowland

Valid question.

The target server, let's call it nfs03.nix.mds.xyz, shares a path via both CIFS and NFS. The said server, nfs03, is Kerberized via SSSD to a set of FreeIPA servers. The FreeIPA servers in turn have a trust with the AD DC domain mds.xyz .

nfs03 <-> FreeIPA <-> AD DC

So joe@mds.xyz is an AD user presented via FreeIPA on nfs03.

[root@nfs03 samba]# id joe@mds.xyz
uid=166602204(joe@mds.xyz) gid=166602204(joe@mds.xyz) groups=166602204(joe@mds.xyz),1843300089(domain-users)
[root@nfs03 samba]#

Running

id joe

doesn't work of course. Doesn't exist. mds.xyz is the AD domain. There are other domains and other users on those different domains, such as drew@nix.mds.xyz, who doesn't exist in AD and is only local to Linux servers. We also need to distinguish a user1@mds.xyz vs a user1@nix.mds.xyz for example. So need to use the domain, at least for now.

Using joe won't work in samba since it checks the OS to verify the user exists. So need to use joe@mds.xyz however Samba, rightly so, splits this string up into what it thinks is the user, 'joe' and host 'mds.xyz'. I'm looking for a way to suppress this so it doesn't split up joe@mds.xyz .

"Sadly this really appears to be a client issue. You see there the string Samba gets, so by the time Samba tries to process it the @ is already interpreted and the string split.

Sorry!

Andrew Bartlett"

Yeah, wondering if there is a way to tell Samba NOT to split that up and treat joe@mds.xyz as a single user. This works fine in Win 10 so I agree, it's probably a client SMB configuration issue but would like to know exactly what that config issue is.

--
Thx,
TK.
TomK
2020-Feb-22 01:48 UTC
[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
On 2/21/2020 6:10 PM, TomK via samba wrote:
> On 2/21/2020 2:24 PM, Rowland penny via samba wrote:
>> On 21/02/2020 19:06, torch via samba wrote:
>>> Am I missing something? I don't see where you are using the "@"
>>> symbol anywhere.
>>> Mac is probably interpreting the parameters "valid users" and "write
>>> list" (correctly, I think ;-) as a LIST of 3 users: joe, at, mds.xyz
>>> or bob, at, mds.xyz.
>>>
>>> torch
>>
>> My question would be 'why is the OP trying to login using what appears
>> to be a UPN to something (standalone server) that doesn't use kerberos ?'
>>
>> More info required.
>>
>> Rowland
>
> Valid question.
>
> The target server, let's call it nfs03.nix.mds.xyz, shares a path via
> both CIFS and NFS. The said server, nfs03, is Kerberized via SSSD to a
> set of FreeIPA servers. The FreeIPA servers in turn have a trust with
> the AD DC domain mds.xyz .
>
> nfs03 <-> FreeIPA <-> AD DC
>
> So joe@mds.xyz is an AD user presented via FreeIPA on nfs03.
>
> [root@nfs03 samba]# id joe@mds.xyz
> uid=166602204(joe@mds.xyz) gid=166602204(joe@mds.xyz)
> groups=166602204(joe@mds.xyz),1843300089(domain-users)
> [root@nfs03 samba]#
>
> Running
>
> id joe
>
> doesn't work of course. Doesn't exist. mds.xyz is the AD domain.
> There are other domains and other users on those different domains, such
> as drew@nix.mds.xyz, who doesn't exist in AD and is only local to Linux
> servers. We also need to distinguish a user1@mds.xyz vs a
> user1@nix.mds.xyz for example. So need to use the domain, at least for now.
>
> Using joe won't work in samba since it checks the OS to verify the user
> exists. So need to use joe@mds.xyz however Samba, rightly so, splits
> this string up into what it thinks is the user, 'joe' and host
> 'mds.xyz'. I'm looking for a way to suppress this so it doesn't split
> up joe@mds.xyz .

Therefore, yes, UPN.

> "Sadly this really appears to be a client issue. You see there the
> string Samba gets, so by the time Samba tries to process it the @ is
> already interpreted and the string split.
>
> Sorry!
>
> Andrew Bartlett"
>
> Yeah, wondering if there is a way to tell Samba NOT to split that up and
> treat joe@mds.xyz as a single user. This works fine in Win 10 so I
> agree, it's probably a client SMB configuration issue but would like to
> know exactly what that config issue is.
>

+ or what parameters I could change to ensure the string isn't split up.

--
Thx,
TK.
Andrew Bartlett
2020-Feb-22 02:18 UTC
[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
On Fri, 2020-02-21 at 20:48 -0500, TomK wrote:
> > "Sadly this really appears to be a client issue. You see there the
> > string Samba gets, so by the time Samba tries to process it the @ is
> > already interpreted and the string split.
> >
> > Sorry!
> >
> > Andrew Bartlett"
> >
> > Yeah, wondering if there is a way to tell Samba NOT to split that up and
> > treat joe@mds.xyz as a single user. This works fine in Win 10 so I
> > agree, it's probably a client SMB configuration issue but would like to
> > know exactly what that config issue is.
> >
>
> + or what parameters I could change to ensure the string isn't split up.

You can't change it on the Samba side, you could try logging in as SERVER\joe@mds.xyz or see if you can re-map it server-side with the various username map options.

You need to realise that the protocol has a domain field and a username one. Well behaved clients know that user@realm style usernames need to all be in the username field, not split up client-side (and left to the DC to interpret), but even Samba got this wrong for quite some time.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
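A sketch of the server-side re-mapping route mentioned in the message above, as an added example that is not part of the thread or of Samba: a script for smb.conf's `username map script` parameter, which is called with the client-supplied name as its single argument and prints the name to map to. That Samba hands the script the split name in `DOMAIN\user` form in this setup is an assumption, as are the script path and the function name; the two domains are the ones named in the thread.

```shell
#!/bin/sh
# Hypothetical install (path is an assumption):
#   [global]
#       username map script = /usr/local/sbin/smb-upn-map.sh
#
# Rejoins a name the client split into domain + user back into the
# user@domain form that `id` resolves on the server.

map_smb_name() {
    name=$1
    case $name in
        *@*)
            # Already user@realm: pass through unchanged.
            printf '%s\n' "$name"
            ;;
        *\\*)
            # DOMAIN\user (assumed form): split on the first backslash.
            domain=${name%%\\*}
            user=${name#*\\}
            domain=$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')
            case $domain in
                mds.xyz|nix.mds.xyz)
                    # Only domains on the allow-list are rewritten, so
                    # user1@mds.xyz and user1@nix.mds.xyz stay distinct.
                    printf '%s@%s\n' "$user" "$domain"
                    ;;
                *)
                    printf '%s\n' "$name"
                    ;;
            esac
            ;;
        *)
            # Bare name: no domain to attach, so do not guess one.
            printf '%s\n' "$name"
            ;;
    esac
}

# Samba passes the name as the first argument.
if [ "$#" -gt 0 ]; then
    map_smb_name "$1"
fi
```

Bare names are deliberately left unmapped: guessing a domain for `joe` would collapse the distinction between same-named users in different domains.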
Rowland penny
2020-Feb-22 09:04 UTC
[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
On 21/02/2020 23:10, TomK wrote:
> On 2/21/2020 2:24 PM, Rowland penny via samba wrote:
>> On 21/02/2020 19:06, torch via samba wrote:
>>> Am I missing something? I don't see where you are using the "@"
>>> symbol anywhere.
>>> Mac is probably interpreting the parameters "valid users" and "write
>>> list" (correctly, I think ;-) as a LIST of 3 users: joe, at, mds.xyz
>>> or bob, at, mds.xyz.
>>>
>>> torch
>>
>> My question would be 'why is the OP trying to login using what
>> appears to be a UPN to something (standalone server) that doesn't use
>> kerberos ?'
>>
>> More info required.
>>
>> Rowland
>
> Valid question.
>
> The target server, let's call it nfs03.nix.mds.xyz, shares a path via
> both CIFS and NFS. The said server, nfs03, is Kerberized via SSSD to a
> set of FreeIPA servers. The FreeIPA servers in turn have a trust with
> the AD DC domain mds.xyz .
>
> nfs03 <-> FreeIPA <-> AD DC
>
> So joe@mds.xyz is an AD user presented via FreeIPA on nfs03.
>
> [root@nfs03 samba]# id joe@mds.xyz
> uid=166602204(joe@mds.xyz) gid=166602204(joe@mds.xyz)
> groups=166602204(joe@mds.xyz),1843300089(domain-users)
> [root@nfs03 samba]#
>
> Running
>
> id joe
>
> doesn't work of course. Doesn't exist. mds.xyz is the AD domain.
> There are other domains and other users on those different domains,
> such as drew@nix.mds.xyz, who doesn't exist in AD and is only local to
> Linux servers. We also need to distinguish a user1@mds.xyz vs a
> user1@nix.mds.xyz for example. So need to use the domain, at least for
> now.
>
> Using joe won't work in samba since it checks the OS to verify the
> user exists. So need to use joe@mds.xyz however Samba, rightly so,
> splits this string up into what it thinks is the user, 'joe' and host
> 'mds.xyz'. I'm looking for a way to suppress this so it doesn't split
> up joe@mds.xyz .
>

Using 'joe@mds.xyz' isn't going to work against a standalone samba server (well, not unless you create a user called joe@mds.xyz on it) because it isn't a domain member.

Rowland