2017-08-31 15:54 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 31 Aug 2017 15:28:57 +0200
> mathias dufresne via samba <samba at lists.samba.org> wrote:
>
> > Hi all,
> >
> > Here there are trust relationships between domains.
> > On some file server using Samba 4.4.4 (CentOS 7) I must set up my
> > shares using %U. When using %u the directory which is accessed is
> > /path/to/share/OUR_DOMAIN\username rather
> > than /path/to/share/username.
> >
> > Initially I thought it could be solved by using:
> > winbind use default domain = yes
> > associated with:
> > workgroup = OUR_DOMAIN
> > but that changes only how users are generated by Winbind (or at least
> > that's how I feel it :)
> >
> > And as smb.conf manpage tells:
> > %U
> > session username (the username that the client wanted, not
> > necessarily the same as the one they got).
> >
> > I feel like it could be nice (because perhaps more secure) to use
> > %u...
>
> You mention 'trust' and then 'winbind use default domain', I am very
> sure you cannot use the two together.
>

It works to remove domain name from user lines in getent.
Without 'winbind use default domain' user lines are like:
DOMAIN\username:x:UID:GID.....
with 'winbind use default domain' user lines are like:
username:x:UID:GID.....

Now I understand from what you said that there will be problems once some
users from other domains would try to access these shares. Especially if
there are users with same sAMAccountName on several domains.

>
> I don't actually think you need to set either, I think you just need to
> use something like 'path/to/share/%D/users/'
> See the wiki page for more info:
>
> https://wiki.samba.org/index.php/User_Home_Folders

I will read that carefully but, 'cause there's a but: my client refuses to
change anything....
If this behaviour is fathered by trust relationships, they'll certainly
keep using %U and avoid clients from domains other than the default one...

>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

PS: the short way to explain %u is adding domain/workgroup to username is
the fact we are using trust relationship?

2017-08-31 16:08 GMT+02:00 mathias dufresne <infractory at gmail.com>:

>
>
> 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
>> On Thu, 31 Aug 2017 15:28:57 +0200
>> mathias dufresne via samba <samba at lists.samba.org> wrote:
>>
>> > Hi all,
>> >
>> > Here there are trust relationships between domains.
>> > On some file server using Samba 4.4.4 (CentOS 7) I must set up my
>> > shares using %U. When using %u the directory which is accessed is
>> > /path/to/share/OUR_DOMAIN\username rather
>> > than /path/to/share/username.
>> >
>> > Initially I thought it could be solved by using:
>> > winbind use default domain = yes
>> > associated with:
>> > workgroup = OUR_DOMAIN
>> > but that changes only how users are generated by Winbind (or at least
>> > that's how I feel it :)
>> >
>> > And as smb.conf manpage tells:
>> > %U
>> > session username (the username that the client wanted, not
>> > necessarily the same as the one they got).
>> >
>> > I feel like it could be nice (because perhaps more secure) to use
>> > %u...
>>
>> You mention 'trust' and then 'winbind use default domain', I am very
>> sure you cannot use the two together.
>>
>
> It works to remove domain name from user lines in getent.
> Without 'winbind use default domain' user lines are like:
> DOMAIN\username:x:UID:GID.....
> with 'winbind use default domain' user lines are like:
> username:x:UID:GID.....
>
> Now I understand from what you said that there will be problems once some
> users from other domains would try to access these shares. Especially if
> there are users with same sAMAccountName on several domains.
>
>
>>
>> I don't actually think you need to set either, I think you just need to
>> use something like 'path/to/share/%D/users/'
>> See the wiki page for more info:
>>
>> https://wiki.samba.org/index.php/User_Home_Folders
>
>
> I will read that carefully but, 'cause there's a but: my client refuses to
> change anything....
> If this behaviour is fathered by trust relationships, they'll certainly
> keep using %U and avoid clients from domains other than the default one...
>
>
>>
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
>

On Thu, 31 Aug 2017 16:08:00 +0200
mathias dufresne <infractory at gmail.com> wrote:

> 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> > On Thu, 31 Aug 2017 15:28:57 +0200
> > mathias dufresne via samba <samba at lists.samba.org> wrote:
> >
> > > Hi all,
> > >
> > > Here there are trust relationships between domains.
> > > On some file server using Samba 4.4.4 (CentOS 7) I must set up my
> > > shares using %U. When using %u the directory which is accessed is
> > > /path/to/share/OUR_DOMAIN\username rather
> > > than /path/to/share/username.
> > >
> > > Initially I thought it could be solved by using:
> > > winbind use default domain = yes
> > > associated with:
> > > workgroup = OUR_DOMAIN
> > > but that changes only how users are generated by Winbind (or at
> > > least that's how I feel it :)
> > >
> > > And as smb.conf manpage tells:
> > > %U
> > > session username (the username that the client wanted,
> > > not necessarily the same as the one they got).
> > >
> > > I feel like it could be nice (because perhaps more secure) to use
> > > %u...
> >
> > You mention 'trust' and then 'winbind use default domain', I am very
> > sure you cannot use the two together.
> >
>
> It works to remove domain name from user lines in getent.
> Without 'winbind use default domain' user lines are like:
> DOMAIN\username:x:UID:GID.....
> with 'winbind use default domain' user lines are like:
> username:x:UID:GID.....
>
> Now I understand from what you said that there will be problems once
> some users from other domains would try to access these shares.
> Especially if there are users with same sAMAccountName on several
> domains.
>
> >
> > I don't actually think you need to set either, I think you just
> > need to use something like 'path/to/share/%D/users/'
> > See the wiki page for more info:
> >
> > https://wiki.samba.org/index.php/User_Home_Folders
>
>
> I will read that carefully but, 'cause there's a but: my client
> refuses to change anything....
> If this behaviour is fathered by trust relationships, they'll
> certainly keep using %U and avoid clients from domains other than the
> default one...
>

They don't need to change anything, without 'winbind use default
domain' when a user called 'fred' connects from DOMAINA, he will be
seen as 'DOMAINA\fred' but if a user called fred connects from
DOMAINB, he will be seen as 'DOMAINB\fred'. Samba should then create
the homedir for user 'DOMAINA\fred' in '/path/to/share/DOMAINA/users'
and the homedir for user 'DOMAINB\fred' in
'/path/to/share/DOMAINB/users', if you use the path I posted earlier.

Rowland

On Thu, 31 Aug 2017 16:27:12 +0200
mathias dufresne <infractory at gmail.com> wrote:

> PS: the short way to explain %u is adding domain/workgroup to
> username is the fact we are using trust relationship?
>

Probably, what you have to get your head around is this:

The users 'fred', 'DOMAINA\fred' and 'DOMAINB\fred' are all different
users. Winbind will report them as such.

I will leave you to work something out from that ;-)

Rowland

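An added example, not part of the original thread and not Samba code: a simplified model of how the three smb.conf variables discussed above become directory names, used to find which path templates put two different accounts into the same directory. Expanding %U to the bare account name follows the behaviour reported in the thread, the per-user %D/users/%U layout is an assumption built on the path suggested above, and the sessions are constructed.

```python
from collections import defaultdict

# Constructed sample sessions: (domain, sAMAccountName), names as used in the thread.
SESSIONS = [("DOMAINA", "fred"), ("DOMAINB", "fred"), ("DOMAINA", "alice")]


def expand(template, domain, user):
    """Expand %U, %u and %D in a share path (simplified model, assumptions below).

    %U -> name the client asked for, modelled as the bare account name
    %u -> name winbind reports without 'winbind use default domain' (DOMAIN\\user)
    %D -> domain of the user
    """
    values = {"U": user, "u": f"{domain}\\{user}", "D": domain}
    out, i = [], 0
    # Single pass, so an expanded value is never scanned for further variables.
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in values:
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def collisions(template, sessions):
    """Return {path: [accounts]} for each path reached by more than one account."""
    owners = defaultdict(set)
    for domain, user in sessions:
        owners[expand(template, domain, user)].add(f"{domain}\\{user}")
    return {path: sorted(accts) for path, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    templates = (
        "/path/to/share/%U",           # layout currently in use in the thread
        "/path/to/share/%u",           # domain-qualified name
        "/path/to/share/%D/users/%U",  # assumed per-user layout under %D/users/
    )
    for tpl in templates:
        print(tpl, "->", collisions(tpl, SESSIONS) or "no shared directories")
```

Only the %U template maps DOMAINA\fred and DOMAINB\fred to the same directory; the other two keep the accounts apart.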
2017-08-31 16:29 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 31 Aug 2017 16:08:00 +0200
> mathias dufresne <infractory at gmail.com> wrote:
>
> > 2017-08-31 15:54 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Thu, 31 Aug 2017 15:28:57 +0200
> > > mathias dufresne via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi all,
> > > >
> > > > Here there are trust relationships between domains.
> > > > On some file server using Samba 4.4.4 (CentOS 7) I must set up my
> > > > shares using %U. When using %u the directory which is accessed is
> > > > /path/to/share/OUR_DOMAIN\username rather
> > > > than /path/to/share/username.
> > > >
> > > > Initially I thought it could be solved by using:
> > > > winbind use default domain = yes
> > > > associated with:
> > > > workgroup = OUR_DOMAIN
> > > > but that changes only how users are generated by Winbind (or at
> > > > least that's how I feel it :)
> > > >
> > > > And as smb.conf manpage tells:
> > > > %U
> > > > session username (the username that the client wanted,
> > > > not necessarily the same as the one they got).
> > > >
> > > > I feel like it could be nice (because perhaps more secure) to use
> > > > %u...
> > >
> > > You mention 'trust' and then 'winbind use default domain', I am very
> > > sure you cannot use the two together.
> > >
> >
> > It works to remove domain name from user lines in getent.
> > Without 'winbind use default domain' user lines are like:
> > DOMAIN\username:x:UID:GID.....
> > with 'winbind use default domain' user lines are like:
> > username:x:UID:GID.....
> >
> > Now I understand from what you said that there will be problems once
> > some users from other domains would try to access these shares.
> > Especially if there are users with same sAMAccountName on several
> > domains.
> >
> > >
> > > I don't actually think you need to set either, I think you just
> > > need to use something like 'path/to/share/%D/users/'
> > > See the wiki page for more info:
> > >
> > > https://wiki.samba.org/index.php/User_Home_Folders
> >
> >
> > I will read that carefully but, 'cause there's a but: my client
> > refuses to change anything....
> > If this behaviour is fathered by trust relationships, they'll
> > certainly keep using %U and avoid clients from domains other than the
> > default one...
> >
>
> They don't need to change anything, without 'winbind use default
> domain' when a user called 'fred' connects from DOMAINA, he will be
> seen as 'DOMAINA\fred' but if a user called fred connects from
> DOMAINB, he will be seen as 'DOMAINB\fred'. Samba should then create
> the homedir for user 'DOMAINA\fred' in '/path/to/share/DOMAINA/users'
> and the homedir for user 'DOMAINB\fred' in
> '/path/to/share/DOMAINB/users', if you use the path I posted earlier.
>

The fact is that means they must change each and every directory name at
every place where %u was used. And that is not a small task by itself. In
my own opinion it is really doable, but not in theirs.
Moreover, they use "unsecure links" and they use that awful stuff heavily.
That means renaming directories implies rebuilding all links. Here again, a
task they don't want to do. Here again, I proposed some ways to manage
them relatively easily, which were refused.

I do understand that's not state of the art but I'm not responsible for what
they do, it's their IT, not mine. I'm giving advice, they do whatever they
want with it...

>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>