10.3. Matching Domain Users to Local Accounts
Remember from Chapter 5 that every user accessing the Samba server must be associated with a Unix uid. smbd goes through several steps in its attempt to find a matching Unix account. This is true for users who are authenticated locally as well as those validated by a remote domain controller.
The first step is to process the username map option, which may translate the current account name to another string. For standalone servers, this is done before the authentication request is processed, but for domain members, this transformation occurs after authentication. As a result, any domain names in map entries must be fully qualified.[*]
Qualified domain names take two forms. When the server is using security = ads and not running Winbind, it is necessary to add an entry that qualifies the user by prefixing the complete realm in order to deal with Kerberos logins. Without winbindd (the Winbind daemon), Samba has no way to convert realm names to short names. NTLM login requests provide the short name of the domain, so we must also include an entry of the form DOMAIN\user. The complete entry for the user leezard in the AD domain eden.plainjoe.org (with a short name of EDEN) would appear as:
lizard = EDEN.PLAINJOE.ORG\leezard EDEN\leezard
When winbindd is available to convert realm names into short names, or when only NTLM authentication is supported (i.e., security = domain), the previous entry should be simplified to:
lizard = EDEN\leezard
But as you will soon see, when using winbindd, a username map may be entirely unnecessary.
Once any relevant mapping records have been processed, smbd queries the operating system for a uid matching the login name. If the user name is still in the fully qualified format, Samba searches for the qualified name first and falls back to look for the user name minus the domain if the qualified search fails to yield a match. Once a uid is located, Samba creates a token for the user containing the uid and all group memberships.
This search process implies that there is an implicit match between a local Unix user and a domain user possessing the same name. This implication may cause confusion when a user from a trusted domain accesses the server. Both EDEN\adam and FRUIT\adam map to the same Unix user, adam. In order to prevent a user from a trusted domain gaining access to files owned by a user of the same name in our domain, it is recommended that you disable domain trusts on the Samba host by setting:
[global]
    allow trusted domains = no
Returning to our search, if no matching uid can be found, smbd has two options: reject the login or map the user to the guest account. The map to guest parameter, first presented in Chapter 5, has a special setting that is valid only on domain member servers. When set to the value bad uid, Samba silently maps a domain user to the guest account if no corresponding Unix account can be found. This behavior allows you to require domain users to be authenticated without being concerned with creating any local accounts. The original 3.0 releases removed this functionality, which was the default behavior in Samba 2.2. But it was later included again as part of the map to guest option in version 3.0.20.
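The matching order described in this section can be modelled in a few lines to audit which domain logins end up on the same Unix account. The following is an added example, not Samba code or code from the book: the function names, the sample accounts and the guest account name nobody are assumptions, and the map parser handles only plain "unix = client" lines.

```python
from collections import defaultdict

# Constructed sample data (hypothetical accounts reusing the names from the text).
USERNAME_MAP = r"""
# unix name = client name(s)
lizard = EDEN\leezard
"""
UNIX_ACCOUNTS = {"adam", "lizard"}
LOGINS = [r"EDEN\leezard", r"EDEN\adam", r"FRUIT\adam", r"EDEN\eve"]

def parse_username_map(text):
    """Parse 'unix = client ...' lines; '!', '@group', '*' and quoting are not handled."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        unix, _, clients = line.partition("=")
        for client in clients.split():
            mapping[client.lower()] = unix.strip()
    return mapping

def resolve(login, umap, accounts, own_domain="EDEN",
            allow_trusted_domains=True, map_to_guest="never", guest="nobody"):
    """Return the Unix account a domain login lands on, or None if it is rejected."""
    domain = login.split("\\", 1)[0] if "\\" in login else own_domain
    if not allow_trusted_domains and domain.upper() != own_domain:
        return None                            # logins from other domains are refused
    name = umap.get(login.lower(), login)      # step 1: username map
    if name in accounts:                       # step 2: look up the name as it stands
        return name
    short = name.split("\\", 1)[-1]            # step 3: retry without the domain
    if short in accounts:
        return short
    return guest if map_to_guest == "bad uid" else None

def collisions(logins, umap, accounts, **opts):
    """Group logins by resulting Unix account; keep accounts reached by several logins."""
    hits = defaultdict(list)
    for login in logins:
        unix = resolve(login, umap, accounts, **opts)
        if unix is not None:
            hits[unix].append(login)
    return {unix: names for unix, names in hits.items() if len(names) > 1}

if __name__ == "__main__":
    umap = parse_username_map(USERNAME_MAP)
    print(collisions(LOGINS, umap, UNIX_ACCOUNTS))
    print(collisions(LOGINS, umap, UNIX_ACCOUNTS, allow_trusted_domains=False))
```

With trusted domains allowed, EDEN\adam and FRUIT\adam are both reported against the Unix user adam; with allow_trusted_domains=False the FRUIT login is refused and no collision remains.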