
I've got a Linux file server set up by the previous IT department, with permissions set up to allow Jane to access a certain folder with the username "jane".

My new AD domain that I put in has everyone's username set as first initial, last name, so her username in the domain is "jdoe".

For reasons I don't want to go into here, I can't just add "jdoe" as a user on the file server.

Can I set her SamAccountName to "jane" and keep her User UPN Logon as "jdoe"? Will that work to let her into the Linux file share?

blsub6

1 Answer


Samba has a username map config option that you can use to specify a list of remote usernames that will be transparently mapped to a different local user name.

The format for this in /etc/smb/samba.conf would be something like this:

[global]
    # username map is a global parameter, not a per-share one
    username map = /path/to/file

[share]
    ...normal share options
    valid users = jane bob fred ... etc

And the contents of /path/to/file should be:

jane = jdoe

You can add more lines to this file, including quoted usernames with spaces, references to whole groups, etc. See the documentation link above for more details.

My original answer is a bit of a hack, but for reference here's the deal on forced users. You can add a user to the samba password file using smbpasswd -a without adding them as a unix system user. Then you can authenticate those users on the samba share. You do not have to add them to the unix system password list in order for this to work, but since their users don't exist they will not particularly be able to make use of the share because the unix privilege system will keep them from writing etc. To fix this, there is a "force user" option that you can add to any share, and all actions taken by any authenticated user on that share will be executed using that unix system user. So if you create a share for everybody, then create a duplicate share just for jdoe and add force user = jane to that share, even when jdoe authenticates they will read/write files on the system using jane's unix user.

Caleb
  • I don't get it... so multiple people use this share, they're all in the group called 'fiscal' it's set up with `valid users = @fiscal` and `force user = nobody` if I set this up with `valid users = jdoe`, wouldn't it break everyone else's access to the share? – blsub6 Apr 19 '11 at 07:16
  • You have two choices. One have everybody connect to the same share, which will cause all users to read/write from the file server as the same user 'jane', or what I was suggesting was setup a duplicate share just for jane to use ... to the same location but with the force user override so she reads/writes as her alternate username. – Caleb Apr 19 '11 at 07:21
  • ahhhhh, that makes much more sense....and she doesn't have to be a user (in /etc/passwd) on the linux file server? – blsub6 Apr 19 '11 at 07:35
  • No. In my original solution jdoe would need to be in the samba password file to authenticate, but not the unix system one since the system would get used as jane. In the new solution you shouldn't need the jdoe credentials anywhere, the remote username gets mapped to the local equivalent at authentication time. – Caleb Apr 19 '11 at 15:43
  • Sorry I was in a hurry when I first discovered there was a better answer than my original. I just edited my whole answer with a better rundown of how you can accomplish this. – Caleb Apr 19 '11 at 16:47
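The username map semantics described in the answer above, modelled in a small Python script as an added example (not code from the answer or from Samba itself). It parses a map file the way smb.conf(5) describes the format, resolves a remote AD name to the local unix name, and shows why the "!" prefix matters when a wildcard line such as "nobody = *" follows; the group membership table and the map contents are constructed for the example.

```python
"""Model of Samba's 'username map' file semantics (added example, not Samba code).
Per smb.conf(5): 'unixname = winname1 "win name 2" @unixgroup ...', '#' or ';'
start a comment, '*' matches any remote name, a leading '!' stops processing
once that line has mapped the name.  Group lookups use a constructed dict."""
import shlex

# Constructed stand-in for /etc/group membership (real Samba asks NSS).
UNIX_GROUPS = {"fiscal": {"jane", "bob", "fred"}}

# Constructed map: AD sAMAccountNames on the right, local unix user on the left.
SAFE_MAP = """
!jane = jdoe "Jane Doe"
nobody = *
"""
# Same map without the '!' guard: Samba keeps processing after a match, so the
# wildcard line re-maps the already-mapped name 'jane' to 'nobody'.
UNSAFE_MAP = SAFE_MAP.replace("!", "")


def parse_username_map(text):
    """Return [(stop_after_match, unixname, [remote names])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        unixname, remotes = line.split("=", 1)
        # shlex honours the double quotes Samba allows around names with spaces
        rules.append((stop, unixname.strip(), shlex.split(remotes)))
    return rules


def map_username(remote, rules, groups=UNIX_GROUPS):
    """Resolve a remote (AD) logon name to the unix name Samba would use."""
    name = remote
    for stop, unixname, remotes in rules:
        matched = any(
            entry == "*"
            or entry.lower() == name.lower()  # Samba compares case-insensitively
            or (entry.startswith("@") and name in groups.get(entry[1:], ()))
            for entry in remotes
        )
        if matched:
            name = unixname
            if stop:
                break
    return name
```

Running map_username("jdoe", parse_username_map(SAFE_MAP)) yields "jane", while the same call against UNSAFE_MAP yields "nobody", which is the failure mode to check for when a catch-all line is present.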