summaryrefslogtreecommitdiff
path: root/docs/smbdotconf/security/usernamemap.xml
blob: 1ac393393bd100a0d8039994a68026d7ac51df30 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
<samba:parameter name="username map"
                 context="G"
                 advanced="1" developer="1"
				 type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
    <para>This option allows you to specify a file containing 
    a mapping of usernames from the clients to the server. This can be 
    used for several purposes. The most common is to map usernames 
    that users use on DOS or Windows machines to those that the UNIX 
    box uses. The other is to map multiple users to a single username 
    so that they can more easily share files.</para>
    
    <para>The map file is parsed line by line. Each line should 
    contain a single UNIX username on the left then a '=' followed 
    by a list of usernames on the right. The list of usernames on the 
    right may contain names of the form @group in which case they 
    will match any UNIX username in that group. The special client 
    name '*' is a wildcard and matches any name. Each line of the 
    map file may be up to 1023 characters long.</para>

    <para>The file is processed on each line by taking the 
    supplied username and comparing it with each username on the right 
    hand side of the '=' signs. If the supplied name matches any of 
    the names on the right hand side then it is replaced with the name 
    on the left. Processing then continues with the next line.</para>

    <para>If any line begins with a '#' or a ';' then it is ignored</para>

    <para>If any line begins with an '!' then the processing
    will stop after that line if a mapping was done by the line.
    Otherwise mapping continues with every line being processed.
    Using '!' is most useful when you have a wildcard mapping line
    later in the file.</para>

    <para>For example to map from the name <constant>admin</constant>
    or <constant>administrator</constant> to the UNIX name <constant>
    root</constant> you would use:</para>

    <para><command moreinfo="none">root = admin administrator</command></para>

    <para>Or to map anyone in the UNIX group <constant>system</constant>
    to the UNIX name <constant>sys</constant> you would use:</para>

    <para><command moreinfo="none">sys = @system</command></para>

    <para>You can have as many mappings as you like in a username map file.</para>


    <para>If your system supports the NIS NETGROUP option then
    the netgroup database is checked before the <filename moreinfo="none">/etc/group
    </filename> database for matching groups.</para>

    <para>You can map Windows usernames that have spaces in them
     by using double quotes around the name. For example:</para>

    <para><command moreinfo="none">tridge = &quot;Andrew Tridgell&quot;</command></para>

    <para>would map the windows username &quot;Andrew Tridgell&quot; to the
    unix username &quot;tridge&quot;.</para>

    <para>The following example would map mary and fred to the
    unix user sys, and map the rest to guest. Note the use of the
    '!' to tell Samba to stop processing if it gets a match on
    that line.</para>

<para><programlisting format="linespecific">
!sys = mary fred
guest = *
</programlisting></para>

    <para>Note that the remapping is applied to all occurrences
    of usernames. Thus if you connect to \\server\fred and <constant>
    fred</constant> is remapped to <constant>mary</constant> then you
    will actually be connecting to \\server\mary and will need to
    supply a password suitable for <constant>mary</constant> not
    <constant>fred</constant>. The only exception to this is the
    username passed to the <link linkend="PASSWORDSERVER"><parameter moreinfo="none">
    password server</parameter></link> (if you have one). The password
    server will receive whatever username the client supplies without
    modification.</para>

    <para>Also note that no reverse mapping is done. The main effect
    this has is with printing. Users who have been mapped may have
    trouble deleting print jobs as PrintManager under WfWg will think
    they don't own the print job.</para>

   <para>
   Samba versions prior to 3.0.8 would only support reading the fully qualified
   username (e.g.: DOMAIN\user) from the username map when performing a
   kerberos login from a client.  However, when looking up a map
   entry for a user authenticated by NTLM[SSP], only the login name would be
   used for matches.  This resulted in inconsistent behavior sometimes
   even on the same server.
   </para>

   <para>
   The following functionality is obeyed in version 3.0.8 and later:
   </para>

   <para>
    When performing local authentication, the username map is
    applied to the login name before attempting to authenticate
    the connection.
    </para>

    <para>
    When relying upon a external domain controller for validating
    authentication requests, smbd will apply the username map
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated.
    </para>
</description>

<value type="default"><comment>no username map</comment></value>
<value type="example">/usr/local/samba/lib/users.map</value>
</samba:parameter>