Bug 11557 - Samba breaks username mapping
Summary: Samba breaks username mapping
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.1.0
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-15 09:24 UTC by ddas
Modified: 2019-07-14 21:16 UTC (History)
6 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description ddas 2015-10-15 09:24:56 UTC
If a user is created locally as well as in AD then mapping issue is observed. 

Local User
----------

# getent passwd tuser -s files
tuser:x:500:500::/home/tuser:/bin/bash

AD User
--------
# getent passwd tuser -s winbind
tuser:*:16777216:16777216::/home/EXAMPLE/tuser:/bin/bash


If "winbind use default domain = true" is set and AD user with the same name is mapped to local user then access to directory owned by local user is not working.

As per Samba man page (https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html) under "username map" parameter the unix user should be mentioned on the left side. 

-----------------------------------------------------------------------------
 For example to map from the name admin or administrator to the UNIX name root you would use:

root = admin administrator

Or to map anyone in the UNIX group system to the UNIX name sys you would use:

sys = @system
-----------------------------------------------------------------------------


Testing Details are given below. 


File Configuration
===================
    
1) /etc/samba/smb.conf
   ---------------------------------------------------------
  [global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    idmap config * : range = 16777216-33554431
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000 - 1000000
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = true
    username map = /etc/samba/usermap
    winbind offline logon = false
    server string = Samba Server Version %v
    log file = /var/log/samba/log.%m
    max log size = 50
    passdb backend = tdbsam
    load printers = yes
    cups options = raw

    [test]
    comment = TestShare
    path = /test
    browseable = yes
    valid users = tuser
    guest ok = no
    writable = yes
    printable = no
    ---------------------------------------------------------
     
2) /etc/nsswitch.conf
   ---------------------------
   passwd:     files winbind
   shadow:     files winbind
   group:      files winbind
   ---------------------------
     
ID OUTPUT
===========
 # id tuser
 uid=500(tuser) gid=500(tuser) groups=500(tuser),16777216(domain users),16777218(domain admins),16777217(denied rodc password replication group),16777220(BUILTIN+users),16777219(BUILTIN+administrators)
     
# id EXAMPLE+tuser
uid=16777216(tuser) gid=16777216(domain users) groups=16777216(domain users),16777218(domain admins),16777217(denied rodc password replication group),16777220(BUILTIN+users),16777219(BUILTIN+administrators)
     
     
Samba Share Directory Permission
================================
# ls -ld /test/
drwxrwx---. 2 tuser tuser 4096 Oct 15 13:30 /test/

# ls -lnd /test/
drwxrwx---. 2 500 500 4096 Oct 15 13:30 /test/
     
# ls -ltr /test/
total 0
-rw-r--r--. 1 tuser tuser 0 Oct 15 13:30 a.txt
     
# ls -lntr /test/
total 0
-rw-r--r--. 1 500 500 0 Oct 15 13:30 a.txt
     
     
TESTING RESULT
==============
     
A)  /etc/samba/usermap and "winbind use default domain = false"
    -----------------------------------------------------------
    Test 1) EXAMPLE+tuser = tuser    (Note Able to login due to "NT_STATUS_ACCESS_DENIED")

           # smbclient \\\\192.168.122.15\\test -U tuser%test123
           Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
           tree connect failed: NT_STATUS_ACCESS_DENIED
    
    Test 2) tuser = EXAMPLE+tuser    (Access and directory listing working)

           # smbclient \\\\192.168.122.15\\test -U tuser%test123
           Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
           smb: \> ls
           .                                   D        0  Thu Oct 15 13:30:53 2015
           ..                                 DR        0  Thu Oct 15 13:21:46 2015
           a.txt                                        0  Thu Oct 15 13:30:53 2015
          35036 blocks of size 524288. 22261 blocks available
          smb: \> 

     
B)  /etc/samba/usermap and "winbind use default domain = true"
   ----------------------------------------------------------
     
    Test 1) EXAMPLE+tuser = tuser    (Able to login but getting NT_STATUS_ACCESS_DENIED during directory listing due to directory permission)
     
            # smbclient \\\\192.168.122.15\\test -U tuser%test123
            Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
            smb: \> ls
            NT_STATUS_ACCESS_DENIED listing \*
            smb: \>
     
    Test 2) tuser = EXAMPLE+tuser     (Able to login but getting NT_STATUS_ACCESS_DENIED during directory listing due to directory permission)
     
            # smbclient \\\\192.168.122.15\\test -U tuser%test123
            Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.6.23-20.el6]
            smb: \> ls
            NT_STATUS_ACCESS_DENIED listing \*
            smb: \>
Comment 1 Andreas Schneider 2015-10-15 09:28:16 UTC
Can someone explain how 'username map' is supposed to work in different scenarios (file server, authentication) and how 'winbind use default domain' affects it.

Do we have bugs here or is the documentation simply very very bad and people start to do stupid stuff cause of the missing docs?
Comment 2 Jeremy Allison 2015-10-15 18:28:13 UTC
(In reply to Andreas Schneider from comment #1)

The username map syntax is *really* old and crufty. Never really got updated for AD-environments.

I continue to *hate* "winbindd use default domain" in all cases :-).

Having said that I'm unclear what the original submitter is actually complaining about.

So to the submitter:

a). What do you want to do ?
b). How is username map not doing that ?
Comment 3 Andreas Schneider 2015-10-16 14:21:26 UTC
Jeremy, the issue here is that he has an AD and a Unix user with the same name.

If I understand the 'username map' syntax correctly, it only supports:

unixuser = smb_user (ad_user)


The mapping is done via getpwnam() calls so we are only support what comes out of nsswitch, right?
Comment 4 Björn Jacke 2019-07-14 21:16:08 UTC
winbind use default domain usage is not a good idea, especially with overlapping local/ad user names, this is considered to be an unsupported setup