Samba 3.0.3rc1 maps users (at least) twice...

Here are the excerpts from the log-file (Debug-Level=4) with my comments (# .....):

----------------8><------------------------------------
# The logfile starts after successful name resolution here...
[2004/04/27 12:19:40, 4] lib/username.c:map_username(132)
  Scanning username map /usr/local/private/smbusers.map
[2004/04/27 12:19:40, 3] lib/username.c:map_username(173)
  Mapped user B10ScMa6 to matthias
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# This is absolutely correct!
[2004/04/27 12:19:40, 4] libsmb/namequery_dc.c:ads_dc_name(43)
  ads_dc_name: domain=WW003
[2004/04/27 12:19:40, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: Attempting wins lookup for name BLNN200A<0x20>
[2004/04/27 12:19:40, 4] lib/wins_srv.c:wins_srv_is_dead(109)
  wins_srv_is_dead: 147.54.115.1 is alive
[2004/04/27 12:19:40, 4] lib/wins_srv.c:wins_srv_is_dead(109)
  wins_srv_is_dead: 147.54.115.1 is alive
[2004/04/27 12:19:40, 3] libsmb/namequery.c:resolve_wins(794)
  resolve_wins: using WINS server 147.54.115.1 and tag '*'
[2004/04/27 12:19:40, 4] libsmb/nmblib.c:debug_nmb_packet(109)
  nmb packet from 147.54.115.1(137)
  header: id=19614 opcode=Query(0) response=Yes
  header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
  header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
  answers: nmb_name=BLNN200A<20> rr_type=32 rr_class=1 ttl=0
  answers 0 char @..6sd hex 400093367364
[...]
[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [WW003]\[B10ScMa6]@[B10P456C] with the new password interface
# ... still correct...
[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [WW003]\[matthias]@[B10P456C]
# That doesn't make sense (IMHO)! I mapped to a Unix(!)-Username according
# to smb.conf(5) (Section 'username map') which can't be authorized by the
# DC of [WW003]! Even the prefix "[WW003\" is wrong! This is a local user
# on the (FreeBSD-) Samba-Server
[...]
[2004/04/27 12:19:40, 4] lib/username.c:map_username(132)
  Scanning username map /usr/local/private/smbusers.map
[2004/04/27 12:19:40, 3] lib/username.c:map_username(173)
  Mapped user WW003\matthias to smb
# ... here the (mapped) username is mapped again - and of course
# not found, so the (wrong) username is mapped to the last default
# entry "smb=*". In username.c there's a comment, that username mapping
# *must* occur only once....
[...]
[2004/04/27 12:19:40, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(226)
  fetch sid from gid cache 256 -> S-1-5-21-2352418937-772958728-1491575205-1513
[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [B10ScMa6] succeeded
# This is correct again, so user authentication is obviously working but
# username mapping seems to be broken.
----------------8><------------------------------------

Here's my 'smb.conf':

--------- smb.conf -------8><--------------------------
# Samba config file created using SWAT
# from 147.54.112.205 (147.54.112.205)
# Date: 2004/04/27 08:16:25

# Global parameters
[global]
    unix charset = ISO8859-15
    workgroup = WW003
    realm = WW003.SIEMENS.NET
    netbios name = B10P433X
    server string = PTD M C, Test-Serverdienste
    interfaces = 147.54.112.205/22
    security = ADS
    password server = BLNN200A
    passdb backend = tdbsam, smbpasswd
    guest account = N/A
    username map = /usr/local/private/smbusers.map
    log level = 4
    log file = /var/log/samba/log.%m
    max log size = 50
    announce version = 4.0
    name resolve order = wins lmhosts hosts
    preferred master = No
    local master = No
    domain master = No
    browse list = No
    dns proxy = No
    wins server = 147.54.115.1
    ldap ssl = no
    printer admin = matthias

[print$]
    comment = NT-Drucker
    path = /usr/local/samba/printers
    admin users = matthias, root
    write list = matthias, root
    printer admin = matthias, root

[Pub]
    comment = Public Directory
    path = /usr/local/samba/smbpublic
    force group = samba
    read only = No
    create mask = 0660
    directory mask = 0775

[B10Q017C]
    comment = HP LaserJet 5M, Geb. 2b, Raum 2 1102
    path = /var/spool/samba
    read only = No
    printable = Yes
    printer name = B10Q017C

[homes]
    comment = user's homedirectories
    read only = No
    create mask = 0640
    directory mask = 0750
    browseable = No
--------- smb.conf -------8><--------------------------

and finally my 'smbusers.map':

--------- smbusers.map -------8><----------------------
#
# /usr/local/private/smbusers.map
# Usermapping between Unix and Windoze NT
# for host 'b10p433c.bln7.siemens.de'
# created on Mon, Apr 26, 2004, 15:30:00 MESZ
#
!matthias="B10ScMa6"
!root="B10ScMa7"
smb=*
--------- smbusers.map -------8><----------------------
[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [WW003]\[matthias]@[B10P456C]
# That doesn't make sense (IMHO)! I mapped to a Unix(!)-Username according
# to smb.conf(5) (Section 'username map') which can't be authorized by the
# DC of [WW003]! Even the prefix "[WW003\" is wrong! This is a local user
# on the (FreeBSD-) Samba-Server

Actually, the current behavior defaults to trying the domain to which the server belongs. So this was an intentional choice. You might need to set 'auth methods = guest sam_ignoredomain ntdomain' to get what you are looking for.

What seems to be happening is that the username map is being applied to the winbindd check (which is not running) and then once again for the ntdomain security check. Overriding the default auth methods should fix this.

While the code may be complicated, I don't think there is a regression here. Just a surprise.
closing. no response back from reporter.
Hi Jerry,

I'm very sorry that I could not respond to your suggestion - I had three weeks holidays :-)

But now: You suggested to add 'auth methods = guest sam_ignoredomain ntdomain' to make the usermapping work like Samba 2.x - this doesn't work for me. I tried your suggestion with samba 3.0.4 under FreeBSD 5.2-CURRENT. What happens is as follows:

With my conventional usermapping-file and without any 'auth methods':

!matthias = B10ScMa6
smb = *

I always become unix-user 'smb' (the default for 'all authenticated users') when accessing the samba server as 'B10ScMa6'. If I remove the "smb = *" entry, I can connect correctly (this is *new* for Samba 3.0.4, IIRC), but I have no default for 'all authenticated users'.

As a workaround, I found the following: If I add another line for each(!) user with the form:

<unix-account> = <Domain of WinUser>\<unix-account>

things are working as expected. For the example above the usermapping file now looks:

!matthias = B10ScMa6
!matthias = WW003\matthias
smb = *

Where "WW003" is the domain of "B10ScMa6". With this additional line I work as 'matthias' on the samba-server and not as user 'smb' if I access the share from a windows machine as user 'B10ScMa6'.

If I remove the line "!matthias = WW003\matthias" and add "auth methods = guest sam_ignoredomain ntdomain" in 'smb.conf', I'm the default user 'smb' again - so your suggestion does not change anything.

Regards - Matthias
The same occurred to me, log excerpt follows:

...
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)] lib/username.c:map_username(173)
  Mapped user Davide to ntadm
...
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [BANCHEDATI]\[Davide]@[DBOLCIONI] with the new password interface
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [BANCHEDATI]\[ntadm]@[DBOLCIONI]
...
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)] lib/username.c:map_username(173)
  Mapped user BANCHEDATI\ntadm to ntguest
...

In my case, user Davide is a regular domain user, not a Unix-only user; winbindd is not in use. The workaround suggested above works; a brief look in CVS for map_username() of username.c revision 1.8 suggests that said function is unexpectedly called more than once, hence the double mapping and the workaround.
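
The double mapping reported in the comments above, replayed against the reporter's smbusers.map as an added example (not part of the thread and not Samba's code). It is a simplified Python model of the 'username map' rules ('!' stops at the first matching line, '*' matches any name); session_user() and its passes parameter are hypothetical, and handing the second pass a domain-qualified name follows the "Mapped user WW003\matthias to smb" log line.

```python
# Simplified model of 'username map' processing as described in smb.conf(5).
# Assumption: this is NOT Samba's lib/username.c, only the matching rules.
SMBUSERS_MAP = r"""
!matthias="B10ScMa6"
!root="B10ScMa7"
smb=*
"""

# Same map plus the workaround line from the follow-up comment.
WORKAROUND_MAP = r"""
!matthias = B10ScMa6
!matthias = WW003\matthias
!root = B10ScMa7
smb = *
"""

def map_username(map_text, user):
    """Apply one pass of the map and return the resulting Unix name."""
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        stop = line.startswith("!")       # '!' = stop processing on a match
        unix, sep, clients = line.lstrip("!").partition("=")
        if not sep:
            continue
        names = [n.strip('"').lower() for n in clients.split()]
        if "*" in names or user.lower() in names:
            user = unix.strip()
            if stop:
                break
    return user

def session_user(map_text, domain, client_user, passes):
    """passes=1 is one mapping per session; passes=2 is the reported double call."""
    user = map_username(map_text, client_user)
    for _ in range(passes - 1):
        # The later call sees the already-mapped name, prefixed with the domain.
        user = map_username(map_text, domain + "\\" + user)
    return user

if __name__ == "__main__":
    for label, text in (("original", SMBUSERS_MAP), ("workaround", WORKAROUND_MAP)):
        for passes in (1, 2):
            result = session_user(text, "WW003", "B10ScMa6", passes)
            print(f"{label:10} passes={passes}: B10ScMa6 -> {result}")
```

With a catch-all "smb = *" line, the second pass lands every mapped user on the catch-all account, which is why comparing the "Mapped user" log lines within one session shows the problem.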
Created attachment 559
make sure map_username() is only called once per session.
marking as fixed. Please let me know if otherwise.
Hello,

yes, I confirm that this bug is fixed. I applied the patch against samba 3.0.4 and it now works as expected. Thank you for your effort!

Matthias
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.