Bug 1297 - Option 'username map' broken in 3.0.3rc1
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.4
Hardware: All FreeBSD
Importance: P2 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Reported: 2004-04-27 04:06 UTC by Matthias Schuendehuette
Modified: 2005-08-24 10:20 UTC

Attachments
make sure map_username() is only called once per session. (2.59 KB, patch)
2004-07-06 14:41 UTC, Gerald (Jerry) Carter (dead mail address)
Description Matthias Schuendehuette 2004-04-27 04:06:27 UTC
Samba 3.0.3rc1 maps users (at least) twice...

Here are the excerpts from the log-file (Debug-Level=4)
with my comments (# .....):

----------------8><------------------------------------
# The logfile starts after successful name resolution here...

[2004/04/27 12:19:40, 4] lib/username.c:map_username(132)
  Scanning username map /usr/local/private/smbusers.map
[2004/04/27 12:19:40, 3] lib/username.c:map_username(173)
  Mapped user B10ScMa6 to matthias
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# This is absolutely correct!

[2004/04/27 12:19:40, 4] libsmb/namequery_dc.c:ads_dc_name(43)
  ads_dc_name: domain=WW003
[2004/04/27 12:19:40, 3] libsmb/namequery.c:resolve_wins(755)
  resolve_wins: Attempting wins lookup for name BLNN200A<0x20>
[2004/04/27 12:19:40, 4] lib/wins_srv.c:wins_srv_is_dead(109)
  wins_srv_is_dead: 147.54.115.1 is alive
[2004/04/27 12:19:40, 4] lib/wins_srv.c:wins_srv_is_dead(109)
  wins_srv_is_dead: 147.54.115.1 is alive
[2004/04/27 12:19:40, 3] libsmb/namequery.c:resolve_wins(794)
  resolve_wins: using WINS server 147.54.115.1 and tag '*'
[2004/04/27 12:19:40, 4] libsmb/nmblib.c:debug_nmb_packet(109)
  nmb packet from 147.54.115.1(137) header: id=19614 opcode=Query(0) response=Yes
      header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
      header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
      answers: nmb_name=BLNN200A<20> rr_type=32 rr_class=1 ttl=0
      answers   0 char @..6sd   hex 400093367364

[...]

[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[WW003]\[B10ScMa6]@[B10P456C] with the new password interface

# ... still correct...

[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [WW003]\[matthias]@[B10P456C]

# That doesn't make sense (IMHO)! I mapped to a Unix(!)-Username according
# to smb.conf(5) (Section 'username map') which can't be authorized by the
# DC of [WW003]! Even the prefix "[WW003\" is wrong! This is a local user
# on the (FreeBSD-) Samba-Server

[...]

[2004/04/27 12:19:40, 4] lib/username.c:map_username(132)
  Scanning username map /usr/local/private/smbusers.map
[2004/04/27 12:19:40, 3] lib/username.c:map_username(173)
  Mapped user WW003\matthias to smb

# ... here the (mapped) username is mapped again - and of course
# not found, so the (wrong) username is mapped to the last default
# entry "smb=*". In username.c there's a comment, that username mapping
# *must* occur only once....

[...]

[2004/04/27 12:19:40, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(226)
  fetch sid from gid cache 256 -> S-1-5-21-2352418937-772958728-1491575205-1513
[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [B10ScMa6] succeeded

# This is correct again, so user authentication is obviously working but
# username mapping seems to be broken.

----------------8><------------------------------------

Here's my 'smb.conf':

--------- smb.conf -------8><--------------------------
# Samba config file created using SWAT
# from 147.54.112.205 (147.54.112.205)
# Date: 2004/04/27 08:16:25

# Global parameters
[global]
	unix charset = ISO8859-15
	workgroup = WW003
	realm = WW003.SIEMENS.NET
	netbios name = B10P433X
	server string = PTD M C, Test-Serverdienste
	interfaces = 147.54.112.205/22
	security = ADS
	password server = BLNN200A
	passdb backend = tdbsam, smbpasswd
	guest account = N/A
	username map = /usr/local/private/smbusers.map
	log level = 4
	log file = /var/log/samba/log.%m
	max log size = 50
	announce version = 4.0
	name resolve order = wins lmhosts hosts
	preferred master = No
	local master = No
	domain master = No
	browse list = No
	dns proxy = No
	wins server = 147.54.115.1
	ldap ssl = no
	printer admin = matthias

[print$]
	comment = NT-Drucker
	path = /usr/local/samba/printers
	admin users = matthias, root
	write list = matthias, root
	printer admin = matthias, root

[Pub]
	comment = Public Directory
	path = /usr/local/samba/smbpublic
	force group = samba
	read only = No
	create mask = 0660
	directory mask = 0775

[B10Q017C]
	comment = HP LaserJet 5M, Geb. 2b, Raum 2 1102
	path = /var/spool/samba
	read only = No
	printable = Yes
	printer name = B10Q017C

[homes]
	comment = user's homedirectories
	read only = No
	create mask = 0640
	directory mask = 0750
	browseable = No

--------- smb.conf -------8><--------------------------

and finally my 'smbusers.map':

--------- smbusers.map -------8><----------------------

#
# /usr/local/private/smbusers.map
# Usermapping between Unix and Windoze NT
# for host 'b10p433c.bln7.siemens.de'
# created on Mon, Apr 26, 2004, 15:30:00 MESZ
#

!matthias="B10ScMa6"
!root="B10ScMa7"
smb=*

--------- smbusers.map -------8><----------------------
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-04-28 21:49:41 UTC
[2004/04/27 12:19:40, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [WW003]\[matthias]@[B10P456C]

# That doesn't make sense (IMHO)! I mapped to a Unix(!)-Username according
# to smb.conf(5) (Section 'username map') which can't be authorized by the
# DC of [WW003]! Even the prefix "[WW003\" is wrong! This is a local user
# on the (FreeBSD-) Samba-Server

Actually, the current behavior defaults to trying the 
domain to which the server belongs.  So this was an intentional 
choice.  You might need to set 

  'auth methods = guest sam_ignoredomain ntdomain'

to get what you are looking for.

What seems to be happening is that the username map is 
being applied to the winbindd check (which is not running) 
and then once again for the ntdomain security check.
Overriding the default auth methods should fix this.

While the code may be complicated, I don't think there 
is a regression here.  Just a surprise.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-05-20 09:41:11 UTC
closing.  no response back from reporter.
Comment 3 Matthias Schuendehuette 2004-05-24 04:49:05 UTC
Hi Jerry,

I'm very sorry that I could not respond to your suggestion - I had three weeks
holidays :-)

But now:

You suggested to add

'auth methods = guest sam_ignoredomain ntdomain'

to make the usermapping work like Samba 2.x - this doesn't work for me.

I tried your suggestion with samba 3.0.4 under FreeBSD 5.2-CURRENT.

What happens is as follows:

With my conventional usermapping-file and without any 'auth methods':

!matthias = B10ScMa6
smb = *

I always become unix-user 'smb' (the default for 'all authenticated users') when
accessing the samba server as 'B10ScMa6'. If I remove the "smb = *" entry, I can
connect correctly (this is *new* for Samba 3.0.4, IIRC), but I have no default
for 'all authenticated users'.

As a workaround, I found the following:

If I add another line for each(!) user with the form:

<unix-account> = <Domain of WinUser>\<unix-account>

things are working as expected. For the example above the usermapping file now
looks:

!matthias = B10ScMa6
!matthias = WW003\matthias
smb = *

Where "WW003" is the domain of "B10ScMa6". With this additional line I work as
'matthias' on the samba-server and not as user 'smb' if I access the share from
a windows machine as user 'B10ScMa6'.


If I remove the line "!matthias = WW003\matthias" and add "auth methods = guest
sam_ignoredomain ntdomain" in 'smb.conf', I'm the default user 'smb' again - so
your suggestion does not change anything.


Regards - Matthias
Comment 4 Davide Bolcioni 2004-06-29 09:42:50 UTC
The same occurred to me, log excerpt follows:
...
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)]
lib/username.c:map_username(173) Mapped user Davide to ntadm
...
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[BANCHEDATI]\[Davide]@[DBOLCIONI] with the new password interface
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [BANCHEDATI]\[ntadm]@[DBOLCIONI]
...
[2004/06/29 17:58:54, 3, effective(0, 0), real(0, 0)]
lib/username.c:map_username(173)
  Mapped user BANCHEDATI\ntadm to ntguest
...

In my case, user Davide is a regular domain user, not a Unix-only user; winbindd
is not in use. The workaround suggested above works; a brief look in CVS for
map_username() of username.c revision 1.8 suggests that said function is
unexpectedly called more than once, hence the double mapping and the workaround.
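
Added example, not part of the bug report and not Samba's code: a simplified Python model of the map scan (`*` matches anything, a match on a `!` line ends the scan, no `@group` or NIS handling) that replays the single and double mapping seen in the logs above. The helper names and the assumption that the second call receives the already mapped name with the domain prefixed are taken from the log lines in this report, not from Samba's source.

```python
# Simplified model of the 'username map' scan; not Samba's implementation.
def parse_map(text):
    """Return (unix_name, client_names, stop_on_match) rules in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")  # '!' ends the scan when this line matches
        unix, _, names = line.lstrip("!").partition("=")
        # Whitespace-separated names; quotes stripped (no embedded spaces here).
        rules.append((unix.strip(), [n.strip('"') for n in names.split()], stop))
    return rules

def map_username(rules, user):
    """One pass over the map; later lines see the result of earlier ones."""
    for unix, names, stop in rules:
        if any(n == "*" or n.lower() == user.lower() for n in names):
            user = unix
            if stop:
                break
    return user

def session_user(rules, client_user, domain, passes):
    """Map once (intended) or twice (the behaviour shown in the logs)."""
    user = map_username(rules, client_user)
    if passes == 2:
        # Assumption from the logs: the second call gets DOMAIN\<mapped name>.
        user = map_username(rules, domain + "\\" + user)
    return user

# Map files as posted in this report.
REPORTED_MAP = '''
!matthias="B10ScMa6"
!root="B10ScMa7"
smb=*
'''
WORKAROUND_MAP = '''
!matthias = B10ScMa6
!matthias = WW003\\matthias
smb = *
'''

if __name__ == "__main__":
    for label, text in (("reported", REPORTED_MAP), ("workaround", WORKAROUND_MAP)):
        rules = parse_map(text)
        for passes in (1, 2):
            print(label, passes, session_user(rules, "B10ScMa6", "WW003", passes))
```

With the reported map the second pass falls through to `smb=*`; in the workaround map the extra `WW003\matthias` line is what catches the second pass.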
Comment 5 Gerald (Jerry) Carter (dead mail address) 2004-07-06 14:41:22 UTC
Created attachment 559 [details]
make sure map_username() is only called once per session.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2004-07-06 14:41:57 UTC
marking as fixed.  Please let me know if otherwise.
Comment 7 Matthias Schuendehuette 2004-07-13 02:49:49 UTC
Hello,

yes, I confirm that this bug is fixed. I applied the patch against samba 3.0.4
and it now works as expected.

Thank you for your effort!

Matthias
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:20:00 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.