Bug 2219 - user mapping is ignored
user mapping is ignored
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: Docs
x86 Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba Documentation QA Contact~
Depends on:
  Show dependency treegraph
Reported: 2005-01-06 13:45 UTC by Eral Trmb
Modified: 2009-04-04 08:02 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Eral Trmb 2005-01-06 13:45:00 UTC
Although I really do not have time for this, here is a follow-up to #1772:


1. Installed is Mandrake cooker 3.0.10 samba server:
# rpm -q samba-server

2. Using a basic /etc/samba/smb.conf:
#======================= Global Settings =====================================
   workgroup = ERALTEST
   server string = Samba Server %v
   log file = /var/log/samba/log.%m
   max log size = 50
   log level = 10
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
;  Next line is default. Uncommenting it does not change anything
;  username map = /etc/samba/smbusers
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
#============================ Share Definitions ==============================
   comment = Home Directories
   browseable = no
   writable = yes
#============================ End of smb.conf ================================

3. Create two linux users with linux passwords:
# useradd linuser1
# passwd linuser1
# useradd linuser2
# passwd linuser2

4. Create two samba users with samba passwords:
# smbpasswd -a linuser1
# smbpasswd -a linuser2

5. Map linuser1 to sambauser1:
# echo > /etc/samba/smbusers << EOF
> linuser1 = sambauser1
> linuser2 = linuser2

6. start smb:
# service smb start
Starting SMB services:                                          [  OK  ]
Starting NMB services:                                          [  OK  ]

7. Check the share for sambauser1 with linuser1 samba passwd:
$ smbclient -L this.smb.serv.ip -d 10 -U sambauser1 -W ERALTEST
session setup failed: NT_STATUS_LOGON_FAILURE

8. Check the share for linuser2 with linuser2 samba passwd:
$ smbclient -L this.smb.serv.ip -U linuser2 -W ERALTEST
Domain=[ERAL] OS=[Unix] Server=[Samba 3.0.10]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server 3.0.10)
        ADMIN$          IPC       IPC Service (Samba Server 3.0.10)
        linuser2        Disk      Home Directories
Domain=[ERAL] OS=[Unix] Server=[Samba 3.0.10]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

9. Conclusion: Or I am doing something wrong, or user mapping is b0rked.
I am reluctant to post the logs here, but this case is simple enough and should
not take long to reproduce. I see the same kind of problems with 3.0.9 on Suse
and Fedora C3 using security = domain, when FC3 3.0.8 works with the exact same
config files. Since the last releases are security fixes, I set the severity to
Comment 1 Eral Trmb 2005-01-31 16:22:37 UTC
OK. For this test case, I was missing a domain master = yes line in smb.conf

But for security = domain, the fix has been found by Kaare Hviid on Debian. Many
thanks to him.

The smbusers file must in that case contain lines like:

linuser1 = DOMAIN\sambauser1

This is not documented in smb.conf man page, not backward compatible and will
not work when security is set to user.
Comment 2 Gerald (Jerry) Carter 2005-01-31 17:51:43 UTC
This was documented in the WHATSNEW.  Did you read the 
release notes?
Comment 3 Eral Trmb 2005-01-31 20:01:31 UTC
I read it... today :\

But from:

"Previous Samba releases would only support reading the fully qualified
username (e.g. DOMAIN\user) from the username map when performing a
kerberos login from a client.  However, when looking up a map
entry for a user authenticated by NTLM[SSP], only the login name would be
used for matches.  This resulted in inconsistent behavior sometimes
even on the same server.

Samba 3.0.8 obeys the following rules when applying the username
map functionality:

  * When performing local authentication, the username map is
    applied to the login name before attempting to authenticate
    the connection.
  * When relying upon a external domain controller for validating
    authentication requests, smbd will apply the username map
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated."

Should I logically go straight to smbusers and add the domain name in front of
all users?

/me thinks it would be nice to have something clearer under the SECURITY=DOMAIN
section of the smb.conf man page (that's why I lowered the priority and set the
component to Docs). Wouldn't you agree? I know I am dumb, but I cannot be the
only one bitten by that modification. I closed the bug on RH with the
explanation, hopefully that will help a bit.
Comment 4 Gerald (Jerry) Carter 2005-02-01 12:01:33 UTC
updating qa contact