Although I really do not have time for this, here is a follow-up to #1772:
https://bugzilla.samba.org/show_bug.cgi?id=1772

1. Installed is Mandrake cooker 3.0.10 samba server:

   # rpm -q samba-server
   samba-server-3.0.10-1mdk

2. Using a basic /etc/samba/smb.conf:

   #======================= Global Settings =====================================
   [global]
   workgroup = ERALTEST
   server string = Samba Server %v
   log file = /var/log/samba/log.%m
   max log size = 50
   log level = 10
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   ; Next line is default. Uncommenting it does not change anything
   ; username map = /etc/samba/smbusers
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   #============================ Share Definitions ==============================
   [homes]
   comment = Home Directories
   browseable = no
   writable = yes
   #============================ End of smb.conf ================================

3. Create two linux users with linux passwords:

   # useradd linuser1
   # passwd linuser1
   # useradd linuser2
   # passwd linuser2

4. Create two samba users with samba passwords:

   # smbpasswd -a linuser1
   # smbpasswd -a linuser2

5. Map linuser1 to sambauser1:

   # echo > /etc/samba/smbusers << EOF
   > linuser1 = sambauser1
   > linuser2 = linuser2
   > EOF

6. Start smb:

   # service smb start
   Starting SMB services:                                          [  OK  ]
   Starting NMB services:                                          [  OK  ]

7. Check the share for sambauser1 with linuser1 samba passwd:

   $ smbclient -L this.smb.serv.ip -d 10 -U sambauser1 -W ERALTEST
   ...
   session setup failed: NT_STATUS_LOGON_FAILURE

8. Check the share for linuser2 with linuser2 samba passwd:

   $ smbclient -L this.smb.serv.ip -U linuser2 -W ERALTEST
   Password:
   Domain=[ERAL] OS=[Unix] Server=[Samba 3.0.10]

           Sharename       Type      Comment
           ---------       ----      -------
           IPC$            IPC       IPC Service (Samba Server 3.0.10)
           ADMIN$          IPC       IPC Service (Samba Server 3.0.10)
           linuser2        Disk      Home Directories
   Domain=[ERAL] OS=[Unix] Server=[Samba 3.0.10]

           Server               Comment
           ---------            -------

           Workgroup            Master
           ---------            -------
           ERALTEST

9. Conclusion: Either I am doing something wrong, or user mapping is b0rked.

I am reluctant to post the logs here, but this case is simple enough and should not take long to reproduce. I see the same kind of problems with 3.0.9 on Suse and Fedora C3 using security = domain, when FC3 3.0.8 works with the exact same config files. Since the last releases are security fixes, I set the severity to critical.
OK. For this test case, I was missing a domain master = yes line in smb.conf. But for security = domain, the fix has been found by Kaare Hviid on Debian. Many thanks to him. The smbusers file must in that case contain lines like:

   linuser1 = DOMAIN\sambauser1

This is not documented in the smb.conf man page, is not backward compatible and will not work when security is set to user.
This was documented in the WHATSNEW. Did you read the release notes?
I read it... today :\ But from:

   "Previous Samba releases would only support reading the fully qualified
   username (e.g. DOMAIN\user) from the username map when performing a
   kerberos login from a client. However, when looking up a map entry for a
   user authenticated by NTLM[SSP], only the login name would be used for
   matches. This resulted in inconsistent behavior sometimes even on the
   same server. Samba 3.0.8 obeys the following rules when applying the
   username map functionality:

   * When performing local authentication, the username map is applied to
     the login name before attempting to authenticate the connection.

   * When relying upon an external domain controller for validating
     authentication requests, smbd will apply the username map to the fully
     qualified username (i.e. DOMAIN\user) only after the user has been
     successfully authenticated."

Should I logically go straight to smbusers and add the domain name in front of all users?

/me thinks it would be nice to have something clearer under the SECURITY=DOMAIN section of the smb.conf man page (that's why I lowered the priority and set the component to Docs). Wouldn't you agree? I know I am dumb, but I cannot be the only one bitten by that modification.

I closed the bug on RH with the explanation, hopefully that will help a bit.
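The two WHATSNEW rules quoted above explain the whole thread: under security = user the map key is the bare login name, under security = domain it is DOMAIN\user, so a map line written one way cannot match in the other mode. The following is an added illustration of those rules, not Samba's own code and not anything posted by the reporter. It parses a simplified smbusers-style map (only "unixname = name ..." lines; no @group or ! syntax), resolves a login the way the rules describe, and lints a map for entries that can never match in a given security mode. The domain label ERALTEST is taken from the reporter's workgroup setting; the case-insensitive comparison and the "no match means no mapping" result are assumptions made for this model.

```python
"""Model of the Samba 3.0.8+ username map rules (added illustration, not
Samba code).  security = user: map applied to the login name before
authentication.  security = domain: map applied only to the fully
qualified DOMAIN\\user name after the DC has authenticated the user."""


def parse_username_map(text):
    """Parse smbusers-style lines 'unixname = winname1 winname2 ...'.

    Returns a list of (unix_name, windows_name) pairs in file order.
    Simplified: ';' and '#' start comments; @group and ! forms are not
    handled.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        unix_name, _, rhs = line.partition("=")
        for win_name in rhs.split():
            entries.append((unix_name.strip(), win_name))
    return entries


def lookup(entries, key):
    """Return the unix name mapped from `key`, or None if no entry matches.
    Names are compared case-insensitively (assumption of this model)."""
    for unix_name, win_name in entries:
        if win_name.lower() == key.lower():
            return unix_name
    return None


def resolve(security, login_name, domain, entries):
    """Apply the map the way the 3.0.8 rules describe for `security`.

    Returns (key_used, unix_name); unix_name is None when nothing matched.
    """
    if security == "user":
        key = login_name                   # bare login name, before auth
    elif security == "domain":
        key = f"{domain}\\{login_name}"    # DOMAIN\\user, after DC auth
    else:
        raise ValueError(f"unsupported security mode: {security}")
    return key, lookup(entries, key)


def unmatchable_entries(security, entries):
    """Lint: list windows names in the map that can never match in `security`
    mode (domain mode needs a backslash-qualified name, user mode needs a
    bare one).  Useful to check smbusers after changing the security mode."""
    bad = []
    for _, win_name in entries:
        qualified = "\\" in win_name
        if (security == "domain" and not qualified) or \
           (security == "user" and qualified):
            bad.append(win_name)
    return bad


# Constructed sample maps: the reporter's original file and the fixed form.
MAP_OLD = "linuser1 = sambauser1\nlinuser2 = linuser2\n"
MAP_NEW = "linuser1 = ERALTEST\\sambauser1\nlinuser2 = ERALTEST\\linuser2\n"
DOMAIN = "ERALTEST"

if __name__ == "__main__":
    for label, text in (("old map", MAP_OLD), ("new map", MAP_NEW)):
        entries = parse_username_map(text)
        for mode in ("user", "domain"):
            key, unix = resolve(mode, "sambauser1", DOMAIN, entries)
            print(f"{label}, security = {mode}: key {key!r} -> {unix!r}; "
                  f"unmatchable entries: {unmatchable_entries(mode, entries)}")
```

Running the script shows the asymmetry the reporter hit: the old map resolves sambauser1 to linuser1 only under security = user, and the new DOMAIN\user form resolves it only under security = domain, where the old entries are reported as never matchable.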
updating qa contact