Bug 2546 - Winbind/Samba sees username without domain\ component
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.4
Hardware: x86 Windows 2000
Importance: P3 normal
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
QA Contact: Samba QA Contact
URL: http://lists.samba.org/archive/samba/...
Reported: 2005-03-24 10:26 UTC by Tyler
Modified: 2005-08-24 10:17 UTC
Description Tyler 2005-03-24 10:26:30 UTC
Overview
On a PC joined to a Windows domain, and logged into Windows as a domain user:
when using Windows Explorer to make an initial connection to a Samba share on a
Samba server joined to the same domain as the client, the connection fails and
the user is prompted for credentials in Windows. Upon entering domain\username
credentials, the connection succeeds.

Steps to Reproduce
Join Samba server as member server in a Windows domain. Join client to same
domain. Log in to client as valid domain user. Enter \\servername\sharename into
Windows Explorer. 

Actual Results
Username/password prompt appears in Windows.

Expected Results
Connection is made and the desired \\server\share appears in Windows Explorer
without a username/password prompt. This behavior is exhibited on Samba 2.2.

Additional Information
When Windows makes the initial connection before user is prompted in Windows:
#/var/log/samba.clienthostname
[2005/03/16 11:37:22, 0] auth/auth_util.c:make_server_info_info3(1120)
  make_server_info_info3: pdb_init_sam failed!
useradd: invalid user name 'USERNAME'
useradd: invalid user name 'USERNAME'
useradd: invalid user name 'USERNAME'

After user enters domain\username at Windows prompt:
#/var/log/samba.clienthostname
[2005/03/16 15:27:41, 1] smbd/service.c:make_connection_snum(619)
  clienthostname (1.2.3.4) connect to service sharename initially as
user username (uid=1000, gid=100) (pid 1016)

#/etc/samba/smb.conf
[global]
        workgroup = DOMAIN
        server string = Samba Server
        security = DOMAIN
        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
        log file = /var/log/samba.%m
        max log size = 50
        add user script = /usr/sbin/useradd -g users %u
        dns proxy = No
        wins server = 1.2.3.4, 2.3.4.5
        ldap ssl = no
        idmap uid = 10000-200000
        idmap gid = 10000-200000
        winbind use default domain = Yes
        netbios name = SERVER
        password server = *

#/etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
hosts:          files dns
networks:       files
services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files
automount:      files
aliases:        files

Patch from Schlomo Schapiro
-------------8<---------------
/* Parse a string of the form DOMAIN/user into a domain and a user */ /*
Changed by Schlomo to set the samba workgroup as default domain to integrate
domain users transparently
*/

void parse_domain_user(char *domuser, fstring domain, fstring user) {

        char *p;
        char *sep = lp_winbind_separator();
        char *workgroup = lp_workgroup();
        if (!sep) sep = "\\";
        p = strchr(domuser,*sep);
        if (!p) p = strchr(domuser,'\\');
        if (!p) {
                fstrcpy(domain,workgroup);
                fstrcpy(user, domuser);
                return;
        }
        
        fstrcpy(user, p+1);
        fstrcpy(domain, domuser);
        domain[PTR_DIFF(p, domuser)] = 0;
        strupper(domain);


}

----------------->8-------------------
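Review bot: the `if (!sep) sep = "\\";` guard in parse_domain_user only covers a NULL return from lp_winbind_separator(); if the separator is an empty string, `strchr(domuser,*sep)` searches for the terminator and returns a non-NULL pointer to the end of domuser, so `fstrcpy(user, p+1)` reads past the end of the input. Test `!sep || !*sep` before the search. Separately, `domain[PTR_DIFF(p, domuser)] = 0;` uses the separator's offset in the input as an index without checking it against the size of domain, so add a bound there. The new fallback also assigns lp_workgroup() to every name that has no separator, which includes names meant for local accounts; the comment should state that this is intended.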

Comments
It almost seems as if the initial connection by Windows is sending the
naked username, without the domain\ in front. Is there a way to tell
Winbind to add domain\ in front of naked usernames or something? As
you can see above I turned on 'winbind use default domain' but
obviously that does not fix the problem.
Comment 1 Gerald (Jerry) Carter 2005-03-24 11:16:57 UTC
Is this really 3.0.4? I can't reproduce this behavior
(and haven't seen it for a long time). Can you retest
against 3.0.13? Thanks.
Comment 2 Tyler 2005-03-25 09:08:34 UTC
Yes, 'smbd --version' reports 3.0.4. It came with Slackware 10 and is on a
server that is about to go production. So I will have to try 3.0.13 on a
different Slackware 10 machine.
Comment 3 Tyler 2005-03-30 15:39:55 UTC
It works properly with 3.0.13; i.e., the first time Windows connects, a local
Linux system account is created and Windows does not prompt domain users on
domain PCs for logon credentials. This bug appears to be limited to 3.0.4, or is
a problem introduced by Slackware's method of packaging of Samba in their
distribution, or is a problem in my configuration. However, I copied the exact
same smb.conf over to my 3.0.13 box -- so I don't think it's the configuration.
Comment 4 Tyler 2005-03-30 16:06:58 UTC
Ah-HA!

Samba 3.0.4 passes a CAPITALIZED username to the add user script. The Linux
system utility 'useradd' does not accept ALL CAPS usernames. I wrote a little
script called myuseradd (below), which converts the uppercase username passed by
Samba to lowercase before passing it to the add user script. The lowercase
username is accepted by useradd, and this allows 3.0.4 to work properly, just
like 2.2 and 3.0.13. So it is a bug in 3.0.4 -- 3.0.4 should lowercase the
username string before passing it to the add user script.

Not sure what status you want to put on this bug now, Jerry.

#/bin/myuseradd
tolower ()             #  Converts string(s) passed as argument(s)
{                      #+ to lowercase.

  if [ -z "$1" ]       #  If no argument(s) passed,
  then                 #+ send error message
    echo "(null)"      #+ (C-style void-pointer error message)
    return             #+ and return from function.
  fi  

  printf '%s\n' "$*" | tr A-Z a-z
  # Translate all passed arguments ($*); printf, unlike echo, does not
  # treat a name beginning with "-" as an option.

  return

# Use command substitution to set a variable to function output.
# For example:
#    oldvar="A seT of miXed-caSe LEtTerS"
#    newvar=`tolower "$oldvar"`
#    echo "$newvar"    # a set of mixed-case letters

}

# Quote the substitution so the name reaches useradd as a single argument.
useradd -g users "$(tolower "$@")"
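A stricter take on the wrapper idea from Comment 4, as an added example that is not part of the original thread or of Samba: `add user script` runs as root with %u taken from the name the client presented, so this version lowercases the name and passes it on only if it fits an allowlist. The function names, the allowed character set and the 32-character limit are assumptions.

```shell
#!/bin/sh
# Added example: hardened replacement for the myuseradd wrapper.
# normalize_user/add_user and the name rules below are assumptions.
LC_ALL=C; export LC_ALL      # make a-z and A-Z mean ASCII only

# Print the lowercased account name, or return 1 if it must be rejected.
normalize_user() {
  [ "$#" -eq 1 ] || return 1               # exactly one argument from %u
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case $name in
    ''|*[!a-z0-9_-]*) return 1 ;;          # empty, or outside the allowlist
  esac                                     # (rejects \ / space ; $ etc.)
  case $name in
    [a-z_]*) ;;                            # must not start with "-" or a digit
    *) return 1 ;;
  esac
  [ "${#name}" -le 32 ] || return 1        # assumed useradd length limit
  printf '%s\n' "$name"
}

# Create the account only when the name passed validation.
add_user() {
  user=$(normalize_user "$@") || {
    echo "myuseradd: rejected account name" >&2
    return 1
  }
  /usr/sbin/useradd -g users "$user"
}

# Run only when smbd supplies an argument (add user script = ... %u).
[ "$#" -eq 0 ] || add_user "$@"
```
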
Comment 5 Gerald (Jerry) Carter 2005-05-10 08:30:51 UTC
Fixed in a later release. Verified by reporter.
Comment 6 Gerald (Jerry) Carter 2005-08-24 10:17:52 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.