Bug 3043 - username mapping does not work in 'security = domain'
Status: RESOLVED INVALID
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.14a
Hardware: Sparc Solaris
Importance: P3 regression
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
QA Contact: Samba QA Contact
Reported: 2005-08-25 10:42 UTC by Eric Boehm
Modified: 2005-08-29 08:27 UTC (History)
Attachments
Top-level smb.conf (1.26 KB, text/plain)
2005-08-25 11:48 UTC, Eric Boehm
Global settings smb.conf (3.34 KB, text/plain)
2005-08-25 11:49 UTC, Eric Boehm
Shares smb.conf for host (2.99 KB, text/plain)
2005-08-25 11:49 UTC, Eric Boehm
username map (17 bytes, text/plain)
2005-08-25 11:50 UTC, Eric Boehm

Description Eric Boehm 2005-08-25 10:42:18 UTC
I was able to connect to a service in Samba 2.2.8a as a mapped user. This now
fails under Samba 3.0.14a. I am not able to get Samba 3.0.20pre2 or 3.0.20 smbd
to run successfully. It fails with a SEGV.

From samba 2.2.8a (excerpts from level 10 log)
[2005/08/25 13:31:11, 3, pid=29053] smbd/reply.c:(880)
  Domain=[americase]  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1]
[2005/08/25 13:31:11, 3, pid=29053] smbd/reply.c:(890)
  sesssetupX:name=[pnmadm09]
[2005/08/25 13:31:11, 3, pid=29053] lib/username.c:(168)
  Mapped user pnmadm09 to boehm
[2005/08/25 13:31:11, 3, pid=29053] libsmb/namequery.c:(769)
  resolve_lmhosts: Attempting lmhosts lookup for name ZRTPD0PP<0x20>
[2005/08/25 13:31:11, 3, pid=29053] lib/util_sock.c:(845)
  Connecting to 47.140.205.113 at port 445
[2005/08/25 13:31:12, 3, pid=29053] smbd/password.c:(336)
  uid 20718 registered to name boehm
[2005/08/25 13:31:12, 3, pid=29053] smbd/password.c:(338)
  Clearing default real name
[2005/08/25 13:31:12, 3, pid=29053] smbd/password.c:(340)
  User name: boehm      Real name: Eric Boehm,0904459
[2005/08/25 13:31:12, 3, pid=29053] smbd/password.c:(736)
  authorise_login: ACCEPTED: validated uid ok as non-guest (user=boehm)
[2005/08/25 13:31:12, 1, pid=29053] smbd/service.c:(636)
  boehm-1 (47.143.20.49) connect to service export as user boehm (uid=20718, gid=2245) (pid 29053)

From 3.0.14a logs
1. Connecting as user boehm
[2005/08/25 13:29:28, 3, pid=28608] ../source/libsmb/ntlmssp.c:(606)
  Got user=[BOEHM] domain=[AMERICASE] workstation=[BOEHM-1] len1=24 len2=24
[2005/08/25 13:29:29, 3, pid=28608] ../source/auth/auth.c:(219)
  check_ntlm_password:  Checking password for unmapped user [AMERICASE]\[BOEHM]@[BOEHM-1] with the new password interface
[2005/08/25 13:29:30, 2, pid=28608] ../source/auth/auth.c:(305)
  check_ntlm_password:  authentication for user [BOEHM] -> [BOEHM] -> [boehm] succeeded
[2005/08/25 13:29:30, 3, pid=28608] ../source/smbd/password.c:(241)
  UNIX uid 20718 is UNIX user boehm, and will be vuid 101
[2005/08/25 13:29:30, 1, pid=28608] ../source/smbd/service.c:(642)
  boehm-1 (47.143.20.49) connect to service export initially as user boehm (uid=20718, gid=2245) (pid 28608)

2. Connect as user pnmadm09 which is mapped to boehm
[2005/08/25 13:30:02, 3, pid=28786] ../source/libsmb/ntlmssp.c:(606)
  Got user=[pnmadm09] domain=[americase] workstation=[BOEHM-1] len1=24 len2=24
[2005/08/25 13:30:03, 2, pid=28786] ../source/auth/auth.c:(312)
  check_ntlm_password:  Authentication for user [pnmadm09] -> [boehm] FAILED with error NT_STATUS_NO_SUCH_USER

Level 10 logs are available
Comment 1 Gerald (Jerry) Carter 2005-08-25 11:08:30 UTC
don't suppose you read the release notes did you?
This was in 3.0.8.  See if it applies to you.

======================
Change in Username Map
======================

Previous Samba releases would only support reading the fully qualified
username (e.g. DOMAIN\user) from the username map when performing a
kerberos login from a client.  However, when looking up a map
entry for a user authenticated by NTLM[SSP], only the login name would be
used for matches.  This resulted in inconsistent behavior sometimes
even on the same server.

Samba 3.0.8 obeys the following rules when applying the username
map functionality:

  * When performing local authentication, the username map is
    applied to the login name before attempting to authenticate
    the connection.
  * When relying upon an external domain controller for validating
    authentication requests, smbd will apply the username map
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated.

Comment 2 Gerald (Jerry) Carter 2005-08-25 11:28:43 UTC
Eric, could you attach your smb.conf and your current username 
map file?  Thanks.
Comment 3 Eric Boehm 2005-08-25 11:48:40 UTC
Created attachment 1400 [details]
Top-level smb.conf

Jerry asked me to attach my smb.conf (really 3 files, smb.conf,
smb.conf.global.`hostname` and smb.conf.shares.`hostname`) and my username.map
Comment 4 Eric Boehm 2005-08-25 11:49:05 UTC
Created attachment 1401 [details]
Global settings smb.conf

Jerry asked me to attach my smb.conf (really 3 files, smb.conf,
smb.conf.global.`hostname` and smb.conf.shares.`hostname`) and my username.map
Comment 5 Eric Boehm 2005-08-25 11:49:28 UTC
Created attachment 1402 [details]
Shares smb.conf for host

Jerry asked me to attach my smb.conf (really 3 files, smb.conf,
smb.conf.global.`hostname` and smb.conf.shares.`hostname`) and my username.map
Comment 6 Eric Boehm 2005-08-25 11:50:19 UTC
Created attachment 1403 [details]
username map

Jerry asked me to attach my smb.conf (really 3 files, smb.conf,
smb.conf.global.`hostname` and smb.conf.shares.`hostname`) and my username.map

Attached username.map has
boehm = pnmadm09

I later found that

boehm = americase\pnmadm09

or 

americase\boehm = americase\pnmadm09 

will work after all
Comment 7 Gerald (Jerry) Carter 2005-08-29 08:27:46 UTC
Eric says he got it to work so closing bug.
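
Added example, not part of the bug thread and not Samba's code: a simplified Python model of the two rules quoted from the 3.0.8 release notes, run against the map entries from Comment 6, plus a check that flags entries which cannot match once a domain controller validates logins. The function names are hypothetical; the model takes the first matching line, compares names case-insensitively (an assumption), and leaves out the "!" stop marker, @group, "*" and quoted names.

```python
# Simplified model of the 3.0.8 username map rules; not Samba's implementation.
# Supported: "unix_name = client_name ..." lines and "#" / ";" comments.

OLD_MAP = "boehm = pnmadm09\n"              # entry attached to the bug
NEW_MAP = "boehm = americase\\pnmadm09\n"   # entry reported to work


def parse_map(text):
    """Return [(unix_name, [client_names])] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, clients = line.partition("=")
        entries.append((unix.strip(), clients.split()))
    return entries


def lookup_name(login, domain, external_dc):
    """Name that is compared against the map under each rule."""
    # Local authentication: bare login name, before authenticating.
    # External domain controller: DOMAIN\user, after authentication succeeds.
    return domain + "\\" + login if external_dc else login


def resolve(entries, login, domain, external_dc):
    """Unix name the client is mapped to, or None when no line matches."""
    wanted = lookup_name(login, domain, external_dc).lower()
    for unix, clients in entries:
        if any(c.lower() == wanted for c in clients):
            return unix
    return None


def unqualified(entries):
    """Client names without a DOMAIN prefix; the DC rule never matches them."""
    return [c for _, clients in entries for c in clients if "\\" not in c]


if __name__ == "__main__":
    for label, text in (("old", OLD_MAP), ("new", NEW_MAP)):
        entries = parse_map(text)
        print(label, "local:", resolve(entries, "pnmadm09", "americase", False),
              "| domain:", resolve(entries, "pnmadm09", "americase", True),
              "| unqualified:", unqualified(entries))
```

Running `unqualified()` over an existing map before moving a server to a domain controller lists the entries that will silently stop mapping.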