Bug 3982 - after upgrade to 3.0.23a - problem if local username = domain user name
Summary: after upgrade to 3.0.23a - problem if local username = domain user name
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.23a
Hardware: Other Windows XP
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-01 10:51 UTC by Terry
Modified: 2006-08-22 11:20 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Terry 2006-08-01 10:51:49 UTC
I have samba 3.0.23a running on gentoo linux with AD domain authentication.
I have smbusers set up and some of domain users mapped to local users.

After the upgrade from 3.0.23 it seems that samba gets confused who the domain user is in case when domain username is the same as local's.

relevant samba log entry:

[2006/08/01 16:48:17, 1] smbd/service.c:make_connection_snum(941)
  10.0.0.35 (10.0.0.35) connect to service leszek initially as user leszek (uid=45085, gid=45001) (pid 29943)

leszek is local username. domain one was DOMAIN\leszek which is mapped to leszek in smbusers.

it seems that uid that is assigned comes from domain ids and not from local ids.
Comment 1 Jeremy Allison 2006-08-01 12:18:49 UTC
Can you post your smb.conf and more details on your setup please.
Jeremy.
Comment 2 Terry 2006-08-02 03:53:39 UTC
ok here it goes:

[global]
        dos charset = 852
        unix charset = ISO8859-2
        display charset = ISO8859-2
        workgroup = WORKGROUP
        realm = DOMAINNAME
        security = ADS
        map to guest = Bad User
        password server = PASSSERVER
        username map = /etc/samba/smbusers
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 50
        unix extensions = No
        max open files = 1000
        socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
        load printers = No
        ldap ssl = no
        idmap uid = 45000-60000
        idmap gid = 45000-60000
        comment = Linux Samba server
        case sensitive = No

[homes]
        comment = Katalog domowy
        read only = No
        browseable = No

[samba]
        comment = samba mia
        path = /opt/samba
        admin users = doli
        read only = No
        guest ok = Yes

[archive]
        comment = Archive
        path = /big/archive
        valid users = @archive, DOMAIN\name, DOMAIN\name...
        admin users = doli, leszek
        force group = archive
        read only = No
        create mask = 0740
        force create mode = 0740
        browseable = No

and part of smbusers:

doli = DOMAIN\bartek
leszek = DOMAIN\leszek
wuda = DOMAIN\karol

these users in local group 'archive' (/etc/group)

before the change the way it worked:

- domain users that are in valid users list are not mapped to local users. they just get access to archive.
- domain user karol gets mapped to local user wuda, gets archive group assigned, therefore he gets access to archive
- domain user bartek gets connected as local user doli, gets archive group assigned, becomes admin of archive
- domain user leszek gets connected as local user leszek, gets archive group assigned and becomes admin of archive

now, the latest option stopped working.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-08-04 12:38:11 UTC
I think this is fixed in 3.0.23b (to be relese soon).
Please test the current SAMBA_3_0_RELEASE svn branch if possible.
Also available at rsync://rsync.samba.org/ftp/unpacked/samba_3_0_release
Comment 4 Terry 2006-08-17 12:16:30 UTC
i have tested last release (b)

the problem seems to go away BUT there is a new one!

it seems that the part allowing local user group to access archive does not work anymore.

doli is in local group archive, and is being mapped from domain user bartek.
doli is allowed to access to archive (@archive) + he is admin user of that share.

but it stopped working properly.
i have to put allow = doli to let doli log in.

if i don't - i get 'user doli is not permitted to access this share' error.

any ideas?
Comment 5 Gerald (Jerry) Carter (dead mail address) 2006-08-22 11:20:50 UTC
Please see the patch at 
http://www.samba.org/~jerry/patches/samba-3.0.23b-lookup_name_smbconf_v3.patch