Bug 4415 - Long usernames mapping in the username.map
Summary: Long usernames mapping in the username.map
Status: NEW
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.24
Hardware: Sparc Solaris
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2007-02-26 09:41 UTC by Martin Kraemer
Modified: 2007-02-26 09:45 UTC (History)
0 users

See Also:

Patch to map long usernames in "security=domain" mode (799 bytes, patch)
2007-02-26 09:45 UTC, Martin Kraemer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Kraemer 2007-02-26 09:41:43 UTC
When long usernames are used, Samba IMO fails to map them in all situations to/from their local representation. A customer of ours reported such a problem in a Samba "as Domain client" environment ("security = domain") using a WINDOWS2003-PDC. All users with names shorter than 9 characters had no problem authenticating, but all users with names longer than 8 chars were rejected by the PDC (Samba error NT_STATUS_NO_SUCH_USER).
Since I have no PDC under my conbtrol, I tried it with "security = server", but then Samba authenticates correctly using the mapped user name (verified using tcpdump).

As a workaround, I suggested to the customer to add the username to username.map _including the domain name_, i.e., 
--snip-- username.map:
which fixed it for him.

But perhaps the following patch would also fix the problem in Samba:
--- samba-3.0.24.orig/source/auth/auth_util.c   2007-02-04 19:59:14.000000000 +0100
+++ samba-3.0.24/source/auth/auth_util.c        2007-02-26 11:19:55.736309000 +0100
@@ -1596,6 +1596,10 @@ struct passwd *smb_getpwnam( TALLOC_CTX 
                fstrcpy( strip_username, p );
                fstrcpy( username, strip_username );
+#if 1 /* Think of a "username = LONGUSERNAME" mapping in the username.map (for DOM\LONGUSERNAME) */
+               /* The name as used for SAM authentication may have been mapped locally */
+               map_username(username);
        /* just lookup a plain username */
Comment 1 Martin Kraemer 2007-02-26 09:45:46 UTC
Created attachment 2310 [details]
Patch to map long usernames in "security=domain" mode

I am unsure if this is a user/configuration or a documentation problem. Are users supposed to add the domain name to username.map mappings, or should Samba imply the domain when mapping the user names?
If the domain should always be present in username.map, then the docs should make this clearer.