When using Kerberos authentication from a Windows 2000 workstation, the add user script is not called and the attempt to connect to Samba fails with a "Username xxxxxxx is invalid on this system" error (xxxxx = the user name) if the user does not exist in the /etc/passwd file. This error is from smbd/sesssetup.c:reply_spnego_kerberos(218). Looking at the source, it calls Get_Pwnam(user) to see if the user is in the /etc/passwd file. If this fails, no attempt is made to add the user via the add user script. The Kerberos authentication was successful - the client did get a ticket and all user information was found from the ADS domain controller. Other authentication methods work fine with the add user script.
I am experiencing the same errors, but if I access the Samba machine using its IP address (or the DNS name, if it is different from the NetBIOS name) rather than the NetBIOS name, the add user script is called normally, and the user is allowed access to the Samba shares.
I attempted to connect using the IP address as indicated in Lorentz Shyu's comments. The add user script worked, but looking at the debug trace, it worked because when connecting with the IP address, Samba was using NTLM authentication, not Kerberos. No Kerberos ticket was issued.
I have tested this against rc4 - same results.
Created attachment 147: Possible patch for Add User script problem. I have experimented with the attached patch. It is code borrowed from srv_samr_nt.c that adds the user to /etc/passwd if the user does not exist. This should be reviewed by someone who is more familiar with the authentication procedure than I am - while it seems to solve my particular issue, I don't know how it would affect other authentication methods, and there may be a better place in the code to address this issue. ** USE AT YOUR OWN RISK **
Created attachment 305: Proposed patch. I prefer this. Can you check if this fixes the problem? Jeremy.
I think this patch fixes the problem. Please re-open if not. Jeremy.
I have tested the new patch on 3.0.1rc1 on Debian Woody. While it does add the user's account to /etc/passwd, it also adds the computer that the user is currently connecting from to /etc/passwd. For example, if the user's login is foo, and he's connecting from a computer named fubar, I'll get both a password entry for foo and one for fubar$ added to /etc/passwd. rpc_server/srv_samr_nt.c has an example of where a check is done before calling the add user script to determine if the name is a computer trust account by looking for a $ at the end of the name.
Added machine account check. Jeremy.
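As an added illustration (not the patch attached to this bug and not Samba's own code), this is the decision the fixed Kerberos session-setup path has to make, including the machine-account check described above; decide_add_user and is_machine_account are hypothetical names, and the sample names foo and fubar$ are taken from the report.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What the Kerberos session-setup path should do with a mapped user name. */
enum add_user_action {
    ACTION_USE_EXISTING,   /* already in /etc/passwd: continue with the session */
    ACTION_RUN_ADD_SCRIPT, /* missing and a real user: invoke the add user script */
    ACTION_SKIP_MACHINE,   /* missing but a machine trust account (trailing '$') */
    ACTION_REJECT          /* empty or missing name: refuse the session */
};

/* Samba names computer trust accounts with a trailing '$' (foo vs. fubar$). */
static bool is_machine_account(const char *name)
{
    size_t len = strlen(name);
    return len > 0 && name[len - 1] == '$';
}

/* Pure decision logic: the passwd lookup result is passed in so the function
 * can be exercised without depending on the host's real account database. */
enum add_user_action decide_add_user(const char *name, bool found_in_passwd)
{
    if (name == NULL || name[0] == '\0')
        return ACTION_REJECT;
    if (found_in_passwd)
        return ACTION_USE_EXISTING;
    if (is_machine_account(name))
        return ACTION_SKIP_MACHINE;
    return ACTION_RUN_ADD_SCRIPT;
}

/* Live variant: consults the system passwd database with getpwnam(3), which is
 * the lookup Get_Pwnam() performs in the thread above. */
enum add_user_action decide_add_user_live(const char *name)
{
    bool found = (name != NULL) && getpwnam(name) != NULL;
    return decide_add_user(name, found);
}

int main(void)
{
    /* Constructed sample input: the user and the workstation name from the report. */
    const char *names[] = { "foo", "fubar$", "root" };
    static const char *labels[] = { "use existing", "run add user script",
                                    "skip machine account", "reject" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s -> %s\n", names[i], labels[decide_add_user_live(names[i])]);
    return 0;
}
```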
Originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.