The Samba-Bugzilla – Bug 445
Add user script is not called when kerberos authentication is used
Last modified: 2005-08-24 10:24:37 UTC
When using Kerberos authentication from a Windows 2000 workstation, the add
user script is not called and the attempt to connect to samba fails with
a "Username xxxxxxx is invalid on this system" error (xxxxx=the user name) if
the user does not exist in the /etc/passwd file. This error is from
smbd/sesssetup.c:reply_spnego_kerberos(218). Looking at the source, it calls
Get_Pwnam(user) to see if the user is in the /etc/passwd file. If this fails,
no attempt is made to add the user via the add user script. The Kerberos
authentication was successful - the client did get a ticket and all user
information was found from the ADS domain controller. Other authentication
methods work fine with the add user script.
I am experiencing the same errors, but if I access the samba machine using its
IP address (or the DNS name, if it is different from the NetBIOS name) rather
than the NetBIOS name, the add user script is called normally, and the user is
allowed access to the samba shares.
I attempted to connect using the IP address as indicated in Lorentz Shyu's
comments. The add user script worked, but looking at the debug trace, it worked
because when connecting with the IP address, samba was using NTLM
authentication, not Kerberos. No Kerberos ticket was issued.
I have tested this against Rc4 - same results.
Created attachment 147 [details]
Possible patch for Add User script problem
I have experimented with the attached patch. It is code borrowed from
srv_samr_nt.c that adds the user to /etc/passwd if the user does not exist.
This should be reviewed by someone who is more familiar with the authentication
procedure than I am - while it seems to solve my particular issue, I don't
know how it would affect other authentication methods, and there may be a
better place in the code to address this issue.
** USE AT YOUR OWN RISK **
Created attachment 305 [details]
I prefer this. Can you check if this fixes the problem?
I think this patch fixes the problem. Please re-open if not.
I have tested the new patch on 3.0.1rc1 on Debian Woody. While it does add the
user's account to /etc/passwd, it also adds the computer that the user is
currently connecting from to /etc/passwd also.
For example, if the user's login is foo, and he's connecting from a computer
named fubar, I'll get both a password entry for foo and one for fubar$ added to
rpc_server/srv_samr_nt.c has an example of where a check is done before calling
the add user script to determine if the name is a computer trust account by
looking for a $ at the end of the name.
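The decision logic the comment above describes (look the name up in the local account database first, and never run the add user script for a machine trust account whose name ends in `$`), written out as an added example. This is not Samba's code and not the attached patch: `should_run_add_user_script`, `is_machine_account` and the `user_exists_fn` callback are hypothetical names, and `constructed_exists` is a stand-in for Samba's `Get_Pwnam` lookup backed by a constructed two-entry table so the example runs without touching the real /etc/passwd; `passwd_has_user` shows the same lookup via the standard `getpwnam`.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lookup callback type (hypothetical): returns true if the account exists locally. */
typedef bool (*user_exists_fn)(const char *name);

/* A machine trust account is the NetBIOS computer name with a trailing '$',
   e.g. "fubar$". A bare "$" is not treated as a machine account. */
bool is_machine_account(const char *name)
{
    size_t len = strlen(name);
    return len > 1 && name[len - 1] == '$';
}

/* Decide whether the add user script should run for an authenticated principal.
   Returns true only for a real user name that is not yet in the local database. */
bool should_run_add_user_script(const char *name, user_exists_fn exists)
{
    if (name == NULL || *name == '\0')
        return false;
    if (is_machine_account(name))   /* do not create an /etc/passwd entry for fubar$ */
        return false;
    if (exists(name))               /* already present, nothing to add */
        return false;
    return true;
}

/* Real lookup against the system password database, for stand-alone use. */
bool passwd_has_user(const char *name)
{
    return getpwnam(name) != NULL;
}

/* Constructed sample database standing in for Get_Pwnam: only these names exist. */
bool constructed_exists(const char *name)
{
    static const char *const known[] = { "alice", "bob" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i], name) == 0)
            return true;
    return false;
}

int main(void)
{
    const char *names[] = { "foo", "fubar$", "alice", "$" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s -> %s\n", names[i],
               should_run_add_user_script(names[i], constructed_exists)
                   ? "run add user script" : "skip");
    return 0;
}
```

With the constructed table, `foo` is the only name that triggers the script: `fubar$` is rejected as a machine account before any lookup happens, `alice` already exists, and the degenerate `$` is skipped because it is neither a machine account nor a known user (it would fall through to the lookup and be added unless the lookup rejects it, so a caller should validate names before reaching this point).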
Added machine account check.
Originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.