Bug 445 - Add user script is not called when kerberos authentication is used
Summary: Add user script is not called when kerberos authentication is used
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0preX
Hardware: Other Linux
Importance: P3 normal
Target Milestone: none
Assignee: Jeremy Allison
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
Reported: 2003-09-12 07:37 UTC by Duane Rezac
Modified: 2005-08-24 10:24 UTC

See Also:


Attachments
Possible patch for Add User script problem (1.03 KB, patch) - 2003-09-17 09:57 UTC, Duane Rezac
Proposed patch. (1.08 KB, patch) - 2003-12-05 18:32 UTC, Jeremy Allison

Description Duane Rezac 2003-09-12 07:37:36 UTC
When using Kerberos authentication from a Windows 2000 workstation, the add user script is not called and the attempt to connect to Samba fails with a "Usernanme xxxxxxx is invalid on this system" error (xxxxx = the user name) if the user does not exist in the /etc/passwd file. This error is from smbd/sesssetup.c:reply_spnego_kerberos(218). Looking at the source, it calls Get_Pwnam(user) to see if the user is in the /etc/passwd file. If this fails, no attempt is made to add the user via the add user script. The Kerberos authentication was successful - the client did get a ticket and all user information was found from the ADS domain controller. Other authentication methods work fine with the add user script.
Comment 1 Lorentz Shyu 2003-09-12 14:59:25 UTC
I am experiencing the same errors, but if I access the samba machine using its
IP address (or the DNS name, iff it is different from the netbios name) rather
than the netbios name, the add user script is called normally, and the user is
allowed access to the samba shares.
Comment 2 Duane Rezac 2003-09-15 10:17:59 UTC
I attempted to connect using the IP address as indicated in Lorentz Shyu's comments. The add user script worked, but looking at the debug trace, it worked because when connecting with the IP address, Samba was using NTLM authentication, not Kerberos. No Kerberos ticket was issued.

Comment 3 Duane Rezac 2003-09-16 09:27:29 UTC
I have tested this against RC4 - same results.
Comment 4 Duane Rezac 2003-09-17 09:57:51 UTC
Created attachment 147 [details]
Possible patch for Add User script problem

I have experimented with the attached patch. It is code borrowed from srv_samr_nt.c that adds the user to /etc/passwd if the user does not exist. This should be reviewed by someone who is more familiar with the authentication procedure than I am - while it seems to solve my particular issue, I don't know how it would affect other authentication methods, and there may be a better place in the code to address this issue.

** USE AT YOUR OWN RISK **
Comment 5 Jeremy Allison 2003-12-05 18:32:48 UTC
Created attachment 305 [details]
Proposed patch.

I prefer this. Can you check if this fixes the problem ?
Jeremy.
Comment 6 Jeremy Allison 2003-12-05 18:34:25 UTC
I think this patch fixes the problem. Please re-open if not.
Jeremy.
Comment 7 Duane Rezac 2003-12-09 07:49:31 UTC
I have tested the new patch on 3.0.1rc1 on Debian Woody. While it does add the user's account to /etc/passwd, it also adds the computer that the user is currently connecting from to /etc/passwd.
For example, if the user's login is foo, and he's connecting from a computer named fubar, I'll get both a password entry for foo and one for fubar$ added to /etc/passwd.
rpc_server/srv_samr_nt.c has an example of where a check is done before calling the add user script to determine if the name is a computer trust account by looking for a $ at the end of the name.
Comment 8 Jeremy Allison 2003-12-09 10:34:32 UTC
Added machine account check.
Jeremy.
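The following is an added illustration of the decision sequence discussed in comments 7 and 8, not code from Samba or from either patch: after a successful Kerberos logon, the Unix account lookup fails, the add user script is consulted, and machine trust accounts (names ending in "$") are skipped. The passwd table, the script template and the principal parsing are constructed stand-ins.

```python
"""Constructed model of the session-setup path described in this bug.
Not Samba code: PASSWD, ADD_USER_SCRIPT and the helpers are made up."""
import shlex

# Constructed stand-in for /etc/passwd: only these Unix accounts exist.
PASSWD = {"root", "alice"}

# Assumed smb.conf "add user script" template; %u is the user name.
ADD_USER_SCRIPT = "/usr/sbin/useradd -m %u"


def is_machine_account(name: str) -> bool:
    """Machine trust accounts end in '$' (e.g. 'fubar$'); no Unix user
    should be created for them, which is the check comment 7 asks for."""
    return name.endswith("$")


def principal_to_user(principal: str) -> str:
    """Strip the realm from 'foo@EXAMPLE.COM' (constructed parsing)."""
    return principal.split("@", 1)[0]


def run_add_user_script(user: str, passwd: set) -> list:
    """Stand-in for running the script: build argv with the user name
    shell-quoted, then 'create' the account in the constructed table."""
    argv = shlex.split(ADD_USER_SCRIPT.replace("%u", shlex.quote(user)))
    passwd.add(user)
    return argv


def kerberos_session_setup(principal: str, passwd: set, fixed: bool) -> tuple:
    """Return (outcome, argv-or-None) for an already-verified Kerberos logon.
    fixed=False models the reported behaviour (the lookup failure is final);
    fixed=True models the patched path with the machine-account check."""
    user = principal_to_user(principal)
    if user in passwd:                      # Get_Pwnam() succeeded
        return ("ok", None)
    if not fixed:
        return ("invalid user", None)       # the error from the report
    if is_machine_account(user):
        return ("machine account", None)    # comment 7: do not add fubar$
    argv = run_add_user_script(user, passwd)
    return ("ok" if user in passwd else "invalid user", argv)
```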
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:05:41 UTC
Originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 10 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:24:37 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.