Bug 445 - Add user script is not called when kerberos authentication is used
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Other Linux
: P3 normal
: none
Assigned To: Jeremy Allison
Depends on:
Reported: 2003-09-12 07:37 UTC by Duane Rezac
Modified: 2005-08-24 10:24 UTC

See Also:

Possible patch for Add User script problem (1.03 KB, patch), 2003-09-17 09:57 UTC, Duane Rezac
Proposed patch. (1.08 KB, patch), 2003-12-05 18:32 UTC, Jeremy Allison

Description Duane Rezac 2003-09-12 07:37:36 UTC
When using Kerberos authentication from a Windows 2000 workstation, the add
user script is not called and the attempt to connect to samba fails with
a "Username xxxxxxx is invalid on this system" error (xxxxx=the user name) if
the user does not exist in the /etc/passwd file. This error is from
smbd/sesssetup.c:reply_spnego_kerberos(218). Looking at the source, it calls
Get_Pwnam(user) to see if the user is in the /etc/passwd file. If this fails,
no attempt is made to add the user via the add user script. The kerberos
authentication was successful - the client did get a ticket and all user
information was found from the ADS domain controller. Other authentication
methods work fine with the add user script.
Comment 1 Lorentz Shyu 2003-09-12 14:59:25 UTC
I am experiencing the same errors, but if I access the samba machine using its
IP address (or the DNS name, iff it is different from the netbios name) rather
than the netbios name, the add user script is called normally, and the user is
allowed access to the samba shares.
Comment 2 Duane Rezac 2003-09-15 10:17:59 UTC
I attempted to connect using the IP address as indicated in Lorentz Shyu's
comments. The add user script worked, but looking at the debug trace, it worked
because when connecting with the IP address, samba was using ntlm
authentication, not kerberos. No kerberos ticket was issued.

Comment 3 Duane Rezac 2003-09-16 09:27:29 UTC
I have tested this against rc4 - same results.
Comment 4 Duane Rezac 2003-09-17 09:57:51 UTC
Created attachment 147
Possible patch for Add User script problem

I have experimented with the attached patch. It is code borrowed from
srv_samr_nt.c that adds the user to /etc/passwd if the user does not exist.
This should be reviewed by someone who is more familiar with the authentication
procedure than I am - while it seems to solve my particular issue, I don't
know how it would affect other authentication methods, and there may be a
better place in the code to address this issue.

Comment 5 Jeremy Allison 2003-12-05 18:32:48 UTC
Created attachment 305
Proposed patch.

I prefer this. Can you check if this fixes the problem?
Comment 6 Jeremy Allison 2003-12-05 18:34:25 UTC
I think this patch fixes the problem. Please re-open if not.
Comment 7 Duane Rezac 2003-12-09 07:49:31 UTC
I have tested the new patch on 3.0.1rc1 on Debian Woody. While it does add the
user's account to /etc/passwd, it also adds the computer that the user is
currently connecting from to /etc/passwd.
For example, if the user's login is foo, and he's connecting from a computer
named fubar, I'll get both a password entry for foo and one for fubar$ added to
rpc_server/srv_samr_nt.c has an example of where a check is done before calling
the add user script to determine if the name is a computer trust account by
looking for a $ at the end of the name.
Comment 8 Jeremy Allison 2003-12-09 10:34:32 UTC
Added machine account check.
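Added example (not code from either attachment or from Samba itself) of the decision path comments 7 and 8 describe: after Kerberos has accepted the principal, look the name up locally, refuse to create a machine trust account (trailing '$'), and only then expand the 'add user script' template and run it. The passwd table and script runner below are constructed stand-ins so it runs offline; a real build would use getpwnam() and Samba's script runner.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef bool (*exists_fn)(const char *name); /* assumed hook: local lookup */
typedef int  (*run_fn)(const char *cmd);     /* assumed hook: script runner */

/* Machine trust accounts end in '$' (e.g. "fubar$"); a bare "$" is not one. */
bool is_machine_account(const char *name) {
    size_t n = strlen(name);
    return n > 1 && name[n - 1] == '$';
}

/* Expand the "%u" token of an 'add user script' template into out[]. */
int build_add_user_cmd(const char *tmpl, const char *user, char *out, size_t cap) {
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *piece = p; size_t plen = 1;
        if (p[0] == '%' && p[1] == 'u') { piece = user; plen = strlen(user); p++; }
        if (o + plen >= cap) return -1;      /* would overflow out[] */
        memcpy(out + o, piece, plen); o += plen;
    }
    out[o] = '\0';
    return 0;
}

/* 0 = account already present, 1 = script created it, -1 = refused or failed. */
int ensure_local_user(const char *user, const char *tmpl, exists_fn exists, run_fn run) {
    if (exists(user)) return 0;
    if (is_machine_account(user)) return -1;  /* the fubar$ case from comment 7 */
    char cmd[256];
    if (build_add_user_cmd(tmpl, user, cmd, sizeof cmd) != 0) return -1;
    if (run(cmd) != 0) return -1;
    return exists(user) ? 1 : -1;             /* re-check, as smbd must */
}

/* Constructed stand-in for /etc/passwd and for the add user script. */
static char fake_passwd[8][32] = { "root", "nobody" };
static int fake_count = 2;

bool fake_exists(const char *name) {
    for (int i = 0; i < fake_count; i++)
        if (strcmp(fake_passwd[i], name) == 0) return true;
    return false;
}

int fake_run(const char *cmd) {              /* accepts "/usr/sbin/useradd NAME" */
    if (strncmp(cmd, "/usr/sbin/useradd ", 18) != 0 || fake_count >= 8) return 1;
    snprintf(fake_passwd[fake_count++], 32, "%s", cmd + 18);
    return 0;
}
```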
Comment 9 Gerald (Jerry) Carter 2005-02-07 09:05:41 UTC
Originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 10 Gerald (Jerry) Carter 2005-08-24 10:24:37 UTC
Sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.