5035 – Username Mapping is Broken

Bug 5035 - Username Mapping is Broken

Summary: Username Mapping is Broken

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	User/Group Accounts (show other bugs)
Version:	3.0.23a
Hardware:	Sparc Windows XP

Importance:	P3 major
Target Milestone:	none
Assignee:	Gerald (Jerry) Carter (dead mail address)
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2007-10-23 07:27 UTC by Joel Silverstein
Modified:	2007-10-23 17:03 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Joel Silverstein 2007-10-23 07:27:02 UTC

The user name mapping function in version is broken.
In version 2.2.8 samba used the users.map file to map the UNIX name to the Windows name.

In version 3, the file does not work. Samba does not validate the user. It asks for a user name and password and no combination of user name and password works.

Comment 1 Gerald (Jerry) Carter (dead mail address) 2007-10-23 08:53:04 UTC

Please make sure to read the section on username mapping in 
the WHATSNEW.txt.  I do not see any unexpected failure cases
regarding username maps or the username map script options.

Comment 2 Joel Silverstein 2007-10-23 09:37:06 UTC

I have looked at WHATSNEW.txt. There is no specific section on username mapping. The documentation I can find says that the "username mapping" variable in smb.conf is still supported. I can find no way to map a pc id to a unix id without samba asking for a username and passwod when trying to connect to a share.

Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-10-23 09:44:50 UTC

Maybe this doesn't pertain to you but there certainly is information in 
the release notes about username mapping.  From the section regarding 
Samba 3.0.8:

======================
Change in Username Map
======================

Previous Samba releases would only support reading the fully qualified
username (e.g. DOMAIN\user) from the username map when performing a
Kerberos login from a client.  However, when looking up a map
entry for a user authenticated by NTLM[SSP], only the login name would be
used for matches.  This resulted in inconsistent behavior sometimes
even on the same server.

Samba 3.0.8 obeys the following rules when applying the username
map functionality:

  * When performing local authentication, the username map is
    applied to the login name before attempting to authenticate
    the connection.
  * When relying upon a external domain controller for validating
    authentication requests, smbd will apply the username map
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated.

.....

In any case, there's not enough information in your original report to 
make an educated guess on.  Please attach your smb.conf file at a minimum.

Comment 4 Joel Silverstein 2007-10-23 17:03:24 UTC

I changed the map file to DOMAIN\userid and that fixed the problem.
Thanks for the help.
Joel Silverstein