Bug 698 - secutity=ads - Problem with username map
secutity=ads - Problem with username map
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
3.0.0
All Linux
: P3 normal
: 3.0.1
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-10-30 04:52 UTC by maurer
Modified: 2005-11-14 09:29 UTC (History)
0 users

See Also:


Attachments
apply username map to krb logins (1.20 KB, patch)
2003-11-04 19:41 UTC, Gerald (Jerry) Carter
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description maurer 2003-10-30 04:52:27 UTC
I have successfully joined a samba 3.0.1rc server with security=ads to a W2k
AD-Server.
Connecting to a share works fine.
Our testuser has in AD a differnt username than on Unix (NIS)
Therefore we use a username map.
this is the log when connecting to the share
 NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
[2003/10/30 08:34:38, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
 Got user=[maurerh] domain=[DLR] workstation=[ADRMPC042] len1=24 len2=24

When I try to connect to the computer
with the MS Snap-In "Admin-Computer" (Computer verwalten in german)
access is denied and samba logs the following:

NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
 Got OID 1 2 840 48018 1 2 2
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
 Got OID 1 2 840 113554 1 2 2
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
 Got secblob of size 1270
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
 Ticket name is [maurerh@INTRA.DLR.DE]
[2003/10/29 16:34:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
 Username maurerh is invalid on this system
[2003/10/29 16:34:42, 3] smbd/error.c:error_packet(94)


If I create the local user maurerh on the linux machine
it works and i can connect. 

[root@rmcs01 pam.d]# more /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
maurer = maurerh

[root@rmcs01 /root]# testparm | grep map

        username map = /etc/samba/smbusers
        map archive = No
Comment 1 Gerald (Jerry) Carter 2003-11-04 19:41:02 UTC
marked against 3.0.1pre1.  Patch uploaded.  Please test and 
let me know.  Thanks.
Comment 2 Gerald (Jerry) Carter 2003-11-04 19:41:33 UTC
Created attachment 239 [details]
apply username map to krb logins
Comment 3 Gerald (Jerry) Carter 2003-11-06 09:26:15 UTC
I'm pretty sure this is ok.  CHecking it in to CVS
since I'm an impatient person and like to close out bugs.
:-)
Comment 4 Sridhar Pammu 2003-11-12 04:54:18 UTC
I believe that this bug has not quite been fixed yet.

The patch of 2003-11-04 (now incorporated into samba-3.0.1pre2) does attempt
to map the user, but it fails to strip the lp_winbind_separator from the
mapped username.

Changing line 975 (of 3.0.1pre2) from

        fstrcpy( mapped_username, p );
to
        fstrcpy( mapped_username, p+1 );

should resolve this problem.

Comment 5 Sridhar Pammu 2003-11-12 04:59:13 UTC
Forgot to add above, the file in question is auth/auth_util,c, and
the function is smb_getpwnam.
Comment 6 Gerald (Jerry) Carter 2003-11-12 05:51:26 UTC
This was my goof.  Already fixed in the CVS tree 
(a few hours after 3.01.pre2).  Sorry.
Comment 7 Gerald (Jerry) Carter 2005-08-24 10:18:57 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 8 Gerald (Jerry) Carter 2005-11-14 09:29:28 UTC
database cleanup