Bug 698 - secutity=ads - Problem with username map
Summary: secutity=ads - Problem with username map
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.0
Hardware: All Linux
: P3 normal
Target Milestone: 3.0.1
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-10-30 04:52 UTC by maurer
Modified: 2005-11-14 09:29 UTC (History)
0 users

See Also:

Attachments
apply username map to krb logins (1.20 KB, patch)
2003-11-04 19:41 UTC, Gerald (Jerry) Carter (dead mail address) 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description maurer 2003-10-30 04:52:27 UTC 
I have successfully joined a samba 3.0.1rc server with security=ads to a W2k
AD-Server.
Connecting to a share works fine.
Our testuser has in AD a differnt username than on Unix (NIS)
Therefore we use a username map.
this is the log when connecting to the share
 NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
[2003/10/30 08:34:38, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
 Got user=[maurerh] domain=[DLR] workstation=[ADRMPC042] len1=24 len2=24

When I try to connect to the computer
with the MS Snap-In "Admin-Computer" (Computer verwalten in german)
access is denied and samba logs the following:

NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
 Got OID 1 2 840 48018 1 2 2
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
 Got OID 1 2 840 113554 1 2 2
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
 Got secblob of size 1270
[2003/10/29 16:34:42, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
 Ticket name is [maurerh@INTRA.DLR.DE]
[2003/10/29 16:34:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
 Username maurerh is invalid on this system
[2003/10/29 16:34:42, 3] smbd/error.c:error_packet(94)


If I create the local user maurerh on the linux machine
it works and i can connect. 

[root@rmcs01 pam.d]# more /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
maurer = maurerh

[root@rmcs01 /root]# testparm | grep map

        username map = /etc/samba/smbusers
        map archive = No
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-11-04 19:41:02 UTC 
marked against 3.0.1pre1.  Patch uploaded.  Please test and 
let me know.  Thanks.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-11-04 19:41:33 UTC 
Created attachment 239 [details]
apply username map to krb logins
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-11-06 09:26:15 UTC 
I'm pretty sure this is ok.  CHecking it in to CVS
since I'm an impatient person and like to close out bugs.
:-)
Comment 4 Sridhar Pammu 2003-11-12 04:54:18 UTC 
I believe that this bug has not quite been fixed yet.

The patch of 2003-11-04 (now incorporated into samba-3.0.1pre2) does attempt
to map the user, but it fails to strip the lp_winbind_separator from the
mapped username.

Changing line 975 (of 3.0.1pre2) from

        fstrcpy( mapped_username, p );
to
        fstrcpy( mapped_username, p+1 );

should resolve this problem.
Comment 5 Sridhar Pammu 2003-11-12 04:59:13 UTC 
Forgot to add above, the file in question is auth/auth_util,c, and
the function is smb_getpwnam.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2003-11-12 05:51:26 UTC 
This was my goof.  Already fixed in the CVS tree 
(a few hours after 3.01.pre2).  Sorry.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:18:57 UTC 
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:29:28 UTC 
database cleanup