Bug 722 - Winbind only resolves machine accounts when a £-sign is added
Summary: Winbind only resolves machine accounts when a £-sign is added
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.0
Hardware: All other
: P2 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
Depends on:
Blocks: 807
  Show dependency treegraph
Reported: 2003-11-06 02:58 UTC by Eivind Trondsen
Modified: 2005-11-14 09:25 UTC (History)
1 user (show)

See Also:

Remove $ termination checks (3.67 KB, patch)
2003-11-10 16:50 UTC, Andrew Bartlett
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eivind Trondsen 2003-11-06 02:58:16 UTC
This happens: 
[root@cvs root]#  getent passwd CVS$ 
[root@cvs root]#  getent passwd CVS$£ 
[root@cvs root]# 
I stumbled across this because I made a typo!!  :-) 
I have Samba 3.0.0 running on "CVS", a RedHat 9 system, as a domain member. 
The domain is OFFICE.CARROT.NO. The domain controller is a Windows 2000 SP3 box called 
MAILSERVER. CVS has UTF8 disabled (.UTF8 removed in /etc/sysconfig/i18n), but enabeling it 
does not change the behavior. 
I stumbled across the problem when I tried to set up Backup Exec, which seems to 
authenticate with machine accounts. 
I can reproduce the error on another system, which has a simmilar role in another network. 
That system is running RedHat 8. 
My smb.conf on CVS looks like this: 
   workgroup = OFFICE 
   realm = OFFICE.CARROT.NO 
   server string = CVS Server 
   load printers = no 
   log file = /var/log/samba/log.%m 
   log level = 5 
   max log size = 50 
   security = ads 
   password server = 
   encrypt passwords = yes 
   unix password sync = yes 
   winbind separator = / 
   winbind use default domain = yes 
   winbind uid = 10000-20000 
   winbind gid = 90000-99000 
   winbind enum users = yes 
   winbind enum groups = yes 
   template homedir = /tmp 
   template shell = /bin/bash 
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 
   local master = no 
   os level = 2 
   domain master = no 
   dns proxy = no 
   path = /home 
   comment = All CVS repositories 
   browsable = no 
   writable = no 
   force user = root 
   valid users = "OFFICE/Domain Admins" 
log.winbind gets the following events when I try getent passwd MAILSERVER$£, but the query 
still succeeds. 
[2003/11/06 11:53:55, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231) 
  [ 3892]: request interface version 
[2003/11/06 11:53:55, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267) 
  [ 3892]: request location of privileged pipe 
[2003/11/06 11:53:55, 5] nsswitch/winbindd.c:winbind_client_read(462) 
  read failed on sock 18, pid 3892: EOF 
[2003/11/06 11:53:55, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112) 
  [ 3892]: getpwnam MAILSERVER$£ 
[2003/11/06 11:53:55, 3] lib/charcnv.c:convert_string_allocate(444) 
  convert_string_allocate: Conversion error: Illegal multibyte sequence(£) 
[2003/11/06 11:53:55, 3] nsswitch/winbindd_ads.c:name_to_sid(312) 
  ads: name_to_sid 
[root@cvs root]# rpm -qi samba 
Name        : samba                        Relocations: /usr 
Version     : 3.0.0                             Vendor: (none) 
Release     : 2                             Build Date: Wed 01 Oct 2003 08:34:12 PM CEST 
Install Date: Wed 29 Oct 2003 08:40:36 AM CET      Build Host: rh9 
Group       : System Environment/Daemons    Source RPM: samba-3.0.0-2.src.rpm 
Size        : 46448667                         License: GNU GPL version 2 
Signature   : DSA/SHA1, Wed 01 Oct 2003 11:07:07 PM CEST, Key ID d7790a5f2f87af6f 
Packager    : Gerald Carter [Samba-Team] <jerry@samba.org> 
Summary     : The Samba SMB server.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-11-06 07:46:52 UTC
The current behavior is by design IIRC.  We'll probably have to 
add a new parameter to control the enumeration of machine 

Comment 2 Eivind Trondsen 2003-11-06 11:55:50 UTC
It is definetly a blocker wrt running Backup Exec. I had to create an account locally to work 
around it, which would have been very unpractical if the site was large. 
Could not the machine accounts just use UIDs from the user range? 
Is there any documentation of this design decision? 
Comment 3 Andrew Bartlett 2003-11-08 15:08:04 UTC
We are going to have to remove the 'don't show machine accounts' restriction. 
With kerberos logins allowing machines to log in, we don't really have a choice.  
(Previously, NTLM logins were simply not possible for machines, so it made less
sense for it to work.)

I would also object to 'yet another parameter' for this, it really should just
be the default behaviour.

In answer to Eivind's question, we should indeed simply allocate uids for this
out of the UID pool.
Comment 4 Andrew Bartlett 2003-11-10 16:50:03 UTC
Created attachment 246 [details]
Remove $ termination checks

I havn't tested this patch, but it simply removes the various checks that would
have stopped accounts ending in $ from appearing.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2004-01-14 13:10:19 UTC
This fix has been checked in for 3.0.2rc1
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:22:01 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:25:47 UTC
database cleanup