This happens:

[root@cvs root]# getent passwd CVS$
[root@cvs root]# getent passwd CVS$£
CVS$£:x:10042:90013:cvs:/tmp:/bin/bash
[root@cvs root]#

I stumbled across this because I made a typo!! :-)

I have Samba 3.0.0 running on "CVS", a RedHat 9 system, as a domain member. The domain is OFFICE.CARROT.NO. The domain controller is a Windows 2000 SP3 box called MAILSERVER. CVS has UTF8 disabled (.UTF8 removed in /etc/sysconfig/i18n), but enabling it does not change the behavior.

I stumbled across the problem when I tried to set up Backup Exec, which seems to authenticate with machine accounts. I can reproduce the error on another system, which has a similar role in another network. That system is running RedHat 8.

My smb.conf on CVS looks like this:

[global]
workgroup = OFFICE
realm = OFFICE.CARROT.NO
server string = CVS Server
load printers = no
log file = /var/log/samba/log.%m
log level = 5
max log size = 50
security = ads
password server = 193.91.146.220
encrypt passwords = yes
unix password sync = yes
winbind separator = /
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 90000-99000
winbind enum users = yes
winbind enum groups = yes
template homedir = /tmp
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 2
domain master = no
dns proxy = no

[cvs-home$]
path = /home
comment = All CVS repositories
browsable = no
writable = no
force user = root
valid users = "OFFICE/Domain Admins"

-------------------------------------------------------------------------------------------------------

log.winbind gets the following events when I try getent passwd MAILSERVER$£, but the query still succeeds.
[2003/11/06 11:53:55, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [ 3892]: request interface version
[2003/11/06 11:53:55, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [ 3892]: request location of privileged pipe
[2003/11/06 11:53:55, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 18, pid 3892: EOF
[2003/11/06 11:53:55, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 3892]: getpwnam MAILSERVER$£
[2003/11/06 11:53:55, 3] lib/charcnv.c:convert_string_allocate(444)
  convert_string_allocate: Conversion error: Illegal multibyte sequence(£)
[2003/11/06 11:53:55, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid

------------------------------------------------------------------------------------------------------

[root@cvs root]# rpm -qi samba
Name        : samba                        Relocations: /usr
Version     : 3.0.0                             Vendor: (none)
Release     : 2                             Build Date: Wed 01 Oct 2003 08:34:12 PM CEST
Install Date: Wed 29 Oct 2003 08:40:36 AM CET      Build Host: rh9
Group       : System Environment/Daemons    Source RPM: samba-3.0.0-2.src.rpm
Size        : 46448667                         License: GNU GPL version 2
Signature   : DSA/SHA1, Wed 01 Oct 2003 11:07:07 PM CEST, Key ID d7790a5f2f87af6f
Packager    : Gerald Carter [Samba-Team] <jerry@samba.org>
Summary     : The Samba SMB server.
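
Added example, not part of the original report and not Samba code: a log check that pairs each winbindd getpwnam request with a charset conversion error that follows it, the pattern visible in the log.winbind excerpt above. The two-line entry layout (header line, indented message) and the names parse_entries and suspicious_lookups are assumptions of this example.

```python
import re

# Header of a Samba debug entry: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
GETPWNAM = re.compile(r"^\[\s*(?P<pid>\d+)\]: getpwnam (?P<name>.+)$")

# Last four entries from the report, re-wrapped as header + indented message
# (layout is an assumption; the page shows them on one line).
SAMPLE = """\
[2003/11/06 11:53:55, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 18, pid 3892: EOF
[2003/11/06 11:53:55, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 3892]: getpwnam MAILSERVER$£
[2003/11/06 11:53:55, 3] lib/charcnv.c:convert_string_allocate(444)
  convert_string_allocate: Conversion error: Illegal multibyte sequence(£)
[2003/11/06 11:53:55, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
"""

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.rstrip())
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def suspicious_lookups(entries, window=3):
    """getpwnam requests followed within `window` entries by a charset conversion error."""
    hits = []
    for i, e in enumerate(entries):
        m = GETPWNAM.match(e["msg"]) if e["func"] == "winbindd_getpwnam" else None
        if not m:
            continue
        for later in entries[i + 1:i + 1 + window]:
            if later["func"] == "convert_string_allocate" and "Conversion error" in later["msg"]:
                hits.append({"ts": e["ts"], "pid": int(m["pid"]), "name": m["name"],
                             "machine_like": "$" in m["name"], "error": later["msg"]})
                break
    return hits

if __name__ == "__main__":
    for hit in suspicious_lookups(parse_entries(SAMPLE)):
        print(hit)
```

The machine_like field marks names containing the "$" that machine accounts carry, so lookups like the one in this report stand out from ordinary user names with a bad byte.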
The current behavior is by design IIRC. We'll probably have to add a new parameter to control the enumeration of machine accounts.
It is definitely a blocker wrt running Backup Exec. I had to create an account locally to work around it, which would have been very unpractical if the site was large. Could not the machine accounts just use UIDs from the user range? Is there any documentation of this design decision?
We are going to have to remove the 'don't show machine accounts' restriction. With kerberos logins allowing machines to log in, we don't really have a choice. (Previously, NTLM logins were simply not possible for machines, so it made less sense for it to work.) I would also object to 'yet another parameter' for this, it really should just be the default behaviour. In answer to Eivind's question, we should indeed simply allocate uids for this out of the UID pool.
Created attachment 246
Remove $ termination checks

I haven't tested this patch, but it simply removes the various checks that would have stopped accounts ending in $ from appearing.
This fix has been checked in for 3.0.2rc1
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
database cleanup