When I log on as user 'dwoodhou' in the default domain (GER), cached credentials are added with the key 'dwoodhou'. When I then try to use ntlm_auth, it asks me for my password because it tries looking for cached credentials with the key 'GER\dwoodhou', and finds no match. (btw, should that be a hard-coded '\\'? The separator is configurable, isn't it?) This patch "fixes" it and perhaps highlights the problem more coherently than the above prose, but I'm not sure what this patch also breaks -- I assume this was conditional for a reason.

--- source3/winbindd/winbindd_pam.c~ 2010-06-18 13:01:04.000000000 +0100 +++ source3/winbindd/winbindd_pam.c 2010-07-26 12:11:23.657507372 +0100 @@ -1489,7 +1489,7 @@ enum winbindd_result winbindd_dual_pam_a parse_domain_user(mapped_user, name_domain, name_user); - if ( mapped_user != state->request->data.auth.user ) { + if ( 1 || mapped_user != state->request->data.auth.user ) { fstr_sprintf( domain_user, "%s\\%s", name_domain, name_user ); safe_strcpy( state->request->data.auth.user, domain_user, sizeof(state->request->data.auth.user)-1 );

[root@i7 dwoodhou]# grep '^[^#;]' /etc/security/pam_winbind.conf
[global]
debug = yes
debug_state = yes
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
mkhomedir = yes

[root@i7 dwoodhou]# grep winbind /etc/samba/smb.conf
winbind offline logon = true
winbind refresh tickets = true
# winbind separator = +
# winbind uid = 10000-20000
# winbind gid = 10000-20000
winbind cache time = 15000
# winbind enum users = yes
# winbind enum groups = yes
winbind use default domain = yes

[root@i7 dwoodhou]# rpm -q samba-winbind
samba-winbind-3.5.4-62.fc13.x86_64
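Review bot: the `1 ||` in the changed `if` line short-circuits the condition, so the `mapped_user != state->request->data.auth.user` comparison to its right is dead code and the rewrite now runs unconditionally; if unconditional canonicalization is the intent, delete the condition outright rather than leaving an always-true guard, and say in the commit message why the original pointer-inequality check existed (it presumably skipped the rewrite when username mapping left the name untouched, which is exactly the bare `dwoodhou` case the report says ends up uncached). The `fstr_sprintf( domain_user, "%s\\%s", name_domain, name_user );` line also hard-codes a backslash while the separator is configurable (the smb.conf dump below has `winbind separator = +` commented out), so with a non-default separator the key built here can still disagree with the one pam_winbind stored; build it from the configured separator instead.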
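To make the key mismatch in the report above concrete, here is a small stand-alone model of it. This is an added example, not Samba code: the toy cache, the buffer sizes and the function names are assumptions chosen to mirror the report's vocabulary (parse_domain_user, "winbind use default domain", the default domain GER). It shows the lookup missing when the login path stores the bare user name while ntlm_auth asks for "DOMAIN\user", hitting once both sides canonicalize to "DOMAIN<sep>user", and missing again when the separator is configured as '+' but the lookup side still formats with a hard-coded backslash.

```c
/*
 * Toy model of the cached-credential key mismatch described in the report.
 * Added example, not Samba code: cache, key format and names are assumptions.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 256
#define CACHE_SLOTS 8

static const char *default_domain = "GER";   /* assumed: the reporter's domain */

/* Split "DOMAIN<sep>user" into domain/user. A bare user name is assigned
 * default_domain only when use_default_domain is set (winbind use default
 * domain = yes). Case is folded so lookups do not depend on how it was typed. */
static void parse_domain_user(const char *in, char sep, bool use_default_domain,
                              char domain[NAME_LEN], char user[NAME_LEN])
{
    const char *p = strchr(in, sep);
    if (p != NULL) {
        size_t n = (size_t)(p - in);
        if (n >= NAME_LEN) n = NAME_LEN - 1;
        memcpy(domain, in, n);
        domain[n] = '\0';
        snprintf(user, NAME_LEN, "%s", p + 1);
    } else {
        snprintf(domain, NAME_LEN, "%s", use_default_domain ? default_domain : "");
        snprintf(user, NAME_LEN, "%s", in);
    }
    for (char *c = domain; *c; c++) *c = (char)toupper((unsigned char)*c);
    for (char *c = user; *c; c++)   *c = (char)tolower((unsigned char)*c);
}

/* The fixed behaviour: always rebuild the name as DOMAIN<sep>user with the
 * configured separator, whatever form the caller passed in. */
static void canonical_key(const char *in, char sep, bool use_default_domain,
                          char out[NAME_LEN])
{
    char domain[NAME_LEN], user[NAME_LEN];
    parse_domain_user(in, sep, use_default_domain, domain, user);
    if (domain[0] != '\0')
        snprintf(out, NAME_LEN, "%s%c%s", domain, sep, user);
    else
        snprintf(out, NAME_LEN, "%s", user);
}

/* Minimal in-memory stand-in for winbindd's credential cache (assumption). */
static char cache_keys[CACHE_SLOTS][NAME_LEN];
static int cache_count;

static void cache_reset(void) { cache_count = 0; }

static void cache_store(const char *key)
{
    if (cache_count < CACHE_SLOTS)
        snprintf(cache_keys[cache_count++], NAME_LEN, "%s", key);
}

static bool cache_lookup(const char *key)
{
    for (int i = 0; i < cache_count; i++)
        if (strcmp(cache_keys[i], key) == 0) return true;
    return false;
}

/* Scenario from the report: the login path stores under login_name, then
 * ntlm_auth looks up ntlm_auth_name. Returns true when the offline lookup
 * hits. canonicalize=false stores and looks up the names as given (the
 * reported miss); canonicalize=true runs both through canonical_key (the fix). */
static bool offline_auth_hits(const char *login_name, const char *ntlm_auth_name,
                              char sep, bool canonicalize)
{
    char store_key[NAME_LEN], lookup_key[NAME_LEN];
    cache_reset();
    if (canonicalize) {
        canonical_key(login_name, sep, true, store_key);
        canonical_key(ntlm_auth_name, sep, true, lookup_key);
    } else {
        snprintf(store_key, NAME_LEN, "%s", login_name);
        snprintf(lookup_key, NAME_LEN, "%s", ntlm_auth_name);
    }
    cache_store(store_key);
    return cache_lookup(lookup_key);
}

int main(void)
{
    printf("unfixed, sep '\\': %d\n", offline_auth_hits("dwoodhou", "GER\\dwoodhou", '\\', false));
    printf("fixed,   sep '\\': %d\n", offline_auth_hits("dwoodhou", "GER\\dwoodhou", '\\', true));
    printf("fixed,   sep '+':  %d\n", offline_auth_hits("dwoodhou", "GER+dwoodhou", '+', true));
    printf("hard-coded '\\' with sep '+': %d\n", offline_auth_hits("dwoodhou", "GER\\dwoodhou", '+', true));
    return 0;
}
```

The last case is the reporter's separator question: with `winbind separator = +` a key formatted as "GER\dwoodhou" does not contain the configured separator, so it is parsed as a bare user name and never matches "GER+dwoodhou".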
Ok, I need to understand this bug better. Can you attach a debug level 10 log from winbindd showing what is happening ? Jeremy.
Created attachment 5877: Fix for 3.5.x
Can you review and test this one please. I'm pretty sure this is the correct fix for this issue. Jeremy.
This passes basic testing both with 'winbind separator = +' and with it left at the default setting. I can start winbindd, log in, and ntlm_auth works. Both tests were done while offline, since this machine has fallen off the VPN in my absence -- but that shouldn't matter, right?
Comment on attachment 5877 (Fix for 3.5.x)
Guenther, once you've reviewed the patch please re-assign to Karolin for inclusion. Thanks ! Jeremy.
Comment on attachment 5877 (Fix for 3.5.x)
looks good
Karolin, can you please add to 3.5 (and if it applies to 3.4 as well) ?
Pushed to v3-5-test. Automatic cherry-pick failed for v3-4-test. Please feel free to re-open if it's an issue in 3.4. Closing out bug report. Thanks!
The behaviour reported by David Woodhouse is reproducible on Ubuntu 10.04 LTS which uses Samba 3.4. It is only possible to make ntlm_auth work with "use default domain = no". Would it be possible to have this backported to 3.4 so that we can use it on Ubuntu 10.04 LTS? Thanks in advance!
Today only 3.6 will see more than critical fixes. If you want a feature update for 3.4 Ubuntu packages you might ask Canonical.
Created attachment 6899: Fix for Samba (winbind) 3.4.7
I changed 2 lines in the original fix for the 3.5.4 version because you had 2 pointers instead of one:
+ fstrcpy(state->request.data.auth.user, mapped);
+ if (!canonicalize_username(state->request.data.auth.user, name_domain, name_user)) {
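Review bot: `fstrcpy(state->request.data.auth.user, mapped);` overwrites the request buffer before `canonicalize_username` runs on it in place, so if canonicalization fails the request is left holding the raw mapped name; make sure the failure branch that follows the `if (!canonicalize_username(...))` returns an error rather than falling through with that value. The `.` instead of `->` on `state->request` is consistent with the one-pointer difference described above for 3.4, where the request is not reached through a second pointer.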
Please confirm, when you can, if it's ok. Thanks.