Bug 7589 - ntlm_auth fails to use cached credentials
Summary: ntlm_auth fails to use cached credentials
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.5.4
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2010-07-27 03:30 UTC by David Woodhouse
Modified: 2011-09-17 05:17 UTC (History)
2 users (show)

See Also:

Fix for 3.5.x (2.33 KB, patch)
2010-07-29 15:47 UTC, Jeremy Allison
gd: review+
Fix for Samba (winbind) 3.4.7 (1.33 KB, patch)
2011-09-16 19:57 UTC, Susana Pereira
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description David Woodhouse 2010-07-27 03:30:51 UTC
When I log on as user 'dwoodhou' in the default domain (GER), cached credentials are added with the key 'dwoodhou'.

When I then try to use ntlm_auth, it asks me for my password because it tries looking for cached credentials with the key 'GER\dwoodhou', and finds no match.
(btw, should that be a hard-coded '\\'? The separator is configurable, isn't it?)

This patch "fixes" it and perhaps highlights the problem more coherently than the above prose, but I'm not sure what this patch also breaks -- I assume this was conditional for a reason.

--- source3/winbindd/winbindd_pam.c~ 2010-06-18 13:01:04.000000000 +0100
+++ source3/winbindd/winbindd_pam.c 2010-07-26 12:11:23.657507372 +0100
@@ -1489,7 +1489,7 @@ enum winbindd_result winbindd_dual_pam_a

  parse_domain_user(mapped_user, name_domain, name_user);

- if ( mapped_user != state->request->data.auth.user ) {
+ if ( 1 || mapped_user != state->request->data.auth.user ) {
   fstr_sprintf( domain_user, "%s\\%s", name_domain, name_user );
   safe_strcpy( state->request->data.auth.user, domain_user,
         sizeof(state->request->data.auth.user)-1 );

[root@i7 dwoodhou]# grep '^[^#;]' /etc/security/pam_winbind.conf 
debug = yes
debug_state = yes
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
mkhomedir = yes
[root@i7 dwoodhou]# grep winbind /etc/samba/smb.conf 
 winbind offline logon = true
 winbind refresh tickets = true
#   winbind separator = +
#   winbind uid = 10000-20000
#   winbind gid = 10000-20000
   winbind cache time = 15000
#   winbind enum users = yes
#   winbind enum groups = yes
   winbind use default domain = yes
[root@i7 dwoodhou]# rpm -q samba-winbind
Comment 1 Jeremy Allison 2010-07-29 07:31:20 UTC
Ok, I need to understand this bug better. Can you attach a debug level 10 log from winbindd showing what is happening ?
Comment 2 Jeremy Allison 2010-07-29 15:47:26 UTC
Created attachment 5877 [details]
Fix for 3.5.x

Can you review and test this one please. I'm pretty sure this is the correct fix for this issue.
Comment 3 David Woodhouse 2010-07-29 17:25:54 UTC
This passes basic testing both with 'winbind separator = +' and with it left at the default setting. I can start winbindd, log in, and ntlm_auth works.

Both tests were done while offline, since this machine has fallen off the VPN in my absence -- but that shouldn't matter, right?
Comment 4 Jeremy Allison 2010-07-30 02:30:17 UTC
Comment on attachment 5877 [details]
Fix for 3.5.x

Guenther, once you've reviewed the patch please re-assign to Karolin for inclusion.

Thanks !

Comment 5 Guenther Deschner 2010-08-19 05:42:49 UTC
Comment on attachment 5877 [details]
Fix for 3.5.x

looks good
Comment 6 Guenther Deschner 2010-08-19 05:43:32 UTC
Karolin, can you please add to 3.5 (and if it applies to 3.4 as well) ?
Comment 7 Karolin Seeger 2010-08-23 04:25:35 UTC
Pushed to v3-5-test.
Automatic cherry-pick failed for v3-4-test.
Please feel free to re-open if it's an issue in 3.4.

Closing out bug report.

Comment 8 ghomem 2011-08-17 19:58:03 UTC
The behaviour reported by David Woodhouse is reproducible on Ubuntu 10.04 LTS which uses Samba 3.4. It is only possible to make ntlm_auth work with "use default domain = no".

Would it be possible to have this backported to 3.4 so that we can use it on Ubuntu 10.04 LTS?

Thanks in advance!
Comment 9 Björn Jacke 2011-08-18 08:24:17 UTC
today only 3.6 will see more than critical fixes. If you want a feature update for 3.4 Ubuntu packages you might ask Canonical.
Comment 10 Susana Pereira 2011-09-16 19:57:20 UTC
Created attachment 6899 [details]
Fix for Samba (winbind) 3.4.7

I change 2 lines in the original fix for 3.5.4 version because you had 2 pointers instead one

+		fstrcpy(state->request.data.auth.user, mapped);

+	if (!canonicalize_username(state->request.data.auth.user, name_domain, name_user)) {
Comment 11 Susana Pereira 2011-09-16 20:01:06 UTC
Please confirm, when you can, if it's ok.