Bug 8881 - username map not working in security=ADS
Summary: username map not working in security=ADS
Status: RESOLVED DUPLICATE of bug 9139
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: 3.6.4
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2012-04-19 08:34 UTC by maurer
Modified: 2013-04-10 08:20 UTC

Attachments
level 10 debug (822.64 KB, application/x-gzip), 2012-05-02 12:38 UTC, maurer
debug 10 with comments (737.83 KB, application/octet-stream), 2012-08-23 10:40 UTC, maurer

Description maurer 2012-04-19 08:34:15 UTC
After an upgrade from 3.5.13 to 3.6.4 of an AD Member Server
(security=ADS), username map does not work any more.

We use

idmap config * : backend = tdb
idmap config * : range = 1000001-1999999

idmap config DLR : backend = nss
idmap config DLR : readonly = yes
idmap config DLR : range = 1000-100000

because the AD users are available to the Linux system through Vintela
Authentication Services (VAS).

With 3.5.13
root = DLR\maurerh
allows DLR\maurerh to modify printer setting or create files as root

With 3.6.4
samba still logs

[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh to root

but the printer settings are greyed out and files are created as maurerh
instead as root.


One more difference is that with 3.5.13
it was possible to use

root = DLR\maurerh-ad

where maurerh-ad is a windows only administrative account without unix
attributes
Any access to the Samba server was mapped to root.

With 3.6.4

Samba logs

Kerberos ticket principal name is [username-adm@INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh-ad to root

Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying
access.

[2012/04/18 11:29:23.205474, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: maurerh [Maurer, Hansjörg]
[2012/04/18 11:29:23.205766, 3]
auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [maurerh@INTRA.DLR.DE]
[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username)
Mapped user DLR\maurerh to root
[2012/04/18 11:29:23.310976, 3]
passdb/lookup_sid.c:1737(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for maurerh

==> log.winbindd <==
[2012/04/18 11:29:23.311849, 3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 6364]: request interface version
[2012/04/18 11:29:23.312147, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 6364]: request location of privileged pipe
[2012/04/18 11:29:23.312796, 3]
winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
lookupname Unix User\maurerh

==> log.wb-RM-SAMBA01-TEST <==
[2012/04/18 11:29:23.313137, 3]
winbindd/winbindd_samr.c:622(sam_name_to_sid)
sam_name_to_sid
[2012/04/18 11:29:23.313435, 3]
winbindd/winbindd_rpc.c:303(rpc_name_to_sid)
name_to_sid: UNIX USER\MAURERH for domain UNIX USER
[2012/04/18 11:29:23.319738, 3]
rpc_server/rpc_handles.c:281(close_policy_hnd)
Closed policy

==> log.129.247.189.133 <==
[2012/04/18 11:29:23.371065, 3] smbd/password.c:297(register_existing_vuid)
register_existing_vuid: User name: maurerh Real name: Maurer, Hansjörg
[2012/04/18 11:29:23.371289, 3] smbd/password.c:307(register_existing_vuid)
register_existing_vuid: UNIX uid 7740 is UNIX user maurerh, and will be
vuid 101
[2012/04/18 11:29:23.371704, 1] smbd/session.c:86(session_claim)
Comment 1 maurer 2012-05-02 12:38:46 UTC
Created attachment 7513 [details]
level 10 debug

user maurerh connects to the server, is mapped to root, but directory test5 is created as maurerh
Comment 2 Thomas Beinicke 2012-05-08 23:18:03 UTC
I am not sure if I am experiencing the same bug, but it is related to the mapping. Maybe you can try whether yours is the same bug.

When I have a unix user "foo" and a domain user called "DOMAIN+foo" the login (via IP and DNS name) works and no mapping is required.

If I have a unix user "foobar" and a domain user "DOMAIN+bar" with a mapping file containing "foobar = DOMAIN+bar" it doesn't work via DNS name and I get a password prompt.

If I use the IP address of the server to access the share the mapping *does* work.

I am running samba 3.6.5
Comment 3 maurer 2012-05-09 06:57:18 UTC
I can confirm your description for both of my problems.

If I connect to the server using \\IP-Number instead of \\HOSTNAME,
the usermapping itself works and users not available to the Unix systems are mapped too.

Thank you very much
Comment 4 Cory Zito 2012-07-05 14:49:10 UTC
I've hit this bug in 3.6.5 and in 3.6.6.  I'm experiencing it in our production AD environment on both Solaris and Linux platforms.

Some additional information I haven't seen discussed yet:  

smbclient from 3.5.x/3.6.x to 3.6.x using the usermap aliased login works with no issues.  

Win7 to 3.6.x requires using the ipaddr as previously discussed.

Is there anything I can do to help resolve this issue?
Comment 5 Cory Zito 2012-08-20 21:17:49 UTC
3.6.7 same issue.  Anybody working on this?  I'm happy to test code changes.
Comment 6 Jura Sasek 2012-08-21 08:47:52 UTC
(In reply to comment #3)
> If I connect to the Server using  \\IP-Number instead of \\HOSTNAME
> the usermapping itself works and users not available to the Unix Systems are
> mapped too

...it also works for me:

Create a DNS alias for the Samba server, e.g. by the command:
DnsCmd /RecordAdd smbsetup.czech.sun.com ldom10 CNAME t4-ldom10.smbsetup.czech.sun.com.
...on the DC, where t4-ldom10 is the DNS A-record.

Then on win client you can use:
E:\Documents and Settings\jura.SMBSETUP>net view \\ldom10
Shared resources at \\ldom10

Samba 3. tdb

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
homes       Disk
jura        Disk           Home directory of SMBSETUP\jura
public      Disk           Public data directory
The command completed successfully.


E:\Documents and Settings\jura.SMBSETUP>net use p: \\ldom10\public
The command completed successfully.
Comment 7 Jura Sasek 2012-08-21 09:00:50 UTC
I have the same issue on Solaris 10 (Solaris 11 seems to work fine). In my case the cause is wrong timestamps in the Kerberos keytab. The "workaround" over the IP or DNS alias [CNAME record] is available because the client authentication falls back to LMHOST auth. (instead of Kerberos auth.) in such a case.

The problem can be observed cleanly when:
 - the keytab is created -> set the smb.conf option:

   kerberos method = system keytab
 ...then "net ads join" the domain. The keytab is created in the standard system location. Looking at this keytab:

-bash-3.2# ktutil
ktutil:  rkt /etc/krb5/krb5.keytab
ktutil:  l -t
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------
   1    2 01/01/70 01:00:00 host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM
   2    2 01/01/70 01:00:00 host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM
   3    2 01/01/70 01:00:00 host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM
   4    2 01/01/70 01:00:00    host/t4-ldom10@SMBSETUP.CZECH.SUN.COM
   5    2 01/01/70 01:00:00    host/t4-ldom10@SMBSETUP.CZECH.SUN.COM
   6    2 01/01/70 01:00:00    host/t4-ldom10@SMBSETUP.CZECH.SUN.COM
   7    2 01/01/70 01:00:00        T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
   8    2 01/01/70 01:00:00        T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
   9    2 01/01/70 01:00:00        T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
ktutil:

...it can be seen that the timestamps are "zeroed".

So on each SMB session auth. attempt you can see in the (session) log[.%h]:

[2012/08/21 01:28:13.789620, 10] libads/kerberos_verify.c:248(ads_keytab_verify_ticket)
  libads/kerberos_verify.c:245: krb5_rd_req_return_keyblock_from_keytab(host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM) failed: Wrong principal in request
...for each slot in keytab.
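The check described in this comment (list the keytab, look for epoch timestamps, then compare what the keytab holds against the principal named in the "Wrong principal in request" line) can be scripted. The following is an added example, not Samba or MIT Kerberos code and not from the commenter: it parses the text of a `ktutil` / `l -t` listing (embedded here as a constructed sample shaped like the one above, with one extra hypothetical slot carrying a real timestamp and a newer KVNO so the two cases can be told apart), flags the zeroed slots, and reports which principals and key versions are present.

```python
"""Flag keytab slots stamped at the Unix epoch in a ktutil `l -t` listing.

Added example; not Samba or MIT Kerberos code. The listing text is a
constructed sample in the shape of the one in comment 7.
"""
import re
from datetime import datetime

# Constructed sample: three zeroed slots as on the page, plus a hypothetical
# slot 8 with a genuine timestamp and KVNO 3.
SAMPLE_LISTING = """\
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------
   1    2 01/01/70 01:00:00 host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM
   4    2 01/01/70 01:00:00    host/t4-ldom10@SMBSETUP.CZECH.SUN.COM
   7    2 01/01/70 01:00:00        T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
   8    3 08/21/12 09:12:44        T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
ktutil:
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<slot>\d+)\s+(?P<kvno>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<principal>\S+)\s*$"
)


def parse_listing(text):
    """One dict per keytab slot; header, separator and prompt lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        entries.append({
            "slot": int(m["slot"]),
            "kvno": int(m["kvno"]),
            # ktutil prints two-digit years; strptime maps 69-99 to 1969-1999
            "timestamp": datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S"),
            "principal": m["principal"],
        })
    return entries


def zeroed_entries(entries, slack_hours=24):
    """Slots whose timestamp is the epoch, allowing for the local-time offset
    that renders 00:00:00 UTC as e.g. 01:00:00 in the listing."""
    epoch = datetime(1970, 1, 1)
    return [e for e in entries
            if abs((e["timestamp"] - epoch).total_seconds()) <= slack_hours * 3600]


def kvnos_by_principal(entries):
    """Map each principal to the sorted list of key versions present for it."""
    out = {}
    for e in entries:
        out.setdefault(e["principal"], set()).add(e["kvno"])
    return {p: sorted(v) for p, v in out.items()}


def report(text):
    """Summary a practitioner can compare with the principal in the smbd log line."""
    entries = parse_listing(text)
    return {
        "slots": len(entries),
        "zeroed_slots": [e["slot"] for e in zeroed_entries(entries)],
        "principals": kvnos_by_principal(entries),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a real host, feed the script the saved output of `ktutil` (`rkt /etc/krb5/krb5.keytab` then `l -t`) instead of the embedded sample; a non-empty `zeroed_slots` list is the condition the comment describes, and `principals` shows whether the service principal that `krb5_rd_req_return_keyblock_from_keytab` complains about is present at all and at which KVNO.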
Comment 8 maurer 2012-08-23 10:40:16 UTC
Created attachment 7815 [details]
debug 10 with comments
Comment 9 maurer 2012-08-23 10:45:29 UTC
Hi

some parts of the debug 10 with comments
DLR\maurerh-ad is mapped to root

[2012/08/23 12:30:23.047563,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: maurerh-ad [maurerh-ad]


[2012/08/23 12:30:23.073169,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [maurerh-ad@INTRA.DLR.DE]
[2012/08/23 12:30:23.073200, 10] auth/user_krb5.c:82(get_user_from_kerberos_info)
  Domain is [DLR] (using PAC)
[2012/08/23 12:30:23.073230,  4] auth/user_util.c:361(map_username)
  Scanning username map /etc/samba/smbusers


[2012/08/23 12:30:23.073347,  3] auth/user_util.c:402(map_username)
  Mapped user DLR\maurerh-ad to root


[2012/08/23 12:30:23.073475,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is root
[2012/08/23 12:30:23.073497,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [root]!


[2012/08/23 12:30:23.089734,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user DLR\maurerh-ad
[2012/08/23 12:30:23.089755,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is dlr\maurerh-ad
[2012/08/23 12:30:23.090404,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is DLR\maurerh-ad
[2012/08/23 12:30:23.090471,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is DLR\MAURERH-AD
[2012/08/23 12:30:23.090520,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in dlr\maurerh-ad
[2012/08/23 12:30:23.090542,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [DLR\maurerh-ad]!
[2012/08/23 12:30:23.090563,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user maurerh-ad
[2012/08/23 12:30:23.090583,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is maurerh-ad
[2012/08/23 12:30:23.099227,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MAURERH-AD
[2012/08/23 12:30:23.099830,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in maurerh-ad
[2012/08/23 12:30:23.099863,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [maurerh-ad]!
[2012/08/23 12:30:23.100074,  3] auth/auth_util.c:1121(check_account)
  Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying access.
[2012/08/23 12:30:23.100125,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/08/23 12:30:23.100161,  1] smbd/sesssetup.c:379(reply_spnego_kerberos)
  make_server_info_krb5 failed!
[2012/08/23 12:30:23.100204,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/08/23 12:30:23.100232,  5] lib/util.c:332(show_msg)
[2012/08/23 12:30:23.100245,  5] lib/util.c:342(show_msg)


Why is this last sequence called, which seems to be the reason for the failure?
maurerh-ad is mapped to root and not available on the Linux system?
In 3.5.* this works.
Comment 10 Nitin Thakur 2012-10-16 14:21:35 UTC
Hi All

I can verify this is a bug. I have two instances of samba on same machine using their config files. Both the instances have joined different domain. My server name is tst-uat and tst-dev. tst-uat joins uat domain and tst-dev joins dev domain. When I use workstation on Dev domain and I try to access tst-dev samba server by name it does not work, but when I access samba share on tst-uat which is in UAT domain, it prompts me for password and it works fine. Likewise, when I use workstation on UAT domain and try to access tst-uat samba share by name it does not work, but when I access samba share on tst-dev samba server, it prompts me for password and works fine.

If I use IP addresses it works all the time, no matter what environment I am working in.

Another important thing is that it works for all the users who have the same Unix and Windows user name. If the Unix id and Windows id do not match, this bug triggers.

These are the error messages that I get:
  Found account name from PAC: xyz 
[2012/10/16 10:16:29.686138,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [xyz@XXX.COM]
[2012/10/16 10:16:29.686203,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user XXX\xyz
[2012/10/16 10:16:29.686236,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is xxx\xyz
[2012/10/16 10:16:29.687019,  5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is XXX\xyz
[2012/10/16 10:16:29.687655,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is XXX\XYZ
[2012/10/16 10:16:29.688269,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in xxx\xyz
[2012/10/16 10:16:29.688305,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [XXX\xyz]!
[2012/10/16 10:16:29.688335,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user xyz
[2012/10/16 10:16:29.688363,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is xyz
[2012/10/16 10:16:29.689009,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is XYZ
[2012/10/16 10:16:29.689633,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in xyz
[2012/10/16 10:16:29.689668,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [xyz]!
[2012/10/16 10:16:29.689723,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user xyz
[2012/10/16 10:16:29.689753,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is xyz
[2012/10/16 10:16:29.690381,  5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is XYZ
[2012/10/16 10:16:29.691004,  5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in xyz
[2012/10/16 10:16:29.691039,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [xyz]!
[2012/10/16 10:16:29.691068,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username XXX\xyz is invalid on this system
[2012/10/16 10:16:29.691130,  3] smbd/error.c:81(error_packet_set)


I am using Kerberos 5-1.10.3, Openldap-2.4.32 and Samba-3.6.7 with AD Security.
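The excerpts in comment 9 and comment 10 share one shape: a `[timestamp, level] file:line(func)` header followed by an indented message, and a failure that is only visible once the "Mapped user A to B" line is correlated with the `Get_Pwnam_internals` results and the final denial. The script below is an added example, not Samba's code and not from any of the reporters: it reconstructs the records, then derives two findings that match what this page shows, a mapping that was logged but not honoured (the mapped name resolves, yet the pre-map name is what gets denied) and a denial with no username map hit at all. Both sample logs are constructed from the page's excerpts, trimmed to the lines the check needs.

```python
"""Correlate smbd log records around a failed Kerberos session setup.

Added example; not Samba code. Sample logs are constructed from the
excerpts in comments 9 and 10 of this bug.
"""
import re

HEADER_RE = re.compile(r"^\[(?P<ts>[\d/ :.]+),\s*(?P<level>\d+)\]\s+(?P<loc>\S+)\s*$")
MAPPED_RE = re.compile(r"^Mapped user (?P<orig>\S+) to (?P<target>\S+)$")
FOUND_RE = re.compile(r"^Get_Pwnam_internals did find user \[(?P<name>[^\]]+)\]!$")
NOT_FOUND_RE = re.compile(r"^Get_Pwnam_internals didn't find user \[(?P<name>[^\]]+)\]!$")
DENY_RE = re.compile(r"^Failed to find authenticated user (?P<name>\S+) via getpwnam\(\), denying access\.$")
INVALID_RE = re.compile(r"^Username (?P<name>\S+) is invalid on this system$")

# Constructed from comment 9: mapping logged, root resolves, pre-map name denied.
SAMPLE_MAPPED = r"""
[2012/08/23 12:30:23.073169,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [maurerh-ad@INTRA.DLR.DE]
[2012/08/23 12:30:23.073347,  3] auth/user_util.c:402(map_username)
  Mapped user DLR\maurerh-ad to root
[2012/08/23 12:30:23.073497,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [root]!
[2012/08/23 12:30:23.090542,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [DLR\maurerh-ad]!
[2012/08/23 12:30:23.099863,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [maurerh-ad]!
[2012/08/23 12:30:23.100074,  3] auth/auth_util.c:1121(check_account)
  Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying access.
"""

# Constructed from comment 10: no mapping line at all, name rejected outright.
SAMPLE_UNMAPPED = r"""
[2012/10/16 10:16:29.686138,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [xyz@XXX.COM]
[2012/10/16 10:16:29.688305,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [XXX\xyz]!
[2012/10/16 10:16:29.689668,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [xyz]!
[2012/10/16 10:16:29.691068,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username XXX\xyz is invalid on this system
"""


def parse_samba_log(text):
    """Join each header line with the indented message line(s) that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"].strip(), "level": int(m["level"]),
                       "loc": m["loc"], "msg": ""}
            records.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records


def analyze(records):
    """Collect mappings, lookup results and denials, then derive findings."""
    mapped, found, not_found, denied = {}, [], [], []
    for r in records:
        msg = r["msg"]
        if m := MAPPED_RE.match(msg):
            mapped[m["orig"]] = m["target"]
        elif m := FOUND_RE.match(msg):
            found.append(m["name"])
        elif m := NOT_FOUND_RE.match(msg):
            not_found.append(m["name"])
        elif m := (DENY_RE.match(msg) or INVALID_RE.match(msg)):
            denied.append(m["name"])
    findings = []
    for name in denied:
        if name in mapped:
            target = mapped[name]
            state = "resolved" if target in found else "not resolved"
            findings.append(f"username map ignored: {name} was mapped to {target} "
                            f"({state}), but access was decided on {name}")
        else:
            findings.append(f"no username map hit for {name}; getpwnam() tried: "
                            + ", ".join(not_found))
    return {"mapped": mapped, "found": found, "not_found": not_found,
            "denied": denied, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_MAPPED, SAMPLE_UNMAPPED):
        for finding in analyze(parse_samba_log(sample))["findings"]:
            print(finding)
```

Run it over a level-10 `log.%m` (or the session log) instead of the samples; the first finding is the signature of comment 9, where the mapped name is looked up and found but the decision in `check_account` is still made on the original name, and the second is the signature of comment 10, where nothing in the username map matched and the lookups ran only on the Windows name.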
Comment 11 Nitin Thakur 2012-10-16 14:49:13 UTC
Forgot to mention, using a CNAME record also doesn't help.
Comment 12 Thomas Beinicke 2013-01-02 13:07:16 UTC
I am still having this problem in version 3.6.9.

Is there any further information needed to fix/debug this problem?

Using the IP to connect to the server really isn't an optimal solution.
Comment 13 Andreas Schneider 2013-04-10 08:20:53 UTC

*** This bug has been marked as a duplicate of bug 9139 ***