[Samba] Order of getpwnam call in Get_Pwnam_internals.

Rowland Penny rpenny at samba.org
Thu Jan 25 10:41:19 UTC 2024 

On Thu, 25 Jan 2024 18:27:48 +0800
hhyy ww via samba <samba at lists.samba.org> wrote:

> Hi list,
> 
> My case :
> Local UNIX user : ZTEST
> domain : uuq.ork
> domain user : UUQ\ztest
> smb.conf for standalone samba : /home/hywu/smb.conf
> 
> [/home/hywu] # cat /home/hywu/smb.conf
> [global]
> passdb backend = smbpasswd
> workgroup = WORKGROUP
> security=user

Why is the smb.conf file in /home/hywu instead of somewhere like
/etc/samba ?

> 
> Smbpasswd fail to change local UNIX user password (ZTEST) when samba
> role is DC. I want to change password of local UNIX user "ZTEST" but
> get domain user "UUQ\ztest" from

You shouldn't have local and domain users with the same name.

> 
> 
> root at uuu:/# getent passwd | tail
> hywu:x:1000:1000 hywu,,,:/home/hywu:/bin/bash
> sshd:X:128:65534::/run/sshd:/usr/sbin/nologin
> jone:x:1001:1001:,,,:/home/jone:/bin/bash
> ZTEST:X:1002:1002:,,,:/home/ZTEST: /bin/bash
> UUQ\administrator:*:0:100::/home/UUQ/administrator:/bin/false
> UUQ\guest:*:3000008:100::/home/UUQ/guest :/bin/false
> UUQ\krbtgt:*:3000012:100::/home/UUQ/krbtgt:/bin/false
> UUQ\ztest:*:3000013:100::/home/UUQ/ztest:/bin/false

Go on, I give in, how did you get a domain user into /etc/passwd (where
it doesn't belong).

> root at uuu:/#
> root at uuu:/#smbpasswd -c /home/hywu/smb.conf -U ZTEST -D 2
> rlimit max:increasing (1024) to minimum Windows limit (16384)
> New SMB password:
> Retype new SMB password:
> Cannot update entry for user UUQ\ztest, as they don't exist in the
> smbpasswd file!
> smbpasswd_update_sam_account: mod_smbfilepud_entry failed!
> Failed to modify entry for user ZTEST.
> root at uuu:/# uname -a
> Linux uuu 6.5.0-14-generic #14~22.04.1-Ubuntu SMP...
> 
> 
> I checked samba code then I found the problem is order of gerpwnam
> call in Get_Pwnam_internals(). Lowercase first order will get domain
> user (UUQ/ztest) but local account(ZTEST).
> 
> local_password_change()
>  pdb_getsampwnam()
>   smbpasswd_getsampwnam()
>     build_sam_account()
>      Get_Pwnam_alloc()
>       Get_Pwnam_internals() <-- turn "ZTEST" to "ztest"
>        getpwnam_alloc_cached()
>         getpwnam()
>          (nss_winbinadd)
>           winbindd_getpwnam_send()
>            parse_domain_user() <-- add "UUQ" to domain and namespace.
>             assume_domain()
> 
> When samba role is DC , "winbind use default domain" does not work in
> assume_domain(). Then getpwnam() get domain user.
> 
> I have checked the following list and commit
> https://lists.samba.org/archive/samba-technical/2008-March/058508.htmlhttps://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96
> 
> Why the order of getpwnam call in Get_Pwnam_internals() change from
> original name first to lowercase first?
> 
> HY Wu.

I think you need to give us more details:
What OS ?
What version of Samba ?
Is there another smb.conf file somewhere ?
If there is, what is in it ?
How did you provision the domain, what was the actual command ?

Rowland

More information about the samba mailing list