[Samba] Order of getpwnam call in Get_Pwnam_internals.

hhyy ww hywusmb at gmail.com
Thu Jan 25 13:50:41 UTC 2024


My system is not only for CIFS/SMB/domain features; sometimes I need to
disable the DC, so I have to keep local users in /etc/passwd.
I have downloaded the Samba source code and built it. I modified the order of
the getpwnam calls in source3/lib/username.c, which solved the problem.

I have checked the following list :
https://lists.samba.org/archive/samba-technical/2008-March/058508.html
I think this is the same problem.

Regarding this commit, I don't know why it changed the order of the
getpwnam calls.
https://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96

Before this commit, the order was original -> lowercase -> uppercase.

My point is: why did Samba change the order to lowercase -> original -> uppercase?

HY Wu.
Rowland Penny via samba <samba at lists.samba.org> wrote on Thu, Jan 25, 2024 at 9:17 PM:

> On Thu, 25 Jan 2024 20:54:07 +0800
> hhyy ww via samba <samba at lists.samba.org> wrote:
>
> > Rowland Penny via samba <samba at lists.samba.org> wrote on Thu, Jan 25,
> > 2024 at 6:42 PM:
> >
> > > On Thu, 25 Jan 2024 18:27:48 +0800
> > > hhyy ww via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi list,
> > > >
> > > > My case :
> > > > Local UNIX user : ZTEST
> > > > domain : uuq.ork
> > > > domain user : UUQ\ztest
> > > > smb.conf for standalone samba : /home/hywu/smb.conf
> > > >
> > > > [/home/hywu] # cat /home/hywu/smb.conf
> > > > [global]
> > > > passdb backend = smbpasswd
> > > > workgroup = WORKGROUP
> > > > security=user
> > >
> > > Why is the smb.conf file in /home/hywu instead of somewhere like
> > > /etc/samba ?
> > >
> > > >
> > > > > smbpasswd fails to change the local UNIX user's password (ZTEST)
> > > > > when the Samba role is DC. I want to change the password of local
> > > > > UNIX user "ZTEST" but get domain user "UUQ\ztest" from
> > >
> > > You shouldn't have local and domain users with the same name.
> > >
> >
> > > >
> > > >
> > > > root at uuu:/# getent passwd | tail
> > > > hywu:x:1000:1000 hywu,,,:/home/hywu:/bin/bash
> > > > sshd:X:128:65534::/run/sshd:/usr/sbin/nologin
> > > > jone:x:1001:1001:,,,:/home/jone:/bin/bash
> > > > ZTEST:X:1002:1002:,,,:/home/ZTEST: /bin/bash
> > > > UUQ\administrator:*:0:100::/home/UUQ/administrator:/bin/false
> > > > UUQ\guest:*:3000008:100::/home/UUQ/guest :/bin/false
> > > > UUQ\krbtgt:*:3000012:100::/home/UUQ/krbtgt:/bin/false
> > > > UUQ\ztest:*:3000013:100::/home/UUQ/ztest:/bin/false
> > >
> > > Go on, I give in, how did you get a domain user into /etc/passwd
> > > (where it doesn't belong).
> > >
> >
> > After the Samba role became DC, I added winbind to the passwd and group
> > sections in /etc/nsswitch.conf
>
> That would not put anything into /etc/passwd, but thinking about it, do
> you have 'winbind enum users = yes' in your correct smb.conf ?
>
> >
> > >
> >
> > > root at uuu:/#
> > > > root at uuu:/#smbpasswd -c /home/hywu/smb.conf -U ZTEST -D 2
> > > > rlimit max:increasing (1024) to minimum Windows limit (16384)
> > > > New SMB password:
> > > > Retype new SMB password:
> > > > Cannot update entry for user UUQ\ztest, as they don't exist in the
> > > > smbpasswd file!
> > > > smbpasswd_update_sam_account: mod_smbfilepud_entry failed!
> > > > Failed to modify entry for user ZTEST.
> > > > root at uuu:/# uname -a
> > > > Linux uuu 6.5.0-14-generic #14~22.04.1-Ubuntu SMP...
> > > >
> > > >
> > > > > I checked the Samba code and found that the problem is the order of
> > > > > the getpwnam calls in Get_Pwnam_internals(). The lowercase-first order
> > > > > gets the domain user (UUQ/ztest) rather than the local account (ZTEST).
> > > >
> > > > local_password_change()
> > > >  pdb_getsampwnam()
> > > >   smbpasswd_getsampwnam()
> > > >     build_sam_account()
> > > >      Get_Pwnam_alloc()
> > > >       Get_Pwnam_internals() <-- turn "ZTEST" to "ztest"
> > > >        getpwnam_alloc_cached()
> > > >         getpwnam()
> > > >          (nss_winbinadd)
> > > >           winbindd_getpwnam_send()
> > > > >            parse_domain_user() <-- add "UUQ" to domain and namespace.
> > > > >             assume_domain()
> > > >
> > > > > When the Samba role is DC, "winbind use default domain" does not
> > > > > work in assume_domain(). Then getpwnam() gets the domain user.
> > > >
> > > > I have checked the following list and commit
> > > >
> > >
> https://lists.samba.org/archive/samba-technical/2008-March/058508.htmlhttps://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96
> > > >
> > > > > Why did the order of the getpwnam calls in Get_Pwnam_internals()
> > > > > change from original name first to lowercase first?
> > > >
> > > > HY Wu.
> > >
> > > I think you need to give us more details:
> > > What OS ?
> > >
> > ubuntu 22.04
> >
> > > What version of Samba ?
> > >
> > samba-4.15
> >
> > > Is there another smb.conf file somewhere ?
> > >
> > Before the Samba role became DC, Samba used this smb.conf.
> > [/home/hywu] # cat /home/hywu/smb.conf
> > [global]
> > passdb backend = smbpasswd
> > workgroup = WORKGROUP
> > security=user
> >
> > After the Samba role became DC, Samba uses the smb.conf generated by
> > samba-tool domain provision.
> >
> >
> > > If there is, what is in it ?
> > > How did you provision the domain, what was the actual command ?
> > >
> >  samba-tool domain provision --use-rfc2307 --realm=uuq.ork
> > --domain=UUQ --server-role=DC --adminpass=xxxxxx
> > I installed Samba following these links:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
> > https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian/Ubuntu
> >
> > > Rowland
> > >
> > >
> >
> > I need to sync the account passwords in /etc/passwd and smbpasswd, so when
> > I change a local user's password I run the smbpasswd command to set the same
> > password. Before Samba became DC, "smbpasswd -c /home/hywu/smb.conf
> > -U ZTEST" worked well.
> > After Samba became DC, this command fails to change the password.
> > I checked the debug log and the Samba code, and I find that the order of the
> > getpwnam calls in Get_Pwnam_internals causes this problem.
> >
> > HY Wu.
>
> You only need local Unix users (the ones that are in /etc/passwd) on a
> Samba AD DC for local administration and as I said earlier, any local
> Unix users are unknown to AD.
>
> If I run getent on one of my DCs, I get things like this:
>
> adminuser at rpidc1:~ $ getent passwd rowland
> SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
>
> To all intents and purposes, 'rowland' is a local Unix user and can log
> into the DC, but 'rowland' isn't in /etc/passwd:
>
> adminuser at rpidc1:~ $ cat /etc/passwd | grep 'rowland'
> adminuser at rpidc1:~ $
> adminuser at rpidc1:~ $
>
> To change an AD user's password, you can use samba-tool, see:
>
> samba-tool user password --help
>
> Or:
>
> samba-tool user setpassword --help
>
> I would remove any users from /etc/passwd that are also created in your
> AD DC.
>
> I will now go and close your bug report, it is invalid.
>
> Rowland
>
>
>
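
The lookup-order effect discussed in this thread, as an added example that is not part of the original post and is not Samba's code: a simplified model of trying the original, lowercase and uppercase spellings against a name service where local files are consulted before winbind. `mock_getpwnam`, `lookup` and both tables are hypothetical, constructed from the getent output quoted above; the case-insensitive winbind match is an assumption of the model.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed tables mirroring the getent output quoted in the thread. */
static const char *local_users[]  = { "hywu", "jone", "ZTEST", NULL };
static const char *domain_users[] = { "administrator", "guest", "krbtgt", "ztest", NULL };

/* Hypothetical stand-in for getpwnam() with "files" consulted before winbind.
 * Assumption: files match case-sensitively; winbind matches the short name
 * case-insensitively and answers with the UUQ\ prefix. */
static const char *mock_getpwnam(const char *name, char *buf, size_t len)
{
    for (size_t i = 0; local_users[i]; i++)
        if (strcmp(local_users[i], name) == 0) return local_users[i];
    for (size_t i = 0; domain_users[i]; i++)
        if (strcasecmp(domain_users[i], name) == 0) {
            snprintf(buf, len, "UUQ\\%s", domain_users[i]);
            return buf;
        }
    return NULL;
}

enum order { ORIGINAL_FIRST, LOWERCASE_FIRST };

/* Try the three spellings in the chosen order; the first hit wins. */
const char *lookup(const char *user, enum order ord, char *buf, size_t len)
{
    char lower[64], upper[64];
    size_t i;
    for (i = 0; user[i] && i + 1 < sizeof lower; i++) {
        lower[i] = (char)tolower((unsigned char)user[i]);
        upper[i] = (char)toupper((unsigned char)user[i]);
    }
    lower[i] = upper[i] = '\0';
    const char *cand[3] = { ord == ORIGINAL_FIRST ? user : lower,
                            ord == ORIGINAL_FIRST ? lower : user, upper };
    for (i = 0; i < 3; i++) {
        const char *hit = mock_getpwnam(cand[i], buf, len);
        if (hit) return hit;
    }
    return NULL;
}

int main(void)
{
    char buf[64];
    printf("original first:  %s\n", lookup("ZTEST", ORIGINAL_FIRST, buf, sizeof buf));
    printf("lowercase first: %s\n", lookup("ZTEST", LOWERCASE_FIRST, buf, sizeof buf));
}
```

In this model the same request for ZTEST resolves to the local account with the original spelling tried first and to UUQ\ztest with lowercase tried first, which is why same-named local and domain accounts make the result depend on lookup order.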

