Oops in domain_namemap.c:lookupsmbpwntnam

Andrej Borsenkow borsenkow.msk at sni.de
Tue Dec 1 11:52:53 GMT 1998



> -----Original Message-----
> From: samba-technical at samba.org [mailto:samba-technical at samba.org] On Behalf Of Tim Potter
> Sent: Tuesday, December 01, 1998 7:42 AM
> To: Multiple recipients of list
> Subject: Oops in domain_namemap.c:lookupsmbpwntnam
>
>
> I'm trying to get my vfs code working with the latest update of the HEAD
> branch, and for some reason I can't even connect to the smb server!  It
> turns out that the lookupsmbpwntnam() function is falling right through to
> the end where there is the comment "oops".  (-:
>

Same here ... sigh - it is totally broken. It always does NT->Unix map (even
if security != domain); it does not provide for guest user; and (probably)
the mapping is done in the wrong place ...

Let me guess

 1. samba is PDC
     we need domain\user -> unixuser mapping to get a user to check password
     with; it is an absolute must that this mapping does exist, except for
     guest logons.

 2. samba as member of domain with security = domain
     there is *no* need to map domain\user -> unixuser *before* password was
     verified (it won't harm, but it is _not_ an error if such mapping does
     not exist)

     if user was verified with PDC, it must be mapped to Unix user. Till now
     it was *not* an error if no mapping existed - user would run as guest.
     In any case, calling Get_Pwnam() at this point is wrong - it does not
     take domain into account. Either user is mapped by domain user map or
     user is given guest

     if PDC verification failed, user should be checked with local pwdb and
     assumed to be local user. I understand it is what NT does. This
     automatically implies that user has valid Unix account. If this
     verification fails, user may be connected as guest, as was the case.

In both cases, there is no need for current map_username. It is primarily the
means to map external windows users to Unix ones for password check to work.
I would be very surprised if anybody remapped *Unix* users in this way (as
implied by current comments). In case of domain, it is completely obsoleted
by domain user map.

/andrej
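
The logon flow described in the message above, written out as an added example; it is not part of the original post and is not Samba's code. It shows the map being consulted before the password check on a PDC but only after verification on a domain member, and a map keyed on domain and user so that two domains' users with the same name stay distinct. All type, function and field names are hypothetical, the map entries are constructed, exact string matching is a simplification, and rejecting a failed password check on the PDC is an assumption the message does not spell out.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical names throughout; an illustration, not Samba's code. */
enum role    { ROLE_PDC, ROLE_DOMAIN_MEMBER };
enum outcome { RUN_AS_MAPPED, RUN_AS_LOCAL, RUN_AS_GUEST, LOGON_REJECTED };
struct result { enum outcome how; const char *unix_user; };

struct logon {
    const char *domain, *user;
    int guest_logon; /* guest logon requested (matters in the PDC case) */
    int pdc_ok;      /* password verified by the PDC (member case) */
    int local_ok;    /* password verified against the local pwdb */
};

/* Constructed domain user map: domain\user -> Unix user. */
static const struct { const char *domain, *user, *unix_user; } user_map[] = {
    { "SALES", "anna", "anna_s" },
    { "ENG",   "anna", "anna_e" },
};

/* Keyed on domain AND user; a bare-name lookup would merge both annas. */
static const char *map_domain_user(const char *domain, const char *user)
{
    for (size_t i = 0; i < sizeof user_map / sizeof user_map[0]; i++)
        if (!strcmp(user_map[i].domain, domain) && !strcmp(user_map[i].user, user))
            return user_map[i].unix_user;
    return NULL;
}

struct result resolve_logon(enum role role, const struct logon *l)
{
    const char *mapped;
    if (role == ROLE_PDC) {
        /* Case 1: map first, to find the account to check the password with. */
        if (l->guest_logon) return (struct result){ RUN_AS_GUEST, NULL };
        mapped = map_domain_user(l->domain, l->user);
        if (mapped && l->local_ok)
            return (struct result){ RUN_AS_MAPPED, mapped };
        /* Missing mapping is an error; failed password: assumed rejected. */
        return (struct result){ LOGON_REJECTED, NULL };
    }
    /* Case 2 (security = domain): verify first, map afterwards. */
    if (l->pdc_ok) {
        mapped = map_domain_user(l->domain, l->user);
        return mapped ? (struct result){ RUN_AS_MAPPED, mapped }
                      : (struct result){ RUN_AS_GUEST, NULL };
    }
    if (l->local_ok) /* PDC verification failed: treat as a local user */
        return (struct result){ RUN_AS_LOCAL, l->user };
    return (struct result){ RUN_AS_GUEST, NULL };
}
```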


