Prepending "\" to user name w/Win98 Domain Login

Jeff Mandel jeff.mandel at probes.com
Fri Aug 16 06:23:01 GMT 2002


I posted previously about samba prepending a "\" to the user name before 
lookup. Logins fail when "\user" is looked up instead of "user." I think 
there's a small bug in the username validation that reply.c makes. The 
problem is most evident when NIS is in use.

 reply.c 922-930
    /* Work out who's who */

    slprintf(dom_user, sizeof(dom_user) - 1,"%s%s%s",
               dos_to_unix_static(domain), lp_winbind_separator(), user);

    if (sys_getpwnam(dom_user) != NULL) {
      pstrcpy(user, dom_user);
      DEBUG(3,("Using unix username %s\n", dom_user));
    }

This call supposedly validates the <domain>\<user> string.
On Solaris, with NIS a win98 box tries to connect to a samba PDC. 
There's no domain name passed by the win98 client, but the setup for the 
string is <domain><winbindseparator><user>.

There's no domain - the string is now <><\><user>
1) If there's no domain, why would a winbind separator do something useful?

2) The wacky thing here is that \user actually returns successful with NIS.
jeff@host% getent passwd jeff
jeff:x:6789:6789::/export/home/jeff:/bin/ksh
jeff@host% getent passwd \jeff
jeff:x:6789:6789::/export/home/jeff:/bin/ksh

3) The validation doesn't really validate in this case since the value 
used is not what the system returned: \jeff != jeff, but the check in 
reply.c is only for != NULL. When this gets looked up in the samba 
password db, failure is certain. There's no \jeff in the samba password 
database.
  sesssetupX:name=[JEFF]
[2002/08/11 12:21:44, 3] smbd/reply.c:reply_sesssetup_and_X(929)
  Using unix username \JEFF
[2002/08/11 12:21:44, 2] smbd/reply.c:reply_sesssetup_and_X(982)
  Defaulting to Lanman password for \jeff
[2002/08/11 12:21:44, 1] smbd/password.c:pass_check_smb(545)
  Couldn't find user '\jeff' in passdb.
[2002/08/11 12:21:44, 1] smbd/reply.c:reply_sesssetup_and_X(998)
  Rejecting user '\jeff': authentication failed

The end result of this situation is that users from win98 cannot log in.
Changing if (sys_getpwnam(dom_user) != NULL) to
if (sys_getpwnam(dom_user) != NULL && strlen(domain) > 0 )
allows win98 to authenticate successfully, but doesn't really address 
the validation problem.

4) When the client is win2k which passes a domain in, this code is 
called to lookup getpwnam(<domain><sep><user>). Without some special 
module, when would a unix system ever return a positive response to this 
kind of lookup?

Compiling --without-winbind I see a failed lookup in the ldap logs for 
filter="(&(objectclass=posixAccount)(uid=MP\\JEFF))" every time someone 
logs in. This section adds overhead with extra lookups that are sure to 
fail. Should it be relocated to a different section so that it's only 
called when winbind is actually in use?

Thanks,

Jeff
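
Added example, not part of the original post and not Samba code: a sketch of the check discussed in point 3, comparing the name the lookup returns with the name that was asked for instead of testing only for != NULL. stub_getpwnam(), resolve_user() and the sample entries are hypothetical and constructed; the stub imitates the lookup behaviour shown in the getent output above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for sys_getpwnam(), using constructed data. It
 * mimics the name-service behaviour reported in the post: a leading "\"
 * is ignored, so "\jeff" resolves to the entry for "jeff". Returns the
 * entry's canonical name (pw_name in a real struct passwd) or NULL. */
static const char *stub_getpwnam(const char *name)
{
    static const char *known[] = { "jeff", "MP\\jeff", NULL };
    while (*name == '\\')
        name++;
    for (int i = 0; known[i] != NULL; i++)
        if (strcmp(known[i], name) == 0)
            return known[i];
    return NULL;
}

/* Decide which name later lookups should use and write it to out.
 * strict == 0: accept any non-NULL result, as the quoted check does.
 * strict == 1: accept only if the returned name equals the name asked for.
 * Returns 1 if the domain-qualified form was accepted, 0 otherwise. */
int resolve_user(const char *domain, const char *sep, const char *user,
                 int strict, char *out, size_t outlen)
{
    char dom_user[256];
    const char *canon;

    snprintf(out, outlen, "%s", user);          /* default: plain user */
    snprintf(dom_user, sizeof(dom_user), "%s%s%s", domain, sep, user);

    canon = stub_getpwnam(dom_user);
    if (canon == NULL)
        return 0;
    if (strict && strcmp(canon, dom_user) != 0)
        return 0;                               /* "\jeff" != "jeff" */

    snprintf(out, outlen, "%s", dom_user);
    return 1;
}

int main(void)
{
    char name[256];
    int r = resolve_user("", "\\", "jeff", 0, name, sizeof(name));
    printf("loose:  %d %s\n", r, name);
    r = resolve_user("", "\\", "jeff", 1, name, sizeof(name));
    printf("strict: %d %s\n", r, name);
    return 0;
}
```

With the strict comparison an empty domain falls back to the plain user name, while a domain-qualified entry that the name service really holds (the constructed "MP\jeff") is still accepted.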



