Prepending "\" to user name w/Win98 Domain Login
Jeff Mandel
jeff.mandel at probes.com
Fri Aug 16 06:23:01 GMT 2002
I posted previously about samba prepending a "\" to the user name before
lookup. Logins fail when "\user" is looked up instead of "user." I think
there's a small bug in the username validation that reply.c makes. The
problem is most evident when NIS is in use.
reply.c 922-930
/* Work out who's who */
slprintf(dom_user, sizeof(dom_user) - 1,"%s%s%s",
dos_to_unix_static(domain), lp_winbind_separator(), user);
if (sys_getpwnam(dom_user) != NULL) {
pstrcpy(user, dom_user);
DEBUG(3,("Using unix username %s\n", dom_user));
}
This call supposedly validates the <domain>\<user> string.
On Solaris, with NIS a win98 box tries to connect to a samba PDC.
There's no domain name passed by the win98 client, but the setup for the
string is <domain><winbindseparator><user>.
There's no domain - the string is now <><\><user>
1) If there's no domain, why would a winbind separator do something useful?
2) The wacky thing here is that \user actually returns successful with NIS.
jeff at host% getent passwd jeff
jeff:x:6789:6789::/export/home/jeff:/bin/ksh
jeff at host% getent passwd \jeff
jeff:x:6789:6789::/export/home/jeff:/bin/ksh
3) The valadation doesn't really validate in this case since the value
used is not what the sytem returned: \jeff != jeff, but the check in
reply.c is only for != NULL. When this gets looked up the the samba
password db, failure is certain. There's no \jeff in the samba password
database.
sesssetupX:name=[JEFF]
[2002/08/11 12:21:44, 3] smbd/reply.c:reply_sesssetup_and_X(929)
Using unix username \JEFF
[2002/08/11 12:21:44, 2] smbd/reply.c:reply_sesssetup_and_X(982)
Defaulting to Lanman password for \jeff
[2002/08/11 12:21:44, 1] smbd/password.c:pass_check_smb(545)
Couldn't find user '\jeff' in passdb.
[2002/08/11 12:21:44, 1] smbd/reply.c:reply_sesssetup_and_X(998)
Rejecting user '\jeff': authentication failed
The end result of this situation is that users from win98 can not log in.
Changing if (sys_getpwnam(dom_user) != NULL) to
if (sys_getpwnam(dom_user) != NULL && strlen(domain) > 0 )
allows win98 to authenticate successfully, but doesn't really address
the validation problem.
4) When the client is win2k which passes a domain in, this code is
called to lookup getpwnam(<domain><sep><user>). Without some special
module, when would a unix system ever return a positive response to this
kind of lookup?
Compiling --without-winbind I see a failed lookup in the ldap logs for
filter="(&(objectclass=posixAccount)(uid=MP\\JEFF))" every time someone
logs in. This section adds overhead with extra lookups that are sure to
fail. Should it be relocated to a different section so that it's only
called when winbind is actually in use?
Thanks,
Jeff
More information about the samba-technical
mailing list