known BUG "multi-byte character set in usernames"

Juergen Hasch Hasch at t-online.de
Thu May 30 07:54:01 GMT 2002 

Hi Guenther,

Am Donnerstag, 30. Mai 2002 16:17 schrieb Guenther Deschner:
> hello,
>
> smb.conf-manpage of 2.2.5pre and HEAD states the bug of "multi-byte
> character sets in usernames":
>
> -----8<------------------snip--------------8<--------------
> BUG: There is currently a bug  in  the  implementation  of
>        security = domain with respect to multi-byte character set
>        usernames. The communication with a Domain Controller must
>        be  done  in  UNICODE  and  Samba currently does not widen
>        multi-byte user names to UNICODE correctly, thus a  multi-
>        byte  username  will  not  be  recognized correctly at the
>        Domain Controller. This  issue  will  be  addressed  in  a
>        future release.
> ----->8------------------snap-------------->8--------------
>
> will this bug be solved in the near future? in 2.2.5 or HEAD?
>
> the main problem with this is that you get crippled wellknown
> domain-groups with winbind (on suse linux 8, kernel 2.4.18, samba-2_2)
> and german NT-servers where rid200 (Domain Admins) is Domänen-Admins,
> and rid202 is Domänen-Gäste.
>
> now wbinfo -g cuts out the UTF8 chars and will show you e.g.
> DOMAIN+Domnen-Admins, DOMAIN+Domnen-Gste, etc.
>
> now you cannot set XFS-ACLs properly since neither DOMAIN+Domnen-Admins
> nor DOMAIN+Domänen-Admins does resolve back ...
>
> a simple (and ugly) workaround is to create the three domain-groups in
> question in /etc/group. with that you still have to keep an eye on the
> correct winbind-gid mapping and rid200 appears crippled in security tab.
>
> is there any other workaround for this?

I believe this is a different problem. There is just no conversion of group 
and user names to the desired character set.
With the patch below applied I get:
hasch at tower:~> getent group
...
DOMAIN\Domänen-Admins:x:10003:DOMAIN\Administrator,DOMAIN\testadmin
DOMAIN\Domänen-Gäste:x:10004:DOMAIN\Gast 
DOMAIN\Domänencomputer:x:10005:
DOMAIN\Domänencontroller:x:10006:
...

Now the correct usernames and groups are shown. I only added a few 
conversions, the correct approach would be to check all
unistr2_to_ascii calls and add dos_to_unix where neccessary.

I will generate a complete patch if the Samba team thinks it's worth
considering and I am not completely on the wrong track :-)

...Juergen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winbind_charset.patch
Type: text/x-diff
Size: 2938 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20020530/e0172478/winbind_charset.bin

More information about the samba-technical mailing list