Mapping workstation\user to domain\user incorrectly?
steven.danneman at isilon.com
Fri Sep 21 00:25:47 GMT 2007
I'm having an authentication problem in Samba 3.0.24 and have some
questions about an implementation decision.
Let me first explain my setup. I have a Win2K3 domain 2K3D, a Samba
server acting as a domain member, and a Win2K3 client in its own

    W2K3Client ----> Samba Domain Member ----> Win2K3 DC

There exists a domain user "testuser" and on the client machine there
exists a local user with the same name.
On the W2K3Client I am logged in as the local user W2K3Client\testuser
and I attempt to access a share on the Samba server using Windows
Explorer and the UNC path \\SambaDM\share.
Now I expect my default W2K3Client\testuser credentials to be used, fail
against the Samba server because W2K3Client is not recognized as a
trusted domain, and then be prompted for proper credentials by Windows
What actually happens is Samba realizes it can't recognize the
W2K3Client domain, changes the domain to that which it's a member of,
2K3D, then attempts to authenticate against the DC, but fails because
the password is incorrect. Furthermore the domain has a lockout
password policy after 5 bad attempts, which is met in a single UNC
I've traced this behavior to auth/auth.c:make_user_info_map() which
purposefully converts the domain with the comment:
/* do what win2k does. Always map unknown domains to our own
and let the "passdb backend" handle unknown users. */
I've attempted to recreate this myself using a Win2K server in place of
Samba with the same domain and client, but in those cases Win2K does not
change the given domain, but instead realizes that W2K3Client is not a
trusted domain and returns STATUS_TRUSTED_RELATIONSHIP_FAILURE.
Does anyone know/remember the configuration where a Win2K file server
will act this way? For the moment this seems like incorrect behavior to
me because of the local user/domain user conflict demonstrated.
Steven Danneman | Software Developer
Isilon Systems P +1-206-315-7500 F +1-206-315-7485
How breakthroughs begin.(tm)
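
The lockout consequence described in the post, as an added example that is not part of the original message and is not Samba's code: a small model of a member server that either maps an unknown domain to its own or rejects it, as the post reports seeing with STATUS_TRUSTED_RELATIONSHIP_FAILURE. All function names, the passwords, and the assumption that the client repeats the logon five times are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OUR_DOMAIN "2K3D"      /* domain the member server has joined */
#define LOCKOUT_THRESHOLD 5    /* lockout policy quoted in the post */

enum policy { MAP_UNKNOWN_TO_OWN, REJECT_UNKNOWN };
enum result { LOGON_OK, WRONG_PASSWORD, NO_SUCH_USER, TRUST_FAILURE, ACCOUNT_LOCKED };

/* Constructed stand-in for the DC's record of the domain account. */
struct dc_account { const char *user; const char *password; int bad_count; };

/* DC side: every wrong password for a real account counts toward lockout. */
static enum result dc_logon(struct dc_account *a, const char *domain,
                            const char *user, const char *pw) {
    if (strcmp(domain, OUR_DOMAIN) != 0 || strcmp(user, a->user) != 0)
        return NO_SUCH_USER;
    if (a->bad_count >= LOCKOUT_THRESHOLD) return ACCOUNT_LOCKED;
    if (strcmp(pw, a->password) == 0) { a->bad_count = 0; return LOGON_OK; }
    a->bad_count++;
    return WRONG_PASSWORD;
}

/* Member server side: decide what to do with a domain it does not know. */
static enum result member_logon(enum policy p, struct dc_account *a,
                                const char *domain, const char *user, const char *pw) {
    if (strcmp(domain, OUR_DOMAIN) != 0) {             /* model: no other trusts */
        if (p == REJECT_UNKNOWN) return TRUST_FAILURE; /* request never reaches the DC */
        domain = OUR_DOMAIN;                           /* the mapping described in the post */
    }
    return dc_logon(a, domain, user, pw);
}

/* Replay `attempts` logons as W2K3Client\testuser with the local password,
   then report what the real domain user gets with the correct password. */
enum result domain_user_after(enum policy p, int attempts, int *bad_count) {
    struct dc_account a = { "testuser", "domain-pw", 0 };  /* constructed values */
    for (int i = 0; i < attempts; i++)
        member_logon(p, &a, "W2K3Client", "testuser", "local-pw");
    *bad_count = a.bad_count;
    return member_logon(p, &a, OUR_DOMAIN, "testuser", "domain-pw");
}

int main(void) {
    int n;
    enum result r = domain_user_after(MAP_UNKNOWN_TO_OWN, 5, &n);
    printf("map:    bad_count=%d locked=%d\n", n, r == ACCOUNT_LOCKED);
    r = domain_user_after(REJECT_UNKNOWN, 5, &n);
    printf("reject: bad_count=%d locked=%d\n", n, r == ACCOUNT_LOCKED);
    return 0;
}
```

With the mapping policy the local user's failed logons are charged to the domain account of the same name; with the rejecting policy the DC never sees them.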