Mapping workstation\user to domain\user incorrectly?

Steven Danneman steven.danneman at isilon.com
Fri Sep 21 00:25:47 GMT 2007


Hello All,

I'm having an authentication problem in Samba 3.0.24 and have some
questions about an implementation decision.

Let me first explain my setup.  I have a Win2K3 domain 2K3D, a Samba
server acting as a domain member, and a Win2K3 client in its own
workgroup.  

W2K3Client ----> Samba Domain Member ----> Win2K3 DC

There exists a domain user "testuser" and on the client machine there
exists a local user with the same name.

On the W2K3Client I am logged in as the local user W2K3Client\testuser
and I attempt to access a share on the Samba server using Windows
Explorer and the UNC path \\SambaDM\share.

Now I expect my default W2K3Client\testuser credentials to be used, fail
against the Samba server because W2K3Client is not recognized as a
trusted domain, and then be prompted for proper credentials by Windows
Explorer. 

What actually happens is Samba realizes it can't recognize the
W2K3Client domain, changes the domain to that which it's a member of,
2K3D, then attempts to authenticate against the DC, but fails because
the password is incorrect.  Furthermore the domain has a lockout
password policy after 5 bad attempts, which is met in a single UNC
access attempt.

I've traced this behavior to auth/auth.c:make_user_info_map() which
purposefully converts the domain with the comment:

/* do what win2k does.  Always map unknown domains to our own
   and let the "passdb backend" handle unknown users. */

I've attempted to recreate this myself using a Win2K server in place of
Samba with the same domain and client, but in those cases Win2K does not
change the given domain, but instead realizes that W2K3Client is not a
trusted domain and returns STATUS_TRUSTED_RELATIONSHIP_FAILURE. 

Does anyone know/remember the configuration where a Win2K file server
will act this way?  For the moment this seems like incorrect behavior to
me because of the local user/domain user conflict demonstrated.

Thanks,

Steven Danneman |  Software Developer
Isilon Systems    P +1-206-315-7500    F +1-206-315-7485
www.isilon.com    

How breakthroughs begin.(tm)
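
An added illustration, not part of the original post and not Samba's code: a toy C model of the two behaviours the message contrasts, mapping an unknown client domain to the server's own domain versus refusing it, and the bad-password count each one charges to the domain account. All function names, the passwords, and the number of client retries passed in are assumptions; the domain names and the lockout threshold of 5 come from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define OWN_DOMAIN "2K3D"      /* domain the member server joined (from the post) */
#define LOCKOUT_THRESHOLD 5    /* bad attempts before lockout (from the post) */
/* Hypothetical names throughout; passwords below are constructed sample values. */
enum policy { MAP_UNKNOWN_TO_OWN, REJECT_UNKNOWN };
struct account { const char *user, *password; int bad_count, locked; };

static int same_name(const char *a, const char *b)   /* case-insensitive equality */
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == *b;
}

/* Domain the server authenticates against, or NULL when the logon is refused. */
static const char *map_domain(const char *client_domain, enum policy p)
{
    if (same_name(client_domain, OWN_DOMAIN)) return OWN_DOMAIN;
    return p == MAP_UNKNOWN_TO_OWN ? OWN_DOMAIN : NULL;
}

/* Toy DC holding one OWN_DOMAIN account: 1 = success, 0 = failure. */
static int dc_logon(struct account *a, const char *user, const char *pw)
{
    if (a->locked || !same_name(a->user, user)) return 0;
    if (strcmp(a->password, pw) == 0) { a->bad_count = 0; return 1; }
    if (++a->bad_count >= LOCKOUT_THRESHOLD) a->locked = 1;
    return 0;
}

/* Replays `attempts` logons of the local testuser; returns bad count on the domain account. */
int simulate_access(enum policy p, int attempts, int *locked)
{
    struct account acct = { "testuser", "domain-pw", 0, 0 };
    for (int i = 0; i < attempts; i++)
        if (map_domain("W2K3Client", p) != NULL)
            dc_logon(&acct, "testuser", "local-pw");
    *locked = acct.locked;
    return acct.bad_count;
}

int main(void)
{
    int locked, bad = simulate_access(MAP_UNKNOWN_TO_OWN, 5, &locked);
    printf("map to own domain: bad_count=%d locked=%d\n", bad, locked);
    bad = simulate_access(REJECT_UNKNOWN, 5, &locked);
    printf("reject unknown:    bad_count=%d locked=%d\n", bad, locked);
}
```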

