The bloomin' Irish

Andrew Bartlett abartlet at pcug.org.au
Thu Dec 6 00:59:38 GMT 2001


"Lightfoot.Michael" wrote:
> 
> Let me first apologise for asking on two lists, but this problem is (of
> course) urgent because prior to this afternoon I was unaware of the problem
> and it has been affecting production users for two days despite me having
> warned everyone that they should be looking out for possible Samba problems!
> 
> I have just upgraded most of our samba servers from 1.9.18 (various patch
> levels) to 2.2.2 on Solaris 8 and Solaris 2.6.  This was forced by an
> upgrade of the Windoze password server from NT4 to Win2K.  Patch levels of
> 1.9.18 prior to (about) 10 would not work with the new server.  Patch level
> 10 does, luckily and remains on a system about to be retired.
> 
> We now have another problem.  Our users.map file contains a few Irish
> characters with apostrophes in their NT login names (e.g. O'Nerk.Fred) which
> are all of the format lastname.firstname.
> 
> When these users now try to attach to a share the name get mangled by samba,
> changing the apostrophe to an underscore (ie o_nerk.fred) as well as the
> ussual case mangling and this results in a login failure.  On the 1.9.18p10
> system no such mangling occurs.

The lowercasing is becouse the name didn't map, so it got caught up in
the normal samba 'attempt to find matching unix user' process...

> I have searched archives of both lists and found only one entry about 18
> months ago where someone asked if this would work.  I have also searched
> most of the docos and not found a solution.

Unfortunetly the only reference is an obscure line in the WHATSNEW.TXT
and the cvs commit message.  None of which would have attracted your
attention...
 
> Does anyone on the lists have the (probably bleeding obvious) answer?
> Relevant smb.conf entries (this file wasn't changed between versions and
> passes testparm on 2.2.2 except mysteriously for "share modes".)
> 
>   workgroup = COMCARE
>   security = server
>   password server = act-primary
>   encrypt passwords = yes
>   wins server = act-secondary
>   username map = /usr/local/samba/lib/users.map
>   domain master = no
>   local master = no
> 
> Michael Lightfoot
> SysIX Unix Systems Consulting
> 02 6258 8185
> michael.lightfoot at canb.auug.org.au

It looks like you have hit some Samba parinoia on user-supplied inputs.

The following snippit in reply.c:sesssetup_and_X() caused your problem:

  /* don't allow strange characters in usernames or domains */
  alpha_strcpy(user, user, ". _-$", sizeof(user));
  alpha_strcpy(domain, domain, ". _-", sizeof(domain));
  if (strstr(user, "..") || strstr(domain,"..")) {
	  return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw);
  }


This patch should fix it tempoarily - but don't use %U in your smb.conf,
becouse the ' could (potentially, possibly) cause problems.

Index: reply.c
===================================================================
RCS file: /data/cvs/samba/source/smbd/reply.c,v
retrieving revision 1.240.2.72
diff -u -r1.240.2.72 reply.c
--- reply.c	20 Oct 2001 21:23:51 -0000	1.240.2.72
+++ reply.c	6 Dec 2001 08:48:23 -0000
@@ -856,7 +856,7 @@
   }
 
   /* don't allow strange characters in usernames or domains */
-  alpha_strcpy(user, user, ". _-$", sizeof(user));
+  alpha_strcpy(user, user, ". _-$'", sizeof(user));
   alpha_strcpy(domain, domain, ". _-", sizeof(domain));
   if (strstr(user, "..") || strstr(domain,"..")) {
 	  return ERROR_BOTH(NT_STATUS_LOGON_FAILURE,ERRSRV,ERRbadpw);

In the long term, I'll see if we can arrange for usernames to be used
unchanged within samba - except for the %U substituions - to avoid this
in future (this is a larger change, and will require significantly more
testing).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net




More information about the samba mailing list