[Samba] "@" doesn't work in the NT domain name
abartlet at samba.org
Sat Sep 21 13:40:01 GMT 2002
Gerald Carter wrote:
> On Thu, 19 Sep 2002 dave.andruczyk at valeo.com wrote:
> > I am part of a large worldwide Active Directory and all of our individual
> > site NT domain names have an ampersand symbol in them
> > (for example: VWS at ROCHESTER) Samba 2.2.6pre2 and older won't join this
> > domain name, or allow connections to it from users in this domain. The
> > logs state that the domain name is "VWS_ROCHESTER", the code is squashing
> > the @ to an _ causing all authentification attempts to fail. Since we are
> > migrating to this domain, all of our samba servers will NOT function for
> > users connecting from the AD domains due to the domain-name mangling.
> > I was told this was done as part of a security audit to the samba code, but
> > it breaks compatibility in a major way. Ampersands are VALID in a netbios
> > domain name, just not in a machine name (AFAIK), but samba doesn't comply
> > in this regard. Since changing the netbios domain names of our win2k
> > domains is not possible, I need a fix ASAP. Any suggestions?
> grrr... I hate that alpha_strcpy() code. I'll get you a fix today.
> Can you send me a level 10 debug log of the failure?
It also catches people with names like O'Reilly (often used with
username map). The issue is fixing this while keeping a lit on the %U
macro games - particulary with things like 'security=server' and 'add
user script' etc.
In Samba HEAD we come much closer to being able to have a 'safe'
username for %U etc, and an 'unsafe' name for internal use. Most of the
work remaining is a good code audit...
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba