[Samba] Winbind separator char causing make_server_info_from_pw

malk at sidehack.sat.gweep.net malk at sidehack.sat.gweep.net
Tue Dec 14 17:21:21 GMT 2004 

As I described below, the only config change I made was to remove
my setting for winbind separator char so it would default back to
"\" instead of the "-" I was using.  Then all of the 
make_server_info_from_pw failed errors went away.

Another user on the list was having the same issue and he's going
to test to see if it fixes his setup.  His separator is a "+" and
he's going to simply remove the one line for winbind separator
char in his config (posting back on november 18th or so on the
list)

The same config on 3.0.2 says "connect to service debian-mirror
initially as user emalkowski" and no errors in the log.

On 3.0.8 as shown below, it says "connect to service debian-mirror
initially as user VIASAT-emalkowski" and then I get tons of 
make_server_info_from_pw failed errors browsing around the share.

By not setting winbind separator char to "-" in smb.conf
(verified w/ testparm -v that winbind separator went back to
default of "\", I get "connect to service debian-mirror initially
as user VIASAT\emalkowski" and no more make_server_info_from_pw
failed errors.

Also -- how could it be some other configuration change when the
only config I changed was to stop overriding winbind separator
char?  Seems pretty obvious to me my single line change to smb.conf
fixed the problem and clearly since it changed from VIASAT-emalkowski
to VIASAT\emalkowski and the problem went away, it's the correct
fix.  Also -- on 3.0.2, separator char doesn't introduce issues
because the domain and separator aren't included -- just the plain
username in the "connect to service debian-mirror initially as
user emalkowski".

Do you still want more proof?  If so I can go back to 3.0.2 and
forward to 3.0.8 and include all logs and smb.conf -- it's pretty
easy to reproduce.

Or -- to see it yourself, on a box that's an ADS domain member of
a Windows server 2003 domain, set the winbind separtor to something
other than "\" and browse some shares (you must have winbind of 
course supplying your pw entries and winbind in /etc/nsswitch.conf).
and enjoy the spew of annoying make_server_info_from_pw failed
errors when windows dislikes names like DOMAIN+username or
DOMAIN-username instead of DOMAIN\username...

-E

> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> malk at sidehack.sat.gweep.net wrote:
> 
> | In 3.0.8, users connections would have the domain
> | and separator char for spnego kerberos replies and
> | if the separator is something other than
> | the default of \, it will cause errors like this:
> 
> 
> I don't think this is correct.  Your statement about the
> winbind separator.  If you can prove to me that it was
> the separator character causing your problems, then we'll
> fix it.  I think that you likely had some other configuration
> error.
> 
> I'll gladly change my mind if you help me find such a bug
> in our code.
> 
> 
> 
> 
> 
> cheers, jerry
> |
> | [2004/12/13 17:44:21, 1] smbd/service.c:make_connection_snum(648)
> |   192.168.171.131 (192.168.171.131) connect to service debian-mirror
> initially as user VIASAT-emalkowski (uid=10356, gid=10000) (pid 11519)
> | [2004/12/13 17:44:22, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
> |   make_server_info_from_pw failed!
> | [2004/12/13 17:44:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
> |   make_server_info_from_pw failed!
> | [2004/12/13 17:44:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
> |   make_server_info_from_pw failed!
> | [2004/12/13 17:44:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
> |   make_server_info_from_pw failed!
> | [2004/12/13 17:44:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(265)
> |   make_server_info_from_pw failed!
> |
> |
> | It seems the VIASAT-emalkowski is confusing windows -- it would rather see
> | VIASAT\emalkowski.
> |
> | Anyway -- I simply removed my winbind separator char override from
> smb.conf
> | as I use "winbind use default domain = yes" anyway making the separator
> | setting a relic from the days I had DOMAIN-usernames in the pw entries
> winbind
> | provided.
> |
> | Perhaps a note in the documentation might be a good idea to warn the user
> | about changing the winbind separator char from "\" and how it could cause
> | errors like above since the separator is affecting what gets sent back
> | as the username to a windows domain controller and anything other than "\"
> | will seems to cause havoc.
> |
> | Hope this post will help anyone having similar problems ... this one
> | didn't seem too obvious to me until I noticed the DOMAIN-username in
> the logs
> | on 3.0.8, but only username in the logs on 3.0.2.  Once DOMAIN\username
> | was in the logs, all was well.
> |
> | -Eric Malkowski
> 
> 
> - --
> - ---------------------------------------------------------------------
> Alleviating the pain of Windows(tm)      ------- http://www.samba.org
> GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song"--Switchfoot (2003)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> 
> iD8DBQFBvmsGIR7qMdg1EfYRAmZPAKDBhVZYU6p2MozFMwyeZt3AzlFmfwCgipY0
> Xvvk9YkC8m2t1X5+Prla7Q0=
> =+kdA
> -----END PGP SIGNATURE-----
>

More information about the samba mailing list