[Samba] winbind and case sensitivity

[Brian J. Murrell]

On Tue, 2004-02-10 at 06:32, Andrew Bartlett wrote:
> On Tue, 2004-02-03 at 23:12, Brian J. Murrell wrote:
> 
> I don't know for sure, but that is how I would expect it to work.

Me too, which is why the users would be instructed that they must use
all lowercase when they type their account in, which I suspect is what
they do anyway.

> > But the problem then is that when the PDC returns usernames in the
> > format "Firstname" (first letter capped), and they log in with
> > "firstname", there is no matching account.  

What I mean by "PDC returns", is for example the output of a getent
passwd.  There are two things that winbind does for providing
authentication systems for a mail system.

Of course, it verifies a username/password pair with an yes/no type
answer and for that I suppose it does not matter what the case mixture
of the username is.

However it also provides "getent passwd" type support so that an MTA
(like Postfix) can query for the "existence" of a user (for determining
if mail should be accepted or rejected) when an e-mail arrives for
<a_user>@<domain>.  It is this latter function that is being fouled up
by mixed case usernames.

To follow an example of where this is a problem, we have a user in the
NT PDC as "Brian".  An e-mail arrives for "brian at example.com".  First
Postfix uses (the C library equivalent of) "getent" to get a list of
users in the passwd database (of which it gets NT PDC users as well) and
sees if "brian" is one of them.  It is not.  The getent function
returned "Brian" from the NT PDC.  Reject mail as "no such account
here".

If the getent function returned data from the NT PDC in lowercase this
would not be a failure and the mail would be accepted and given off to
Cyrus to deliver.  Because we can force Cyrus to convert the recipient
name to lowercase, we can control the case of the mailboxes.

> There is a matching account, but not a matching IMAP folder.  I'm
> assuming this is what you mean anyway...

Well there is this problem too, but this is solved by either educating
the users to always enter their usernames in lowercase, or perhaps by
using a PAM module/option which converts what they enter as a username
into lowercase before doing anything else.

> Samba

Are you using Samba as a generic term encompassing winbind services?  My
issues only relate to getting information from winbind.

> will answer to any username, and will return the user-name
> *either* per the NT database, or as the user sent it (depending on the
> backend).  I would accept a patch that made samba 'forced' to lower
> case.  (It would lowercase all output, and force all input to be in
> lower case).

Well, it seems to me that forcing anything to lowercase in the case of
winbind is only really relevant for the function(s) that answer queries
to enumerate the database entries (getpwent for example).

> Samba never gives information to PAM, only 'yes/no' on the password.  It
> does return information to nss_ldap however.

Winbind does return data to getpwent type queries, and it's the username
in this data being mixed case that is the problem.

I'm not advocating the folding of case anywhere else in the Samba
project at this point except for winbind returning data to getpwent type
queries.

> In some ways it is, but the main issue is in what users enter in logon
> boxes...

Yes, that is one issue, and it can be solved with education or other
intervening technology (like PAM) but winbind still needs to have an
option to force lowercase when returning data to "pwent" queries.

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040210/1aa8a8a8/attachment.bin