[Samba] (retry) 3.0.7: username map doesn't work with security=ADS
hakehoe at avalon.net
Fri Oct 8 16:03:55 GMT 2004
-----BEGIN PGP SIGNED MESSAGE-----
(OK, my first message got mangled because of the attachments, so I'm
I've got a samba 3 box that's part of an AD domain. It works correctly
for most users; but there was a problem where certain users couldn't
connect. We'd get a log message that looks like this:
Username SAMPLE.COM\pcuser is invalid on this system
It turns out that the users who could not connect are those who have a
different unix username then their AD username. Even though I have a
username map file set up, samba didn't seem to be using it.
This bug appeared somewhere between 3.0.2a and 3.0.6. When we were on
3.0.2a, the username map worked.
I looked at the code, and found a problem in smbd/sesssetup.c:
reply_spnego_kerberos() calls map_username() with "DOMAIN\username"
but map_username() expects the username without the domain.
So, as a workaround, I could change my usermap file to include the
domain with the usernames; e.g.,
unixuser = pcuser SAMPLE.COM\pcuser
but that's kind of clunky. So instead I created a patch for
source/smbd/sesssetup.c, which I put here:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
-----END PGP SIGNATURE-----
More information about the samba