[Samba] (retry) 3.0.7: username map doesn't work with security=ADS

Heath Kehoe hakehoe at avalon.net
Fri Oct 8 16:03:55 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(OK, my first message got mangled because of the attachments, so I'm 
reposting)

I've got a samba 3 box that's part of an AD domain.  It works correctly
for most users; but there was a problem where certain users couldn't
connect.  We'd get a log message that looks like this:

Username SAMPLE.COM\pcuser is invalid on this system

It turns out that the users who could not connect are those who have a
different unix username than their AD username.  Even though I have a
username map file set up, samba didn't seem to be using it.

This bug appeared somewhere between 3.0.2a and 3.0.6.  When we were on
3.0.2a, the username map worked.

I looked at the code, and found a problem in smbd/sesssetup.c:
reply_spnego_kerberos() calls map_username() with "DOMAIN\username"
but map_username() expects the username without the domain.

So, as a workaround, I could change my usermap file to include the
domain with the usernames; e.g.,

unixuser = pcuser SAMPLE.COM\pcuser

but that's kind of clunky.  So instead I created a patch for
source/smbd/sesssetup.c, which I put here:

http://www.avalon.net/~hakehoe/diff1.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBZrp64uXPAG0A1J4RAoNFAJwMH1iAArYJA6RIDIECNIIsgl6q+ACcCtcK
c1R0Xg1ureKLzMobLB4P+sE=
=ghP7
-----END PGP SIGNATURE-----
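
An added example, not part of the original post and not Samba's code: a simplified username-map lookup in C showing why a map keyed on bare names misses the "DOMAIN\user" string that the post says reply_spnego_kerberos() passes to map_username(). The names map_lookup, resolve and own_domain, the sample map, and the rule of stripping only the server's own domain are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample map in the "unixuser = clientname ..." form shown in the post. */
const char SAMPLE_MAP[] =
    "# constructed sample\n"
    "unixuser = pcuser\n"
    "jdoe = john.doe jd\n";

/* Case-insensitive compare of the n-byte token t with the string s. */
static int tok_eq(const char *t, size_t n, const char *s)
{
    if (strlen(s) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)t[i]) != tolower((unsigned char)s[i])) return 0;
    return 1;
}

/* Simplified lookup: first matching line wins; '!', '@group' and '*' are not handled.
 * Returns 1 and copies the unix name to out when client is listed after the '='. */
int map_lookup(const char *map, const char *client, char *out, size_t outlen)
{
    for (const char *line = map; *line; line += (*line == '\n')) {
        size_t len = strcspn(line, "\n"), ulen = strcspn(line, " \t=\n");
        const char *eq = memchr(line, '=', len), *end = line + len;
        int usable = eq && ulen && *line != '#' && *line != ';';
        for (const char *p = usable ? eq + 1 : end; p < end; ) {
            p += strspn(p, " \t");
            size_t n = strcspn(p, " \t\n");
            if (n && tok_eq(p, n, client)) {
                snprintf(out, outlen, "%.*s", (int)ulen, line);
                return 1;
            }
            p += n;
        }
        line = end;
    }
    return 0;
}

/* Hypothetical resolver for a "DOMAIN\user" name: try the qualified form first (the
 * post's workaround entry), then the bare name, but only for own_domain so that a
 * same-named account from another domain does not inherit the mapping (assumption). */
int resolve(const char *map, const char *name, const char *own_domain, char *out, size_t outlen)
{
    if (map_lookup(map, name, out, outlen)) return 1;
    const char *sep = strrchr(name, '\\');
    if (!sep || !tok_eq(name, (size_t)(sep - name), own_domain)) return 0;
    return map_lookup(map, sep + 1, out, outlen);
}
```

With the sample map, map_lookup() fails for "SAMPLE.COM\pcuser" and succeeds for "pcuser", which is the mismatch the post describes; resolve() accepts both forms for the server's own domain only.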


