map_username() inconsistencies [was Re: [Samba] Re: ADS valid users can't map share]

Gerald (Jerry) Carter jerry at
Thu Oct 21 02:21:09 GMT 2004

I've done some more digging and the username map stuff is a little
worse than I initially thought.

(a) when 'security = user', the username map is applied before
    the password is checked.
(b) when 'security = ads', the username map is applied to 
    fully qualified names (domain\user) after the krb5 ticket
    is checked.  (see the next comment for NTLM).
(c) when 'security = domain' (or NTLM auth for ADS security),
    the username map is applied to the login name only.  The original
    domain\user is still authenticated but the UNIX identity
    is looked up in the username map.

So I guess that the cleanest way to fix this is to apply the username
map before checking authentication when validating users locally
and apply it after authentication for domain users (krb5 & ntlm).

How do people feel about this?

cheers, jerry
----------------------------------------------------------------------
Alleviating the pain of Windows(tm)      -------
GnuPG Key                ----- 
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
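
The three orderings (a), (b) and (c) from the message above, as an added example that is not part of the original post and is not Samba source code. It is a simplified model: the map entries, account names and password are constructed, the parser ignores the '!', '@group' and '*' features of a real username map, and for (b) and (c) the Kerberos/NTLM check is assumed to have already succeeded.

```python
# Constructed username map in "unix_name = client_name ..." form.
USERNAME_MAP = """\
# unix_name = client_name [client_name ...]
alice = EXAMPLE\\asmith
bob = rjones
"""

def parse_map(text):
    """Return {lowercased client name: unix name} (simplified parser)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, clients = line.split("=", 1)
        for client in clients.split():
            table.setdefault(client.lower(), unix.strip())
    return table

def security_user(login, password, umap, local_passwords):
    # (a) map first, then check the password of the *mapped* account.
    name = umap.get(login.lower(), login)
    if local_passwords.get(name) != password:
        return None
    return {"authenticated_as": name, "unix_identity": name}

def security_ads_krb5(principal, umap):
    # (b) ticket already verified for domain\user; the map is then
    # consulted with the fully qualified name.
    return {"authenticated_as": principal,
            "unix_identity": umap.get(principal.lower(), principal)}

def security_domain_ntlm(domain, user, umap):
    # (c) domain\user is what gets authenticated, but the map is
    # consulted with the bare login name only.
    return {"authenticated_as": f"{domain}\\{user}",
            "unix_identity": umap.get(user.lower(), user)}

if __name__ == "__main__":
    m = parse_map(USERNAME_MAP)
    # The same map file matches different entries depending on the mode.
    print("krb5 asmith:", security_ads_krb5("EXAMPLE\\asmith", m))
    print("ntlm asmith:", security_domain_ntlm("EXAMPLE", "asmith", m))
    print("krb5 rjones:", security_ads_krb5("EXAMPLE\\rjones", m))
    print("ntlm rjones:", security_domain_ntlm("EXAMPLE", "rjones", m))
    print("user rjones:", security_user("rjones", "pw-bob", m, {"bob": "pw-bob"}))
```

In this model the 'EXAMPLE\asmith' entry only takes effect under (b) and the bare 'rjones' entry only under (a) and (c), which is the inconsistency the message describes.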