map_username() inconsistencies [was Re: [Samba] Re: ADS valid users can't map share]

Luke Mewburn luke at mewburn.net
Thu Oct 21 05:20:44 GMT 2004 

On Wed, Oct 20, 2004 at 09:21:09PM -0500, Gerald (Jerry) Carter wrote:
  | I've done some more digging and the username map stuff is a little
  | worse than I initially thought.
  | 
  | (a) when 'security = user', the username map is applied before 
  |     the password is checked is checked.
  | (b) when 'security = ads', the username map is applied to 
  |     fully qualified names (domain\user) after the krb5 ticket
  |     is checked.  (see the next comment for NTLM).
  | (c) when 'security = domain' (or NTLM auth for ADS security),
  |     the username map is applied to the login name only.  The original
  |     domain\user is still authenticated but the UNIX identify
  |     is looked up in the username map.
  | 
  | So I guess that the cleanest way to fix this is to apply the username
  | map before checking authentication when validating user locally 
  | and apply it after authentication for domain users (krb5 & ntlm).
  | 
  | How do people feel about this?

We need to fix it and document that security={domain,ads} requires
the leading "DOMAIN\" in `username map' and `admin users';
I got bitten by this recently (trying to map "DOMAIN\administrator"
to root AKA uid==0).

There's a related issue though.  Right now, it's hard to support:
	* ADS for authentication
	* NIS for username<->UID mapping (or another nsswitch.conf source)
	* winbindd for IDmap faked UIDs as a fallback for people not in NIS.
	* nsswitch.conf  passwd: files nis winbind
because it appears that smbd looks up DOMAIN\user, gets a miss in NIS
(via getpwnam(3)) and then winbindd fakes up a UID _before_ smbd gets a
chance to try getpwnam(3) on the name with the leading "DOMAIN\"
stripped.  Is there a workaround for this configuration?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20041021/3582b360/attachment.bin

More information about the samba mailing list