[Samba] Username.map works in 2.2.8a, doesn't work in 3.0.14a - SOLVED

Eric Boehm boehm at nortel.com
Mon Aug 29 14:48:06 GMT 2005


On Wed, Aug 24, 2005 at 03:26:23PM -0400, Boehm, Eric [GWRTP:CM21:EXCH] wrote:
>>>>> "Eric" == Boehm, Eric [GWRTP:CM21:EXCH] <Boehm> writes:

    Eric> I'm a bit puzzled. I am able to map an account without any
    Eric> problem on Samba 2.2.8a (security=domain). However, access
    Eric> fails with Samba 3.0.14a when everything else is the same
    Eric> (same configuration files).

    Eric> Any advice as to the cause of the problems (and its
    Eric> solution) would be appreciated.

I'll follow up and answer my own question. The problem is that I
didn't understand the release notes for 3.0.8:

  ======================
  Change in Username Map
  ======================

  Previous Samba releases would only support reading the fully qualified
  username (e.g. DOMAIN\user) from the username map when performing a
  kerberos login from a client.  However, when looking up a map
  entry for a user authenticated by NTLM[SSP], only the login name would be
  used for matches.  This resulted in inconsistent behavior sometimes
  even on the same server.

  Samba 3.0.8 obeys the following rules when applying the username
  map functionality:

    * When performing local authentication, the username map is
      applied to the login name before attempting to authenticate
      the connection.
    * When relying upon an external domain controller for validating
      authentication requests, smbd will apply the username map
      to the fully qualified username (i.e. DOMAIN\user) only
      after the user has been successfully authenticated.

Previously, I had used

unix_user = windows_user

After reading the notes above, I tried

DOMAIN\unix_user = windows_user

I should have used (and this did work)

unix_user = DOMAIN\windows_user

-- 
Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm at nortel.com               \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
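
The lookup rules quoted in the message above, as an added Python model that is not part of the original post and is not Samba's code. It assumes single-token names, case-insensitive matching and first-match-wins, and its `pre_308` flag models only the older NTLM[SSP] behaviour; the function names are hypothetical.

```python
# Added illustration: a simplified model of username map lookup, not Samba source.
# Assumptions: one-token names, case-insensitive match, first matching line wins;
# the '!', '*' and '@group' syntax of real map files is not modelled.

def parse_map(text):
    """Parse 'unix_name = client1 client2 ...' lines into (unix, [clients])."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, _, clients = line.partition("=")
        entries.append((unix.strip(), clients.split()))
    return entries

def lookup_key(login, domain, external_dc, pre_308=False):
    """Name the map is searched for, per the 3.0.8 release notes quoted above."""
    if external_dc and not pre_308:
        return domain + "\\" + login  # fully qualified, applied after authentication
    return login  # local auth, or the older NTLM[SSP] behaviour

def map_user(map_text, login, domain, external_dc, pre_308=False):
    """Return the mapped UNIX name, or None when no line matches."""
    key = lookup_key(login, domain, external_dc, pre_308).casefold()
    for unix, clients in parse_map(map_text):
        if any(c.casefold() == key for c in clients):
            return unix
    return None

# The three map lines from the post (constructed sample values).
MAPS = {
    "original": r"unix_user = windows_user",
    "first try": r"DOMAIN\unix_user = windows_user",
    "working": r"unix_user = DOMAIN\windows_user",
}

if __name__ == "__main__":
    for label, text in MAPS.items():
        old = map_user(text, "windows_user", "DOMAIN", True, pre_308=True)
        new = map_user(text, "windows_user", "DOMAIN", True)
        print(f"{label:10} pre-3.0.8: {old!s:18} 3.0.8+: {new}")
```

Run against a copy of a real map file, the same comparison shows which entries stop matching after an upgrade to 3.0.8 or later with a domain controller doing the authentication.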

