[Samba] 3.0.20 usermap script execution

Montenegro, Michael H (Michael) mhm4 at lucent.com
Wed Jan 4 23:11:45 GMT 2006


Thanks for your reply Jerry.
After reviewing the code, it seems like samba is sending both the unqualified name as well as the fully qualified name to address backwards compatibility.  Looking at the release notes from 3.0.8, I see that development decided to "only support reading the fully qualified username" for consistency with Kerberos. Therefore, user.maps should contain unix login to fully qualified user name mappings only.  I believe if the code was changed to only pass the fully qualified username to the username map script, it should not affect any functionality since the user.map is already being forced to be in the fully qualified domain format.

Michael Montenegro

P.S. "canonicalize" sounds made up. :^)


lib/username.c
/*******************************************************************
 Map a username from a dos name to a unix name by looking in the username
 map. Note that this modifies the name in place.
 This is the main function that should be called *once* on
 any incoming or new username - in order to canonicalize the name.
 This is being done to de-couple the case conversions from the user mapping
 function. Previously, the map_username was being called
 every time Get_Pwnam was called.
 Returns True if username was changed, false otherwise.
********************************************************************/

Samba 3.0.8 release notes:
======================
Change in Username Map
======================

Previous Samba releases would only support reading the fully qualified 
username (e.g. DOMAIN\user) from the username map when performing a 
kerberos login from a client.  However, when looking up a map 
entry for a user authenticated by NTLM[SSP], only the login name would be
used for matches.  This resulted in inconsistent behavior sometimes
even on the same server.

Samba 3.0.8 obeys the following rules when applying the username
map functionality:

  * When performing local authentication, the username map is 
    applied to the login name before attempting to authenticate 
    the connection.
  * When relying upon a external domain controller for validating
    authentication requests, smbd will apply the username map 
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated.
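A username map script written to follow the 3.0.8 rule above, as an added example that is neither Michael's mapusers.bash nor Samba's own code: it maps only the fully qualified DOMAIN\user form and refuses the bare login name smbd may also pass, so a login name that exists in two domains (constructed sample data) cannot be mapped to the wrong unix account. The map contents, domain names, the map file path and the `map_name` function are constructed for this example.

```shell
#!/bin/sh
# Constructed example: a "username map script" that only honours the
# fully qualified DOMAIN\user form. Samba invokes the script with the
# incoming name as its single argument and reads the unix login from stdout.

# Constructed map data, one "DOMAIN\user unixlogin" pair per line; a real
# script would read this from a file such as /etc/samba/user.map (hypothetical).
USERMAP_DATA='EXAMPLE\jdoe jdoe
EXAMPLE\alice.smith asmith
OTHERDOM\jdoe jdoe-otherdom'

# map_name NAME: prints the unix login for DOMAIN\user and returns 0.
# A bare login name (no backslash) is refused, not guessed at, so the
# unqualified lookup smbd performs first cannot collapse EXAMPLE\jdoe and
# OTHERDOM\jdoe onto the same account. Returns 1 when nothing is mapped.
map_name() {
    case $1 in
        *\\*) ;;            # contains a backslash: treat as DOMAIN\user
        *)    return 1 ;;   # bare login name: no mapping, no output
    esac
    # Pass the name through the environment rather than awk -v: -v applies
    # escape processing and would mangle the backslash in DOMAIN\user.
    # Windows names are case-insensitive, so compare in lower case.
    printf '%s\n' "$USERMAP_DATA" | WANT="$1" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]) }
        NF == 2 && tolower($1) == want { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# When run by smbd the name arrives as $1; with no argument do nothing.
if [ $# -gt 0 ]; then
    map_name "$1"
fi
```

In this example an unmapped name produces no output and a non-zero return, so the two calls Michael observed (bare handle, then DOMAIN\handle) yield a mapping only on the second.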




 -----Original Message-----
From: 	Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent:	Wednesday, January 04, 2006 3:13 PM
To:	Montenegro, Michael H (Michael)
Cc:	'samba at lists.samba.org'
Subject:	Re: [Samba] 3.0.20 usermap script execution


Montenegro, Michael H (Michael) wrote:
> I have created a mapusers.bash script (listed below) for 
> mapping Active Directory handles to unix logins.  This
> script is currently working as documented.  I would like
> some insight into how and when this script gets called.  I
> assumed that upon establishing each samba connection, after
> the active directory handle gets authenticated with the domain
> controller it passes the domain\handle to this script to
> determine the unix login to use.  However, it seems to
> execute this script multiple times to establish a connection.
> I have tested this out by clearing the cache using nbtstat
> -R on the client and running smbstatus -u username and
> killing the procids then reconnecting.  Samba consistently
> will pass just the active directory handle without the
> domain first which succeeds because my script will find the
> correct unix login to map to without the domain.  Immediately
> after, Samba will pass the script the domain\handle which will
> also succeed. Why is this?

grep for map_username() in the samba source tree.  Every time
that function gets called, your script will be called, assuming
smbd is trying to map a new name.  Samba has to jump through a
lot of hoops when it comes to usernames, which is why it
frequently tries to look up the unqualified name as well as the
fully qualified version.


cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"There's an anonymous coward in all of us."               --anonymous

