[Samba] User Administrator (and only it) access denied on member server

Alex Wakizashi alex at wakizashi.info
Sun Oct 27 07:59:04 MDT 2013


Hello,

2013/10/27 steve <steve at steve-ss.com>:

>> Why, for "Administrator", is it looking for "SAMBA\Administrator" rather
>> than "Administrator", while for other accounts it's working correctly?
> Do you want the domain admin to be root of the linux member?
No, and I have even changed its UID later.
Just after a clean install, user "Administrator" has UID=0 - both
through winbind and nslcd.
So, "<DOMAIN>\Administrator" is equal to Linux "root" by default (which,
IMHO, is wrong - who would ever trust Windows administrators? ;-) ).

But the problem still exists - when connecting as domain user
"Administrator", Samba tries to start the process as user
"<DOMAIN_NAME>\Administrator", while all other users are treated
normally.
It seems to be some hardcoded buggy behavior in the Samba4 code.

> If so, make a username map e.g. /home/alex/smbmap:
> !root = SAMBA\Administrator SAMBA\administrator SAMBA\\Administrator
> SAMBA\administrator
>
> (I've put the alternatives because I'm not sure if you need to escape
> the \)
>
> then put it in smb.conf:
> username map = /home/alex/smbmap

Yes, thanks a lot! I completely forgot about username mapping :)
I have created a username mapping to the existing user "Administrator", and
it's working now:

[2013/10/27 17:47:51.465624,  3]
../source3/smbd/sesssetup.c:138(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2013/10/27 17:47:51.465652,  3]
../source3/smbd/sesssetup.c:179(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2013/10/27 17:47:51.478131,  3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: Administrator []
[2013/10/27 17:47:51.478176,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [administrator at SAMBA.LOCAL.NET]
[2013/10/27 17:47:51.478224,  3] ../source3/auth/user_util.c:404(map_username)
  Mapped user SAMBA\administrator to Administrator

> I'm sure there must be an easier way but anyway. . .
Well, I'm not sure - username mapping seems to be the easiest way.

But IMHO it's a BUG - and such buggy behavior is somehow hardcoded somewhere...
It should work the same way as for any other user, without workarounds
such as username mapping, IMHO.

> HTH
> Steve

Thanks a lot!

Regards,
  Alex
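
Added example, not part of the original message or of Samba's code: a small Python audit of a username map file that reports which client names end up as a privileged local account, following the line-by-line and '!' rules described in smb.conf(5). The sample maps (modelled on the one quoted in the thread), the function names and the case-insensitive comparison are assumptions made for this sketch.

```python
import re
# Constructed sample maps, modelled on the map quoted in the thread.
ROOT_MAP = r"""
# domain admin becomes local root
!root = SAMBA\Administrator SAMBA\administrator
"""
UNPRIV_MAP = r"""
; same client names mapped to a non-root local account instead
!Administrator = SAMBA\Administrator SAMBA\administrator
guest = *
"""

TOKEN = re.compile(r'"[^"]*"|\S+')  # client names may be double-quoted

def parse_map(text):
    """Return [(unix_name, [client_names], stop_on_match)] for each map line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank, comment, or not a "unix = clients" line
        stop = line.startswith("!")
        unix, _, clients = line.lstrip("!").partition("=")
        names = [t.strip('"') for t in TOKEN.findall(clients)]
        rules.append((unix.strip(), names, stop))
    return rules

def resolve(rules, client):
    """Apply the map as smb.conf(5) describes: every line is tried in order,
    a later match overrides an earlier one, and a matching '!' line ends it."""
    result = client
    for unix, names, stop in rules:
        # Assumption: names compare case-insensitively; '*' matches anyone.
        if "*" in names or client.lower() in (n.lower() for n in names):
            result = unix
            if stop:
                break
    return result

def privileged_mappings(rules, privileged=("root",)):
    """Client names (or '*') that end up as a privileged local account.
    @group, +group and &group entries are skipped: they need a live lookup."""
    hits = []
    for _, names, _ in rules:
        for n in names:
            if n[:1] not in "@+&" and n not in hits and resolve(rules, n) in privileged:
                hits.append(n)
    return hits
```

On a member where the mapped name itself resolves to UID 0 (as "Administrator" did here right after install), pass that name in `privileged` as well.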

