[Samba] known bug in samba: Re: Winbind user/group name case change
samba at tlinx.org
Thu Sep 18 10:26:20 MDT 2014
Alexander Werth wrote:
> I did dig through older commits and mails on samba-technical.
> Apparently the problem with the enforced lower case is related to the
> homedir parameter %U. Since 3.0.7 cached the reverse mapping sid->name
> for name->sid lookups the entries in the cache didn't match the home
> directory anymore and failed. By always enforcing lower case names this
> had been worked around even for customers with existing cache entries.
> At that time (2004) no problem was foreseen with this approach since
> windows is case insensitive.
> So just removing the enforced lower for everyone would mess up the home
> directories for current users and also generate inconsistent output
> until the winbind cache gets cleared.
> But with a toggle to enable it in a controlled manner the winbind
> preserve case should be safe.
The problem was for those who tried to use Samba as a single-source
authentication mechanism for both linux and Windows.
While this may have created a benefit for some linux users w/lower
case homedirs, it causes problems for those logging in with 'ssh' or doing
any other type of authentication OTHER than samba-file authentication.
Main issues were with logins that were upper-cased by MS by default, as
well as mangling of domain names. I'm not exactly sure when, but I used
to have a leading upper case domain name.. at some point it was forced to
all upper case, but in some situations it expected lower case.
As it was/is, I have to have at least 2 and
as many as 3 variations (Domain/DOMAIN/domain) in my /etc/passwd
for various logins, groups and machine names... I see initial caps for
many things, upper case for domains and machines, and some lower case
Additionally, I had problems with home directory login due to the
case being mangled...where I'd had Domain/user for years, back some number
of years ago (2004? 2006... dunno exactly) had to create
symlinks for home directories that made it so upper case could equate to
mixed or lower case.
So the problem *did* come up .. just that it didn't come up for
everyone, and anyone who had a problem was expected to change their
Basically, anything that used pam for authentication had problems.
I still feel a bit weird having usernames like "Domain\root" in my
/etc/passwd. It works with most login/authentication mechanisms...
I also try to keep my passwd and group IDs unique and keep the
MS-group names in my /etc/group file... things like:
Remote Desktop Users:!:555:lw,root,Home\sam
Terminal Server Users:!:11513:sam,root
having that along with codes for trust levels like:
Low Mandatory Level:!:11604096:
High Mandatory Level:!:11612288:
System Mandatory Level:!:11616384:root
allows me to see those tokens in my login "groups" when I log in
to windows on cygwin...
Besides, if you have xfs, you can always set it to be case insensitive,
which would solve the problem for most home directories (only ascii
range, not utf8 which wasn't even around when xfs was designed).
In any event, I'm all in favor of *options*, rather than forcing
things on people....
Has that been made a part of the mainline yet or will it have to be
renamed "allow insecure case choice" to be accepted... ;-)
(cf. "allow insecure widelinks" vs. "allow client managed widelinks").
Thanks for the background... but I ran into all those problems because
I already had Upper and Lower case names porting from Windows...