[Samba] Mac OS and interpretation of @ in a username. Ex user at mds.xyz doesn't work on Mac OS but does on Win 10
TomK
tomkcpr at mdevsys.com
Sun Feb 23 16:05:38 UTC 2020
On 2/21/2020 9:18 PM, Andrew Bartlett via samba wrote:
> On Fri, 2020-02-21 at 20:48 -0500, TomK wrote:
>>
>>
>>>
>>> "Sadly this really appears to be a client issue. You see there the
>>> string Samba gets, so by the time Samba tries to process it the @ is
>>> already interpreted and the string split.
>>>
>>> Sorry!
>>>
>>> Andrew Bartlett"
>>>
>>> Yeah, wondering if there is a way to tell Samba NOT to split that up and
>>> treat joe at mds.xyz as a single user. This works fine in Win 10 so I
>>> agree, it's probably a client SMB configuration issue but would like to
>>> know exactly what that config issue is.
>>>
>>
>> + or what parameters I could change to ensure the string isn't split up.
>
> You can't change it on the Samba side, you could try logging in as
> SERVER\joe at mds.xyz or see if you can re-map it server-side with the
> various username map options.
>
> You need to realise that the protocol has a domain field and a username
> one. Well behaved clients know that user at realm style usernames need to
> all be in the username field, not split up client-side (and left to the
> DC to interpret), but even Samba got this wrong for quite some time.
>
> I hope this helps,
>
> Andrew Bartlett
>
I'm seeing what you mean. I'll have to read into the server-side re-map
options. No idea where to find them (yet).
Looking at the attached logs however, appears the server is already
getting the split user. Or am I reading that incorrectly?
Attached a log. Right side is the successful WIN 10 login. And left
side is the unsuccessful Macbook login session.
--
Thx,
TK.
-------------- next part --------------
doing parameter security = user | doing parameter security = user
doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S
doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz
doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz
doing parameter valid users = root | doing parameter valid users = root
Got user=[joe] domain=[mds.xyz] workstation=[MACBOOKPRO-0138] len1=24 len2=222 | Got user=[joe] domain=[joe-PC] workstation=[JOE-PC] len1=24 len2=284
doing parameter security = user | doing parameter security = user
doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S
doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz
doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz
doing parameter valid users = root | doing parameter valid users = root
check_ntlm_password: Checking password for unmapped user [mds.xyz]\[joe]@[MACBOOKPRO-0138| check_ntlm_password: Checking password for unmapped user [joe-PC]\[joe]@[JOE-PC] with the
check_ntlm_password: mapped user is: [mds.xyz]\[joe]@[MACBOOKPRO-0138] | check_ntlm_password: mapped user is: [joe-PC]\[joe]@[JOE-PC]
check_sam_security: Couldn't find user 'joe' in passdb. | check_sam_security: Couldn't find user 'joe' in passdb.
check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N| check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N
Auth: [SMB2,(null)] user [mds.xyz]\[joe] at [Sat, 22 Feb 2020 21:59:16.669942 EST] with [N| Auth: [SMB2,(null)] user [joe-PC]\[joe] at [Sat, 22 Feb 2020 21:54:48.742407 EST] with [NT
SPNEGO login failed: NT_STATUS_NO_SUCH_USER | SPNEGO login failed: NT_STATUS_NO_SUCH_USER
Got user=[joe] domain=[NFS03] workstation=[MACBOOKPRO-0138] len1=24 len2=222 | --------------------------------------------------------------------------------------------
doing parameter security = user | doing parameter security = user
doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S
doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz
doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz
doing parameter valid users = root | doing parameter valid users = root
check_ntlm_password: Checking password for unmapped user [NFS03]\[joe]@[MACBOOKPRO-0138] | Got user=[joe at mds.xyz] domain=[] workstation=[JOE-PC] len1=24 len2=284
check_ntlm_password: mapped user is: [NFS03]\[joe]@[MACBOOKPRO-0138] | --------------------------------------------------------------------------------------------
check_sam_security: Couldn't find user 'joe' in passdb. | --------------------------------------------------------------------------------------------
check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N| --------------------------------------------------------------------------------------------
Auth: [SMB2,(null)] user [NFS03]\[joe] at [Sat, 22 Feb 2020 21:59:16.684420 EST] with [NTL| --------------------------------------------------------------------------------------------
SPNEGO login failed: NT_STATUS_NO_SUCH_USER | --------------------------------------------------------------------------------------------
Got user=[joe] domain=[mds.xyz@\192.168.0.80] workstation=[MACBOOKPRO-0138] len1=24 len2=2| --------------------------------------------------------------------------------------------
doing parameter security = user | doing parameter security = user
doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S
doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz
doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz
doing parameter valid users = root | doing parameter valid users = root
check_ntlm_password: Checking password for unmapped user [mds.xyz@\192.168.0.80]\[joe]@[M| check_ntlm_password: Checking password for unmapped user []\[joe at mds.xyz]@[JOE-PC] with t
check_ntlm_password: mapped user is: [mds.xyz@\192.168.0.80]\[joe]@[MACBOOKPRO-0138] | check_ntlm_password: mapped user is: []\[joe at mds.xyz]@[JOE-PC]
check_sam_security: Couldn't find user 'joe' in passdb. | Forcing Primary Group to 'Domain Users' for joe at mds.xyz
check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N| sam_account_ok: Checking SMB password for user joe at mds.xyz
Auth: [SMB2,(null)] user [mds.xyz@\\192.168.0.80]\[joe] at [Sat, 22 Feb 2020 21:59:16.7002| auth_check_ntlm_password: sam_ignoredomain authentication for user [joe at mds.xyz] succeeded
SPNEGO login failed: NT_STATUS_NO_SUCH_USER | Auth: [SMB2,(null)] user []\[joe at mds.xyz] at [Sat, 22 Feb 2020 21:54:57.695819 EST] with [
--------------------------------------------------------------------------------------------| check_ntlm_password: authentication for user [joe at mds.xyz] -> [joe at mds.xyz] -> [joe at mds.x
--------------------------------------------------------------------------------------------| Successful AuthZ: [SMB2,NTLMSSP] user [NFS03]\[joe at mds.xyz] [S-1-5-21-958209520-3148420287
--------------------------------------------------------------------------------------------| Adding homes service for user 'joe at mds.xyz' using home directory: '/home/mds.xyz/joe'
--------------------------------------------------------------------------------------------| adding home's share [joe at mds.xyz] for user 'joe at mds.xyz' at '/home/mds.xyz/joe'
--------------------------------------------------------------------------------------------| joe-pc (ipv4:192.168.0.76:50647) connect to service IPC$ initially as user joe at mds.xyz (ui
--------------------------------------------------------------------------------------------| Forcing Primary Group to 'Domain Users' for joe at mds.xyz
--------------------------------------------------------------------------------------------| Forcing Primary Group to 'Domain Users' for joe at mds.xyz
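A log check for the symptom discussed in this message, as an added example that is not part of the original post or of Samba: it reads smbd "Got user=" lines and flags sessions where the client put the realm of a user@realm name into the domain field. The function names are hypothetical and the sample lines are constructed, modelled on the attached log with "@" written literally (the list archive renders it as " at ").

```python
import re

# smbd logs the two NTLMSSP fields separately: user=[...] and domain=[...]
GOT_USER = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\]"
)

# Constructed sample, modelled on the attached log (not a verbatim copy).
SAMPLE_LOG = r"""Got user=[joe] domain=[mds.xyz] workstation=[MACBOOKPRO-0138] len1=24 len2=222
Got user=[joe] domain=[NFS03] workstation=[MACBOOKPRO-0138] len1=24 len2=222
Got user=[joe] domain=[mds.xyz@\192.168.0.80] workstation=[MACBOOKPRO-0138] len1=24 len2=222
Got user=[joe] domain=[joe-PC] workstation=[JOE-PC] len1=24 len2=284
Got user=[joe@mds.xyz] domain=[] workstation=[JOE-PC] len1=24 len2=284
check_sam_security: Couldn't find user 'joe' in passdb.
"""

# The "valid users" entries visible in the log.
VALID_USERS = ["joe@mds.xyz", "bob@mds.xyz", "root"]


def classify(line, valid_users):
    """Return (verdict, user, domain, workstation) for a 'Got user=' line, else None."""
    m = GOT_USER.search(line)
    if not m:
        return None
    user, domain, ws = m.group("user", "domain", "ws")
    # Keep only user@realm entries with both halves present.
    upns = [u.lower().partition("@") for u in valid_users if "@" in u]
    upns = [(name, realm) for name, _, realm in upns if name and realm]
    if any(user.lower() == f"{name}@{realm}" for name, realm in upns):
        verdict = "upn-intact"            # whole name arrived in the username field
    elif any(user.lower() == name and domain.lower().startswith(realm)
             for name, realm in upns):
        verdict = "upn-split-by-client"   # realm ended up in the domain field
    else:
        verdict = "other"                 # e.g. workstation or server name as domain
    return verdict, user, domain, ws


def scan(log_text, valid_users):
    """Classify every 'Got user=' line in a log, skipping unrelated lines."""
    results = (classify(line, valid_users) for line in log_text.splitlines())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for verdict, user, domain, ws in scan(SAMPLE_LOG, VALID_USERS):
        print(f"{verdict:20} user=[{user}] domain=[{domain}] workstation=[{ws}]")
```
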