Hi Guenther,

On Thursday, 30 May 2002 16:17, Guenther Deschner wrote:
> hello,
>
> smb.conf-manpage of 2.2.5pre and HEAD states the bug of "multi-byte
> character sets in usernames":
>
> -----8<------------------snip--------------8<--------------
> BUG: There is currently a bug  in  the  implementation  of
>        security = domain with respect to multi-byte character set
>        usernames. The communication with a Domain Controller must
>        be  done  in  UNICODE  and  Samba currently does not widen
>        multi-byte user names to UNICODE correctly, thus a  multi-
>        byte  username  will  not  be  recognized correctly at the
>        Domain Controller. This  issue  will  be  addressed  in  a
>        future release.
> ----->8------------------snap-------------->8--------------
>
> will this bug be solved in the near future? in 2.2.5 or HEAD?
>
> the main problem with this is that you get crippled well-known
> domain-groups with winbind (on suse linux 8, kernel 2.4.18, samba-2_2)
> and german NT-servers where rid200 (Domain Admins) is Domänen-Admins,
> and rid202 is Domänen-Gäste.
>
> now wbinfo -g cuts out the UTF8 chars and will show you e.g.
> DOMAIN+Domnen-Admins, DOMAIN+Domnen-Gste, etc.
>
> now you cannot set XFS-ACLs properly since neither DOMAIN+Domnen-Admins
> nor DOMAIN+Domänen-Admins does resolve back ...
>
> a simple (and ugly) workaround is to create the three domain-groups in
> question in /etc/group. with that you still have to keep an eye on the
> correct winbind-gid mapping and rid200 appears crippled in security tab.
>
> is there any other workaround for this?

I believe this is a different problem. There is just no conversion of group 
and user names to the desired character set.
With the patch below applied I get:
hasch@tower:~> getent group
...
DOMAIN\Domänen-Admins:x:10003:DOMAIN\Administrator,DOMAIN\testadmin
DOMAIN\Domänen-Gäste:x:10004:DOMAIN\Gast 
DOMAIN\Domänencomputer:x:10005:
DOMAIN\Domänencontroller:x:10006:
...

Now the correct usernames and groups are shown. I only added a few 
conversions; the correct approach would be to check all
unistr2_to_ascii calls and add dos_to_unix where necessary.

I will generate a complete patch if the Samba team thinks it's worth
considering and I am not completely on the wrong track :-)

...Juergen
--- nsswitch/winbindd_rpc.c.orig	Thu May 30 16:25:50 2002
+++ nsswitch/winbindd_rpc.c	Sat May 25 23:49:43 2002
@@ -63,7 +63,7 @@
 		uint32 count = 0, start=i;
 		int j;
 		TALLOC_CTX *ctx2;
-
+		pstring t;
 		ctr.sam.info1 = &info1;
 
 		ctx2 = talloc_init_named("winbindd dispinfo");
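Review bot: the new `pstring t;` takes the place of the blank line that separated the declarations from `ctr.sam.info1 = &info1;`, so the first statement now runs straight on from the declarations. Keep a blank line after the declaration, and consider a more descriptive name than `t` for a scratch buffer that is reused for several different fields.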
@@ -92,8 +92,14 @@
 		}
 
 		for (j=0;j<count;i++, j++) {
-			(*info)[i].acct_name = unistr2_tdup(mem_ctx, &info1.str[j].uni_acct_name);
-			(*info)[i].full_name = unistr2_tdup(mem_ctx, &info1.str[j].uni_full_name);
+			unistr2_to_ascii(t, &info1.str[j].uni_acct_name, sizeof(pstring));
+			dos_to_unix(t);
+			(*info)[i].acct_name = talloc_strdup(mem_ctx, t);
+			
+			unistr2_to_ascii(t, &info1.str[j].uni_full_name, sizeof(pstring));
+			dos_to_unix(t);
+			(*info)[i].full_name = talloc_strdup(mem_ctx, t);
+			
 			(*info)[i].user_rid = info1.sam[j].rid_user;
 			/* For the moment we set the primary group for
 			   every user to be the Domain Users group.
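Review bot: both `unistr2_to_ascii(t, ..., sizeof(pstring))` calls in the loop pass the full buffer size, while every other call site touched by this patch passes one less (`sizeof(fstring) - 1`, `sizeof(tmp) - 1`, `sizeof(temp)-1`). Please confirm which convention the length argument expects and use it consistently, so the terminator cannot land past the end of `t`. Going through a fixed `pstring` also bounds the names by that buffer, where `unistr2_tdup` allocated from `mem_ctx` directly, and the `talloc_strdup` results are stored without a NULL check. The two added lines that contain only tabs should be empty or dropped.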
@@ -267,6 +273,7 @@
 	POLICY_HND dom_pol, user_pol;
 	BOOL got_dom_pol = False, got_user_pol = False;
 	SAM_USERINFO_CTR *ctr;
+	pstring t;
 
 	/* Get sam handle */
 	if (!(hnd = cm_get_sam_handle(domain->name)))
@@ -300,10 +307,20 @@
 	got_user_pol = False;
 
 	user_info->group_rid = ctr->info.id21->group_rid;
-	user_info->acct_name = unistr2_tdup(mem_ctx, 
-					    &ctr->info.id21->uni_user_name);
-	user_info->full_name = unistr2_tdup(mem_ctx, 
-					    &ctr->info.id21->uni_full_name);
+	
+	unistr2_to_ascii(t, &ctr->info.id21->uni_user_name, sizeof(pstring));
+	dos_to_unix(t);
+	user_info->acct_name = talloc_strdup(mem_ctx, t);
+	
+	unistr2_to_ascii(t, &ctr->info.id21->uni_full_name, sizeof(pstring));
+	dos_to_unix(t);
+	user_info->full_name = talloc_strdup(mem_ctx, t);
+
 
  done:
 	/* Clean up policy handles */
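Review bot: the convert-then-duplicate sequence (`unistr2_to_ascii`, `dos_to_unix`, `talloc_strdup`) appears here for the third and fourth time in this file, after the two copies in the display-info loop. A small helper taking `mem_ctx` and the Unicode string would remove the repetition and give one place to settle the length argument, which is again `sizeof(pstring)` rather than the `sizeof(...) - 1` used in libsmb/cli_samr.c and rpcclient/cmd_samr.c. The hunk also adds a whitespace-only line after the `group_rid` assignment and leaves two blank lines before `done:`.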
--- libsmb/cli_samr.c.orig	Thu May 30 16:30:33 2002
+++ libsmb/cli_samr.c	Sat May 25 23:30:51 2002
@@ -569,6 +569,7 @@
 			unistr2_to_ascii((*dom_groups)[i].acct_name,
 					 &r.uni_grp_name[name_idx],
 					 sizeof(fstring) - 1);
+			dos_to_unix((*dom_groups)[i].acct_name);
 			name_idx++;
 		}
 
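Review bot: `dos_to_unix((*dom_groups)[i].acct_name)` rewrites the name in place and takes no length, while the preceding `unistr2_to_ascii` was allowed to fill the field up to `sizeof(fstring) - 1`. Please state in a comment or in the commit message that the conversion can never produce more bytes than it reads, or convert into a separately sized buffer. The same applies to the identical change in the next hunk.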
@@ -647,6 +648,7 @@
 			unistr2_to_ascii((*dom_groups)[i].acct_name,
 					 &r.uni_grp_name[name_idx],
 					 sizeof(fstring) - 1);
+			dos_to_unix((*dom_groups)[i].acct_name);
 			name_idx++;
 		}
 
@@ -938,6 +940,7 @@
 		fstring tmp;
 
 		unistr2_to_ascii(tmp, &r.uni_name[i], sizeof(tmp) - 1);
+		dos_to_unix(tmp);
 		(*names)[i] = talloc_strdup(mem_ctx, tmp);
 		(*name_types)[i] = r.type[i];
 	}
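Review bot: converting inside libsmb/cli_samr.c changes what every caller of these client functions receives, whereas nsswitch/winbindd_rpc.c and rpcclient/cmd_samr.c in this same patch convert at the call site. Pick one layer, otherwise a caller that also runs `dos_to_unix` on `(*names)[i]` will convert the name twice. A function comment saying which character set the returned names are in would make that contract explicit.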
--- rpcclient/cmd_samr.c.orig	Sun Apr  7 10:10:35 2002
+++ rpcclient/cmd_samr.c	Thu May 30 16:38:36 2002
@@ -35,9 +35,11 @@
 	fstring temp;
 
 	unistr2_to_ascii(temp, &usr->uni_user_name, sizeof(temp)-1);
+	dos_to_unix(temp);
 	printf("\tUser Name   :\t%s\n", temp);
 	
 	unistr2_to_ascii(temp, &usr->uni_full_name, sizeof(temp)-1);
+	dos_to_unix(temp);
 	printf("\tFull Name   :\t%s\n", temp);
 	
 	unistr2_to_ascii(temp, &usr->uni_home_dir, sizeof(temp)-1);
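Review bot: only the user name and the full name get `dos_to_unix(temp)`; the `uni_home_dir` value on the last context line goes through the same `unistr2_to_ascii(temp, ...)` call and is left unconverted. Either convert every string field in this display routine, or note why these two fields are treated differently.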
