I've got a samba 3 box that's part of an AD domain.  It works correctly
for most users; but there was a problem where certain users couldn't
connect.  We'd get a log message that looks like this:

Username SAMPLE.COM\pcuser is invalid on this system

It turns out that the users who could not connect are those who have a
different unix username than their AD username.  Even though I have a
username map file set up, samba didn't seem to be using it.

This bug appeared somewhere between 3.0.2a and 3.0.6.  When we were on
3.0.2a, the username map worked.

I looked at the code, and found a problem in smbd/sesssetup.c:
reply_spnego_kerberos() calls map_username() with "DOMAIN\username"
but map_username() expects the username without the domain.

So, as a workaround, I could change my usermap file to include the
domain with the usernames; e.g.,

unixuser = pcuser SAMPLE.COM\pcuser

but that's kind of clunky.  So instead I modified sesssetup.c as
shown in the attached patch.

--- sesssetup.c.dist    2004-07-08 12:06:10.000000000 -0500
+++ sesssetup.c 2004-10-07 12:41:35.643671676 -0500
@@ -153,7 +153,7 @@
        DATA_BLOB session_key = data_blob(NULL, 0);
        uint8 tok_id[2];
        DATA_BLOB nullblob = data_blob(NULL, 0);
-       fstring real_username;
+       fstring real_username, mapped_client;
 
        ZERO_STRUCT(ticket);
        ZERO_STRUCT(auth_data);
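
Review bot: mapped_client is added to the existing real_username declaration with nothing saying what it holds. Declare it on its own line with a short comment that it is the client name after the username map has been applied, so it is not confused with real_username, which smb_getpwnam() fills in further down.
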
@@ -238,12 +238,13 @@
                }
        }
 
-       asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client);
+       fstrcpy(mapped_client, client);
+       map_username(mapped_client);
+
+       asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), mapped_client);
        
        /* lookup the passwd struct, create a new user if necessary */
 
-       map_username( user );
-
        pw = smb_getpwnam( user, real_username, True );
        
        if (!pw) {
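
Review bot: removing the map_username( user ) call after asprintf() means a username map entry written with the domain-qualified name is never consulted on this path any more, so map files that already use that form (the workaround described in the message) stop matching. Either keep a second map_username() pass on the qualified name when the unqualified pass left mapped_client unchanged, or document the change in map file format. Also note that the name handed to smb_getpwnam() is now domain, separator and the mapped unix name; when the map has rewritten the name to a local account, confirm that this lookup still resolves, or build user without the domain prefix in that case.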
