I've got a samba 3 box that's part of an AD domain. It works correctly for most users; but there was a problem where certain users couldn't connect. We'd get a log message that looks like this:
Username SAMPLE.COM\pcuser is invalid on this system
It turns out that the users who could not connect are those who have a different unix username than their AD username. Even though I have a username map file set up, samba didn't seem to be using it.
This bug appeared somewhere between 3.0.2a and 3.0.6. When we were on 3.0.2a, the username map worked.
I looked at the code, and found a problem in smbd/sesssetup.c: reply_spnego_kerberos() calls map_username() with "DOMAIN\username" but map_username() expects the username without the domain.
So, as a workaround, I could change my usermap file to include the domain with the usernames; e.g.,
unixuser = pcuser SAMPLE.COM\pcuser
but that's kind of clunky. So instead I modified sesssetup.c as shown in the attached patch.
--- sesssetup.c.dist 2004-07-08 12:06:10.000000000 -0500
+++ sesssetup.c 2004-10-07 12:41:35.643671676 -0500
@@ -153,7 +153,7 @@
DATA_BLOB session_key = data_blob(NULL, 0);
uint8 tok_id[2];
DATA_BLOB nullblob = data_blob(NULL, 0);
- fstring real_username;
+ fstring real_username, mapped_client;
ZERO_STRUCT(ticket);
ZERO_STRUCT(auth_data);
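Review bot: mapped_client is appended to the real_username declaration with no comment, although the two buffers play different roles (real_username is the one passed to smb_getpwnam() further down). Declaring mapped_client on its own line, with a short comment that it holds the Kerberos client name after the username map has been applied and before the domain prefix is added, would make the later asprintf() easier to follow.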
@@ -238,12 +238,13 @@
}
}
- asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client);
+ fstrcpy(mapped_client, client);
+ map_username(mapped_client);
+
+ asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), mapped_client);
/* lookup the passwd struct, create a new user if necessary */
- map_username( user );
-
pw = smb_getpwnam( user, real_username, True );
if (!pw) {
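Review bot: at the new asprintf() call the already-mapped name is joined with domain and the winbind separator again, so with the map entry from the message the string handed to smb_getpwnam() is the domain-qualified form of unixuser rather than the bare unix name; it is worth confirming that this lookup resolves to the local account and not to a same-named domain account. Dropping the old map_username( user ) call also means map entries written in the domain-qualified form (the workaround line quoted in the message) stop matching, so either keep a second attempt with the qualified name when the bare name is not mapped, or document the change. The return value of map_username(mapped_client) is ignored, so a comment stating that an unmapped name is intentionally passed through unchanged would help.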
