On Wed, Oct 20, 2004 at 09:21:09PM -0500, Gerald (Jerry) Carter wrote:
| I've done some more digging and the username map stuff is a little
| worse than I initially thought.
|
| (a) when 'security = user', the username map is applied before
| the password is checked.
| (b) when 'security = ads', the username map is applied to
| fully qualified names (domain\user) after the krb5 ticket
| is checked. (see the next comment for NTLM).
| (c) when 'security = domain' (or NTLM auth for ADS security),
| the username map is applied to the login name only. The original
| domain\user is still authenticated but the UNIX identity
| is looked up in the username map.
|
| So I guess that the cleanest way to fix this is to apply the username
| map before checking authentication when validating user locally
| and apply it after authentication for domain users (krb5 & ntlm).
|
| How do people feel about this?
We need to fix it and document that security={domain,ads} requires
the leading "DOMAIN\" in `username map' and `admin users';
I got bitten by this recently (trying to map "DOMAIN\administrator"
to root AKA uid==0).
There's a related issue though. Right now, it's hard to support:
* ADS for authentication
* NIS for username<->UID mapping (or another nsswitch.conf source)
* winbindd for IDmap faked UIDs as a fallback for people not in NIS.
* nsswitch.conf passwd: files nis winbind
because it appears that smbd looks up DOMAIN\user, gets a miss in NIS
(via getpwnam(3)) and then winbindd fakes up a UID _before_ smbd gets a
chance to try getpwnam(3) on the name with the leading "DOMAIN\"
stripped. Is there a workaround for this configuration?
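As an added illustration (not code from this thread or from Samba itself), here is a small Python model of how a `username map` file is walked, showing why a line must name `DOMAIN\administrator` rather than bare `administrator` to reach root once the login arrives domain-qualified under security = domain/ads. The map file is constructed for the example; only `unixname = winname ...` lines, the `!` stop prefix and the `*` catch-all are modelled, `@group` entries are not.

```python
import shlex

# Constructed username-map file in Samba's "unixname = winname ..." format.
# A '!' prefix stops processing at that line; a bare '*' matches everyone.
# With security = domain/ads the incoming login is "DOMAIN\user", so only
# the first line reaches root; the second only helps under security = user.
CONSTRUCTED_MAP = r"""
# map the domain administrator to root (uid 0)
!root = DOMAIN\administrator
!root = administrator
!nobody = *
"""


def parse_username_map(text):
    """Return [(unix_name, [windows_names], stop_after_match)] for each map line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, win_names = line.split("=", 1)
        unix_name = unix_name.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        # shlex copes with quoted names containing spaces; backslash escaping
        # is switched off so "DOMAIN\user" survives intact.
        lexer = shlex.shlex(win_names, posix=True)
        lexer.whitespace_split = True
        lexer.escape = ""
        entries.append((unix_name, list(lexer), stop))
    return entries


def map_username(login, entries):
    """Walk the map the way smbd does: a matching line rewrites the name,
    and later lines see the rewritten name unless '!' stopped processing."""
    name = login
    for unix_name, win_names, stop in entries:
        if any(w == "*" or w.lower() == name.lower() for w in win_names):
            name = unix_name
            if stop:
                break
    return name


if __name__ == "__main__":
    entries = parse_username_map(CONSTRUCTED_MAP)
    for login in ("DOMAIN\\administrator", "administrator", "DOMAIN\\alice"):
        print(f"{login!r} -> {map_username(login, entries)!r}")
```

The last assertion-style case worth trying by hand is a map containing only `root = administrator`: a domain-qualified `DOMAIN\administrator` falls straight through unmapped, which is exactly the behaviour complained about above.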
