Why do you prefix the username with the domain and "+" sign?

I do auth through PAM + Winbind/Kerberos to a real Active Directory (not a 
Samba domain master) and I don't have to add the domain prefix so my usernames 
are simply the login part.

You'll need to configure Kerberos to make this work, though, but this is in a 
real AD scenario; I'm not sure what to do with a Samba domain.

Here is my smb.conf if it can help:

[global]
        security = ads
        realm = <my AD domain>
        workgroup = <my AD short domain name>
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        idmap config * : backend = rid
        idmap config * : base_rid = 0
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        winbind refresh tickets = yes
        restrict anonymous = 2
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        kerberos method = system keytab



Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3

----- Original message ----- 

From: "Joost Rohde" <[email protected]> 
To: [email protected] 
Sent: Tuesday 20 March 2018 11:22:40 
Subject: Re: [X2Go-Dev] Effective username not correct in Session ID because of 
plus sign in user names (Windows AD / Samba4) 

On 20-03-18 11:04, Stefan Baur wrote: 
> On 20.03.2018 at 10:56, Mihai Moldovan wrote: 
>> There are also problems with backslashes and other characters in user names. 
>> 
>> They originate from a new sanitization feature in X2Go Server that drops 
>> characters not deemed suitable for a username. 
>> 
>> A plus sign might not be part of the allowed character set, which would 
>> explain this behavior. 
>> 
>> We've had such a discussion before and I'm still not completely sure what 
>> to do with it. It sounded like sanitization was a good idea at first, but 
>> seeing it causes problems often (well, for AD and NIS users only most of 
>> the time), maybe I should rework this and just accept any input. 
>> 
>> 
>> Not sure if that is a smart idea, though. 
> Maybe we could add a config variable X2GO_ALLOW_IN_USERNAME, so admins 
> could adapt it to their needs, yet it wouldn't be our fault if they 
> shoot themselves in the foot with it? 
> Ship with a sane default (like we do now) and add a proper description 
> in the comments, everything else is up to the admin. 
> 
> Kind Regards, 
> Stefan Baur 

Googling around a bit I think allowing just '\' and '+' would suffice. 
A backslash is the default winbind separator *, and a plus sign very 
common to use. 
I didn't see any other characters used (yet), but making it a config 
variable would indeed help for these rare cases and gives admins some 
flexibility. 

Best, 
Joost 

* 
https://www.safaribooksonline.com/library/view/using-samba-second/0596002564/re300.html
 

_______________________________________________ 
x2go-dev mailing list 
[email protected] 
https://lists.x2go.org/listinfo/x2go-dev
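
An added illustration of the trade-off discussed in this thread, not code from X2Go Server or from any of the posters: it contrasts silently dropping disallowed characters with rejecting the name outright, using an admin-extendable allowlist in the spirit of the proposed X2GO_ALLOW_IN_USERNAME. The base character set, the function names and the sample logins are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumption: a conservative base set; not X2Go Server's real list.
BASE_ALLOWED = "a-zA-Z0-9._-"

def disallowed(extra=""):
    """Regex matching every character outside the base set plus `extra`."""
    # re.escape keeps '\', '+', ']' or '^' literal inside the class;
    # the base set goes last so its trailing '-' cannot form a range.
    return re.compile("[^" + re.escape(extra) + BASE_ALLOWED + "]")

def strip_sanitize(name, extra=""):
    """Lossy variant: silently drop disallowed characters."""
    return disallowed(extra).sub("", name)

def validate(name, extra=""):
    """Strict variant: return the name unchanged or refuse it."""
    bad = sorted(set(disallowed(extra).findall(name)))
    if bad or not name:
        raise ValueError(f"rejected {name!r}: disallowed characters {bad}")
    return name

def find_collisions(names, extra=""):
    """Map each sanitized name to the distinct inputs that collapse onto it."""
    groups = defaultdict(list)
    for n in names:
        groups[strip_sanitize(n, extra)].append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample logins (domain EXAMPLE is a placeholder).
SAMPLE = ["EXAMPLE+alice", "EXAMPLE\\alice", "EXAMPLEalice", "bob"]

if __name__ == "__main__":
    print(find_collisions(SAMPLE))          # default set: three names collapse
    print(find_collisions(SAMPLE, "\\+"))   # '\' and '+' allowed: no collapse
```

Stripping changes the effective name without telling anyone and can fold distinct accounts into one; rejecting, or widening the allowlist only to characters that are safe wherever the name is later used, keeps the name that was authenticated.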