Jeroen Vogelpoel
2004-Jun-16 13:42 UTC
[Samba] Erroneous username character substitution ( %u )
Good day,

I'm having a few problems with Samba 3.0.2a, specifically involving the username character substitute, %u. For some reason, Samba resolves the %u character wrongly when used in the "path" parameter, where it resolves it as the guest account. However, the server in question has "map to guest" set to never and both "guest ok" and "guest only" set to 0. The odd thing is, however, that the %u substitution in the "comment" parameter is resolved correctly to the username, showing a comment as expected with the mapped username. However, the logs show that even though the user is mapped and then authenticated correctly, it still connects to the share as a guest user. The question is, how do I get Samba to properly connect to the share with the authenticated username instead of the guest account? Also, given the configuration given below, I should be unable to access the "nico" share, because my win2k username maps to jeroen. Samba connects me as the guest user again, giving me access to the share, even after I added "invalid users = nobody" as a test. Following are a few testparm dumps ( only modified parameters ) and the relevant log entries:

*** `testparm -L Websites` dump

[global]
    workgroup = ECHELONPROJECT
    netbios aliases = Administration, Websites
    server string = Samba %v ( %L )
    username map = /etc/samba/smbusers
    log level = 2
    log file = /var/log/samba3/samba.%m
    deadtime = 120
    socket options = IPTOS_LOWDELAY TCP_NODELAY
    comment = "Shared directory at %L"
    hosts allow = 192.168.0.0/24
    include = /etc/samba/includes/websites.shares

[jeroen]
    path = /home/jeroen/public_html
    valid users = jeroen
    read only = No
    create mask = 0755

[nico]
    path = /home/nico/public_html
    valid users = nico
    read only = No
    create mask = 0755

[website]
    comment = "%u's website"
    path = /home/%u/public_html
    read only = No
    create mask = 0755

( Default values such as security = user have been left out. )

*** Log entries

[2004/06/16 15:14:40, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [Jeroen Vogelpoel] -> [jeroen] -> [jeroen] succeeded
[2004/06/16 15:14:40, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.2)
[2004/06/16 15:14:41, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.2)
[2004/06/16 15:14:41, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.2)
[2004/06/16 15:14:41, 1] smbd/service.c:make_connection_snum(705)
  terra (192.168.0.2) connect to service jeroen initially as user nobody (uid=65534, gid=65534) (pid 19841)
[2004/06/16 15:14:44, 2] lib/access.c:check_access(324)
  Allowed connection from (192.168.0.2)
[2004/06/16 15:14:44, 0] smbd/service.c:make_connection_snum(677)
  '/home/nobody/public_html' does not exist or is not a directory, when connecting to [website]
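
The log excerpt above shows a session that authenticates as one Unix account and then connects to a share as another. As an added example, not part of the original thread and not Samba's own code, this Python script correlates those two record types and reports the mismatch. It assumes a per-client log file (as `log file = /var/log/samba3/samba.%m` produces) so records appear in session order; the second sample session is constructed for contrast.

```python
import re

# smbd log record: "[date time, level] file:function(line)" header, then indented message lines.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+\(\d+\)$")
AUTH_OK = re.compile(r"authentication for user \[.*?\] -> \[.*?\] -> \[(.*?)\] succeeded")
CONNECT = re.compile(r"\(([\d.]+)\) connect to service (\S+) initially as user (\S+) \(uid=")

def records(log_text):
    """Yield (timestamp, message), joining wrapped continuation lines."""
    stamp, parts = None, []
    for line in map(str.strip, log_text.splitlines()):
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), []
        elif stamp and line:
            parts.append(line)
    if stamp:
        yield stamp, " ".join(parts)

def find_identity_mismatches(log_text):
    """Return (time, client, service, authenticated, connected_as) for mismatched connects."""
    findings, authed = [], None
    for stamp, msg in records(log_text):
        if m := AUTH_OK.search(msg):
            authed = m.group(1)  # final mapped Unix account
        elif (m := CONNECT.search(msg)) and authed and m.group(3) != authed:
            findings.append((stamp, m.group(1), m.group(2), authed, m.group(3)))
    return findings

# Log lines quoted from the post above.
PAGE_LINES = """\
[2004/06/16 15:14:40, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [Jeroen Vogelpoel] ->
  [jeroen] -> [jeroen] succeeded
[2004/06/16 15:14:41, 1] smbd/service.c:make_connection_snum(705)
  terra (192.168.0.2) connect to service jeroen initially as user
  nobody (uid=65534, gid=65534) (pid 19841)
"""
# Constructed for contrast (not from the post): a session that connects as itself.
CONSTRUCTED_LINES = """\
[2004/06/16 15:20:02, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [nico] -> [nico] -> [nico] succeeded
[2004/06/16 15:20:03, 1] smbd/service.c:make_connection_snum(705)
  venus (192.168.0.3) connect to service nico initially as user nico (uid=1001, gid=1001) (pid 19902)
"""
if __name__ == "__main__":
    print(find_identity_mismatches(PAGE_LINES + CONSTRUCTED_LINES))
```
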
Have you tried with %U (not %u)? I have not tried this, but apparently it is the session username (i.e. requested username, not necessarily the given username).

Jeroen Vogelpoel wrote:
> Good day,
>
> I'm having a few problems with Samba 3.0.2a, specifically involving
> the username character substitute, %u. For some reason, Samba resolves
> the %u character wrongly when used in the "path" parameter, where it
> resolves it as the guest account. However, the server in question has
> "map to guest" set to never and both "guest ok" and "guest only" set
> to 0. The odd thing is, however, that the %u substitution in the
> "comment" parameter is resolved correctly to the username, showing a
> comment as expected with the mapped username. However, the logs show
> that even though the user is mapped and then authenticated correctly,
> it still connects to the share as a guest user. The question is, how
> do I get Samba to properly connect to the share with the authenticated
> username instead of the guest account? Also, given the configuration
> given below, I should be unable to access the "nico" share, because my
> win2k username maps to jeroen. Samba connects me as the guest user
> again, giving me access to the share, even after I added "invalid
> users = nobody" as a test. Following are a few testparm dumps ( only
> modified parameters ) and the relevant log entries:
>
> *** `testparm -L Websites` dump
>
> [global]
>     workgroup = ECHELONPROJECT
>     netbios aliases = Administration, Websites
>     server string = Samba %v ( %L )
>     username map = /etc/samba/smbusers
>     log level = 2
>     log file = /var/log/samba3/samba.%m
>     deadtime = 120
>     socket options = IPTOS_LOWDELAY TCP_NODELAY
>     comment = "Shared directory at %L"
>     hosts allow = 192.168.0.0/24
>     include = /etc/samba/includes/websites.shares
>
> [jeroen]
>     path = /home/jeroen/public_html
>     valid users = jeroen
>     read only = No
>     create mask = 0755
>
> [nico]
>     path = /home/nico/public_html
>     valid users = nico
>     read only = No
>     create mask = 0755
>
> [website]
>     comment = "%u's website"
>     path = /home/%u/public_html
>     read only = No
>     create mask = 0755
>
> ( Default values such as security = user have been left out. )
>
> *** Log entries
>
> [2004/06/16 15:14:40, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [Jeroen Vogelpoel] ->
> [jeroen] -> [jeroen] succeeded
> [2004/06/16 15:14:40, 2] lib/access.c:check_access(324)
>   Allowed connection from (192.168.0.2)
> [2004/06/16 15:14:41, 2] lib/access.c:check_access(324)
>   Allowed connection from (192.168.0.2)
> [2004/06/16 15:14:41, 2] lib/access.c:check_access(324)
>   Allowed connection from (192.168.0.2)
> [2004/06/16 15:14:41, 1] smbd/service.c:make_connection_snum(705)
>   terra (192.168.0.2) connect to service jeroen initially as user
> nobody (uid=65534, gid=65534) (pid 19841)
> [2004/06/16 15:14:44, 2] lib/access.c:check_access(324)
>   Allowed connection from (192.168.0.2)
> [2004/06/16 15:14:44, 0] smbd/service.c:make_connection_snum(677)
>   '/home/nobody/public_html' does not exist or is not a directory,
> when connecting to [website]