Stephen Borrill
2005-Jan-06 14:39 UTC
[Samba] Administrator->root mapping not working on 3.0.10 (3.0.7 fine)
We are using samba 3 on NetBSD with security=domain authenticating against Windows 2003. We have a username map of "root = administrator". In all previous versions of samba tested (2.2.x and 3.0.x), this means when we log on as administrator, we have root access and see the root share. With 3.0.10, we are continually prompted for a password.

Log from 3.0.7 below:

[2005/01/06 14:25:58, 4] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/lib/username.c:map_username(132)
  Scanning username map /usr/pkg/etc/samba/smbusers
[2005/01/06 14:25:58, 3] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/lib/username.c:map_username(173)
  Mapped user Administrator to root
[2005/01/06 14:25:58, 3] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [DEMO]\[Administrator]@[APPSERVER] with the new password interface
[2005/01/06 14:25:58, 3] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [DEMO]\[root]@[APPSERVER]
[2005/01/06 14:25:58, 3] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [Administrator] succeeded
[2005/01/06 14:25:58, 2] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [Administrator] -> [root] -> [root] succeeded

Log from 3.0.10 below:

[2005/01/06 14:30:27, 4] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/lib/username.c:map_username(132)
  Scanning username map /usr/pkg/etc/samba/smbusers
[2005/01/06 14:30:27, 3] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/lib/username.c:map_username(173)
  Mapped user Administrator to root
[2005/01/06 14:30:27, 3] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [DEMO]\[Administrator]@[APPSERVER] with the new password interface
[2005/01/06 14:30:27, 3] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [DEMO]\[root]@[APPSERVER]
[2005/01/06 14:30:27, 4] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/lib/username.c:map_username(132)
  Scanning username map /usr/pkg/etc/samba/smbusers
[2005/01/06 14:30:27, 3] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth_util.c:make_server_info_info3(1127)
  User root does not exist, trying to add it
[2005/01/06 14:30:27, 0] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/01/06 14:30:27, 2] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [Administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/01/06 14:30:27, 3] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/smbd/process.c:timeout_processing(1336)
  timeout_processing: End of file from client (client has disconnected).
[2005/01/06 14:30:27, 3] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/01/06 14:30:27, 3] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name failed with error Record does not exist.

Any help appreciated.

--
Stephen
Gerald (Jerry) Carter
2005-Jan-06 15:09 UTC
[Samba] Administrator->root mapping not working on 3.0.10 (3.0.7 fine)
Stephen Borrill wrote:
> We are using samba 3 on NetBSD with security=domain
> authenticating against Windows 2003. We have a username map
> of "root = administrator". In all previous versions of
> samba tested (2.2.x and 3.0.x), this means when we log on
> as administrator, we have root access and see the root
> share. With 3.0.10, we are continually prompted for a
> password.

From the 3.0.8 release notes (WHATSNEW.txt):

Change in Winbindd Behavior
---------------------------

All usernames returned by winbindd are now converted to lower case for better consistency. This means any winbind installation relying on the winbind username will need to rename existing directories and/or files based on the username (%u and %U) to lower case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`). This may include mail spool files, home directories, valid user lines in smb.conf, etc....

Change in Username Map
----------------------

Previous Samba releases would only support reading the fully qualified username (e.g. DOMAIN\user) from the username map when performing a kerberos login from a client. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent behavior sometimes even on the same server.

Samba 3.0.8 obeys the following rules when applying the username map functionality:

  * When performing local authentication, the username map is
    applied to the login name before attempting to authenticate
    the connection.
  * When relying upon a external domain controller for validating
    authentication requests, smbd will apply the username map
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated.

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
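
Added example (not part of the original thread and not Samba code): a small parser for smbd logs like the ones quoted above, which pulls out each check_ntlm_password outcome and lists logins where a client account was mapped onto root, whether the login succeeded or failed. The sample input is an excerpt of the log lines from this thread; the function names and the "header, then message up to the next header" record layout are assumptions of this example.

```python
import re

# Excerpt of the smbd log lines quoted in this thread (3.0.7 success, 3.0.10 failure).
SAMPLE_LOG = r"""
[2005/01/06 14:25:58, 3] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/lib/username.c:map_username(173)
  Mapped user Administrator to root
[2005/01/06 14:25:58, 2] /usr/pkgsrc/net/samba/work/samba-3.0.7/source/auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [Administrator] -> [root] -> [root] succeeded
[2005/01/06 14:30:27, 0] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/01/06 14:30:27, 2] /usr/pkgsrc/net/samba/work/samba-3.0.10/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [Administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Header: "[date time, level] source-file:function(line)"; the message runs to the next header.
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+?):(\w+)\((\d+)\)")
OK = re.compile(r"authentication for user \[([^\]]*)\] -> \[([^\]]*)\] -> \[([^\]]*)\] succeeded")
FAIL = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (\w+)")

def records(text):
    """Yield (timestamp, level, function, message) for each log record."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h.group(1), int(h.group(2)), h.group(4), text[h.end():end].strip()

def auth_events(text):
    """Extract check_ntlm_password outcomes, keeping the client and mapped names."""
    events = []
    for ts, _level, func, msg in records(text):
        if func != "check_ntlm_password":
            continue
        if (m := OK.search(msg)):
            events.append({"time": ts, "client": m.group(1), "unix": m.group(3), "status": "OK"})
        elif (m := FAIL.search(msg)):
            events.append({"time": ts, "client": m.group(1), "unix": m.group(2), "status": m.group(3)})
    return events

def privileged_mappings(events, privileged=("root",)):
    """Events where a differently named client account ended up mapped to a privileged user."""
    return [e for e in events if e["unix"] in privileged and e["client"].lower() != e["unix"]]

if __name__ == "__main__":
    for e in privileged_mappings(auth_events(SAMPLE_LOG)):
        print(f'{e["time"]}  {e["client"]} -> {e["unix"]}  {e["status"]}')
```

Because records are delimited by the header pattern rather than by newlines, the same functions also work on a log that has been flattened onto one line.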