Stuckless, Colin 709 778-3815
2003-Sep-26 16:05 UTC
[Samba] $ in domain name, Samba 2.2.8a
Hi, I recently upgraded samba to 2.2.8a on a Solaris 8 server. Previously we were running an older version on Solaris 2.6. I am using domain security to authenticate users to an NT based PDC, and have a username map for matching Windows usernames to Unix usernames.

The problem I'm having is that users in the same domain as the Solaris server are authenticating fine, but users in a domain trusted by that domain are not authenticating. For example, if the local domain is DOMB and the trusted domain with the dollar sign is $DOMA, in my smb log I see:

    domain_client_validate: unable to validate password for user FOO in domain _DOMA to Domain controller *. Error was NT_STATUS_NO_SUCH_USER.

It looks to me like the $ in $DOMA is being mapped to an underscore ("_DOMA"), and I'm guessing that the PDC is being asked to validate a user in a domain "_DOMA" that it knows nothing about. Or perhaps this is a red herring, and the $ is preserved in the smb communication but just not in my log file.

I didn't have this problem under the older samba version I was running (also using domain security and our NT based PDC).

Any ideas?

Best Regards,
Colin Stuckless

********************
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately. We honour similar requests relating to the privacy of email communications.
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: Wednesday, October 01, 2003 11:49 AM
> To: Stuckless, Colin 709 778-3815
> Cc: Andrew Bartlett; 'samba@lists.samba.org'
> Subject: Re: [Samba] $ in domain name, Samba 2.2.8a
>
> Andrew Bartlett wrote:
>
> | Yes, we are stripping it out for security reasons. The problem is when
> | people use %U and %D macros in their smb.conf - particularly for
> | logfiles - we got bitten when %m was allowed to contain ../../, and
> | cracked down on it.
> |
> | I think Samba 3.0 allows this again, as I've gone over the codepaths,
> | and am happy with our verification (against the known list of trusted
> | domains etc).
>
> Colin,
>
> Here's a patch that should fix things for you.
>
> cheers, jerry

Jerry, Andrew -

I just wanted to close the loop on this one. Your suggestions/patches worked for us, users in our domain with a $ in it are again able to authenticate and access their Unix files with samba 2.2.8a.

Thanks for the timely and accurate advice.

Colin Stuckless
cstuckless@petro-canada.ca
Unix/G&G Support Specialist
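The trade-off Andrew Bartlett describes above, as an added example that is not part of the thread, not Samba's code and not the patch Jerry sent: a blanket character filter keeps "../../" out of a macro-expanded log path but also rewrites "$DOMA" to "_DOMA", while a check against a list of known domains lets the legitimate name through unchanged. The function names, the domain list and the log path are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed list standing in for the domains the server already knows. */
static const char *const KNOWN_DOMAINS[] = { "DOMB", "$DOMA", NULL };

/* Blanket filter: any byte outside [A-Za-z0-9._-] becomes '_'. That keeps
 * "../../" out of a path, but it also turns "$DOMA" into "_DOMA". */
static void sanitize_name(const char *in, char *out, size_t n)
{
    size_t i = 0;
    if (n == 0) return;
    for (; in[i] != '\0' && i + 1 < n; i++) {
        unsigned char c = (unsigned char)in[i];
        int ok = isalnum(c) || c == '.' || c == '_' || c == '-';
        out[i] = ok ? (char)c : '_';
    }
    out[i] = '\0';
}

/* Allowlist: a name equal (ignoring case) to a known domain is emitted in
 * its configured spelling; anything else is filtered. Returns 1 if known. */
static int domain_for_macro(const char *dom, char *out, size_t n)
{
    for (const char *const *k = KNOWN_DOMAINS; *k != NULL; k++) {
        if (strcasecmp(dom, *k) == 0) {
            snprintf(out, n, "%s", *k);
            return 1;
        }
    }
    sanitize_name(dom, out, n);
    return 0;
}

int main(void)
{
    const char *inputs[] = { "$DOMA", "../../etc/x", NULL }; /* constructed */
    char dom[64], path[128];
    for (int i = 0; inputs[i] != NULL; i++) {
        domain_for_macro(inputs[i], dom, sizeof dom);
        /* stands in for expanding %D in a log file setting */
        snprintf(path, sizeof path, "/var/log/samba/log.%s", dom);
        printf("%-12s -> %s\n", inputs[i], path);
    }
    return 0;
}
```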