Everything looks fine to me...
net ads info :
# net ads info
LDAP server: 199.42.192.103
LDAP server name: uscosddm001
Realm: EDSADDDM.DDM.APM.BPM.EDS.COM
Bind Path: dc=EDSADDDM,dc=DDM,dc=APM,dc=BPM,dc=EDS,dc=COM
LDAP port: 389
Server time: Tue, 12 Oct 2004 08:22:59 PST
KDC server: 199.42.192.103
Server time offset: 0
wbinfo -u :
# wbinfo -u | grep imguser
EDSADDDM+imguser
smb.conf :
# cat smb.conf
[global]
workgroup = EDSADDDM
realm = EDSADDDM.DDM.APM.BPM.EDS.COM
server string = Maul Test Server
log level = 2
max log size = 100
security = ADS
local master = no
os level = 0
domain master = no
preferred master = no
wins server = 199.42.192.103
dns proxy = no
encrypt passwords = yes
idmap uid = 60000-70000
idmap gid = 80000-90000
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = no
[space]
comment = Space Partition Share
path = /space
writable = yes
browsable = yes
valid users = "EDSADDDM\imguser"
When I try to map \\maul\space from a Windows XP client, using
EDSADDDM\imguser as the user to map as, the username/password box just
keeps popping up, and I get the following messages in log.smbd :
[2004/10/12 08:25:33, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2004/10/12 08:25:33, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2004/10/12 08:25:33, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [imguser] -> [imguser]
-> [EDSADDDM+imguser] succeeded
[2004/10/12 08:25:33, 2] smbd/service.c:make_connection_snum(314)
user 'EDSADDDM+imguser' (from session setup) not permitted to access
this share (space)
[2004/10/12 08:25:44, 2] smbd/server.c:exit_server(571)
Closing connections
Any ideas?
Greg Adams wrote:
> winbind separator = +
> winbind use default domain = no
>
> [space]
> comment = Space Partition Share
> path = /space
> writable = yes
> browsable = yes
> valid users = "EDSADDDM\imguser"

Maybe it should be EDSADDDM+imguser?

> Any ideas?

Hope that helps.

Regards,
Doug
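An added example, not part of the original thread or of Samba's own code: a small Python check for the mismatch pointed out in the reply above, where a share's user list names a domain account with a separator other than the configured winbind separator. The sample config is constructed from the lines quoted in the thread; the function names and the set of recognised separators are assumptions of this example.

```python
import re

# Constructed sample: the relevant [global] and [space] lines quoted in this thread.
SAMPLE_CONF = r'''
[global]
workgroup = EDSADDDM
security = ADS
winbind separator = +
[space]
path = /space
valid users = "EDSADDDM\imguser"
'''

# Share parameters that take user/group name lists.
USER_LISTS = ("valid users", "invalid users", "read list", "write list", "admin users")
SEPARATORS = ("\\", "/", "+")  # separators this check recognises (assumption)

def parse_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def split_names(value):
    """Split a name list on spaces/commas, keeping double-quoted entries whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|([^\s,"]+)', value)]

def separator_mismatches(text):
    """Find DOMAIN-qualified names whose separator differs from 'winbind separator'."""
    conf = parse_conf(text)
    glob = conf.get("global", {})
    sep = glob.get("winbind separator", "\\")  # Samba's default is a backslash
    domain = glob.get("workgroup", "").upper()
    findings = []
    for share, params in conf.items():
        for param in USER_LISTS:
            for name in split_names(params.get(param, "")):
                bare = name.lstrip("@&+")  # drop group-lookup prefixes
                used = bare[len(domain):len(domain) + 1]
                if domain and bare.upper().startswith(domain) and used in SEPARATORS and used != sep:
                    findings.append((share, param, name))
    return findings

if __name__ == "__main__":
    for share, param, name in separator_mismatches(SAMPLE_CONF):
        print(f"[{share}] {param}: {name!r} does not use the configured winbind separator")
```

Run against the configuration quoted in the thread, it flags the `valid users` entry in `[space]`; with the entry changed to `EDSADDDM+imguser` it reports nothing.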
Melfi.Marcello@hydro.qc.ca
2004-Oct-19 17:22 UTC
[Samba] Re: ADS valid users can't map share
Hi Jerry,

Yes, I do use the username map file with Samba 3.0.2a and the DOMAIN security mode. The Samba share is accessed by many workstations exporting data files (via a background application) to it on a regular basis. There is no need to log on to the Samba box; therefore all workstations are using the same Windows account, and this account is associated with a Unix one via the username map file.

I am trying to do the same with Samba 3.0.7 and the ADS security mode.

Note: Although it is up to the Samba team to determine the specifications of the product, I do hope that backward compatibility is kept as much as possible.

Regards,
Marcello

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Tuesday, October 19, 2004 09:22
To: Igor Belyi
Cc: samba@lists.samba.org
Subject: Re: [Samba] Re: ADS valid users can't map share

Igor Belyi wrote:
| Greg Adams wrote:
|
|> Yeah, that solved the problem for valid users. Thanks.
|>
|> However, I now have a different problem. The same kind
|> of logic should apply to the username map, right? But it doesn't seem
|> to.
....
|> username.map:
|>
|> !grega = "EDSADDDM+imguser"
...
|> So... it appears that the username map is not using the domain
|> information.
|
|
| I do believe it should... Could you provide 'log level = 10' from the
| moment 'EDSADDDM+imguser' logs in and till it creates a file? This
| should be logs for the '!grega = "EDSADDDM+imguser"' line in the map
| file.

I just checked on this and it looks like when you are a domain member server, the username map honors the domain portion of the username (on the LHS) when you authenticate using kerberos but not when using NTLM.

Anyone besides me consider that a bug? However, changing behavior is always risky. Are there a lot of people utilizing a username map with a domain member server?

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)