samba - Aug 2005 - Username.map works in 2.2.8a, doesn't work in 3.0.14a

I'm a bit puzzled. I am able to map an account without any problem on
Samba 2.2.8a (security=domain). However, access fails with Samba
3.0.14a when everything else is the same (same configuration files).

Any advice as to the cause of the problems (and its solution) would be
appreciated.

>From 2.2.8a logs
[2005/08/24 14:59:51, 3, pid=7767] smbd/reply.c:(880)
  Domain=[americase]  NativeOS=[Windows 2002 Service Pack 2 2600]
NativeLanMan=[Windows 2002 5.1]
[2005/08/24 14:59:51, 3, pid=7767] smbd/reply.c:(890)
  sesssetupX:name=[pnmadm09]
[2005/08/24 14:59:51, 3, pid=7767] lib/username.c:(168)
  Mapped user pnmadm09 to pnmadm
[2005/08/24 14:59:51, 3, pid=7767] libsmb/namequery.c:(769)
  resolve_lmhosts: Attempting lmhosts lookup for name ZRTPD0PP<0x20>
[2005/08/24 14:59:51, 3, pid=7767] lib/util_sock.c:(845)
  Connecting to 47.140.205.113 at port 445

[2005/08/24 14:59:52, 3, pid=7767] smbd/password.c:(340)
  User name: pnmadm     Real name: PNM Admin,PSD17792

[2005/08/24 14:59:52, 3, pid=7767] smbd/password.c:(736)
  authorise_login: ACCEPTED: validated uid ok as non-guest (user=pnmadm)

[2005/08/24 14:59:52, 1, pid=7767] smbd/service.c:(636)
  boehm-1 (47.143.20.49) connect to service export as user pnmadm (uid=34344,
gid=4794) (pid 7767)

>From 3.0.14a logs
[2005/08/24 15:09:11, 3, pid=10515] libsmb/ntlmssp.c:(606)
  Got user=[pnmadm09] domain=[americase] workstation=[BOEHM-1] len1=24 len2=24
[2005/08/24 15:09:11, 3, pid=10515] lib/username.c:(173)
  Mapped user pnmadm09 to pnmadm

[2005/08/24 15:09:11, 3, pid=10515] auth/auth.c:(219)
  check_ntlm_password:  Checking password for unmapped user
[americase]\[pnmadm09]@[BOEHM-1] with the new password interface
[2005/08/24 15:09:11, 3, pid=10515] auth/auth.c:(222)
  check_ntlm_password:  mapped user is: [americase]\[pnmadm]@[BOEHM-1]

[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118)
  connect_to_domain_password_server: unable to setup the NETLOGON credentials to
machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 3, pid=10515] libsmb/cliconnect.c:(1406)
  Connecting to host=ZRTPD0PP
[2005/08/24 15:09:11, 3, pid=10515] lib/util_sock.c:(752)
  Connecting to 47.140.205.113 at port 445
[2005/08/24 15:09:11, 3, pid=10515] rpc_client/cli_netlogon.c:(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118)
  connect_to_domain_password_server: unable to setup the NETLOGON credentials to
machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 3, pid=10515] libsmb/cliconnect.c:(1406)
  Connecting to host=ZRTPD0PP
[2005/08/24 15:09:11, 3, pid=10515] lib/util_sock.c:(752)
  Connecting to 47.140.205.113 at port 445
[2005/08/24 15:09:11, 3, pid=10515] rpc_client/cli_netlogon.c:(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118)
  connect_to_domain_password_server: unable to setup the NETLOGON credentials to
machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(170)
  domain_client_validate: Domain password server not available.
[2005/08/24 15:09:11, 2, pid=10515] auth/auth.c:(312)
  check_ntlm_password:  Authentication for user [pnmadm09] -> [pnmadm] FAILED
wi
th error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2005/08/24 15:09:21, 3, pid=105

-- 
Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm@nortel.com               \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail

On Wed, Aug 24, 2005 at 03:26:23PM -0400, Boehm, Eric [GWRTP:CM21:EXCH]
wrote:
>>>>> "Eric" == Boehm, Eric [GWRTP:CM21:EXCH]
<Boehm> writes:
    Eric> I'm a bit puzzled. I am able to map an account without any
    Eric> problem on Samba 2.2.8a (security=domain). However, access
    Eric> fails with Samba 3.0.14a when everything else is the same
    Eric> (same configuration files).

    Eric> Any advice as to the cause of the problems (and its
    Eric> solution) would be appreciated.

I'll follow up and answer my own question. The problem is that I
didn't understand the Release notes for 3.0.8

  =====================  Change in Username Map
  =====================
  Previous Samba releases would only support reading the fully qualified
  username (e.g. DOMAIN\user) from the username map when performing a
  kerberos login from a client.  However, when looking up a map
  entry for a user authenticated by NTLM[SSP], only the login name would be
  used for matches.  This resulted in inconsistent behavior sometimes
  even on the same server.

  Samba 3.0.8 obeys the following rules when applying the username
  map functionality:

    * When performing local authentication, the username map is
      applied to the login name before attempting to authenticate
      the connection.
    * When relying upon a external domain controller for validating
      authentication requests, smbd will apply the username map
      to the fully qualified username (i.e. DOMAIN\user) only
      after the user has been successfully authenticated.

Previously, I had used

unix_user = windows_user

After reading the notes above, I tried

DOMAIN\unix_user = windows_user

I should have used (and this did work)

unix_user = DOMAIN\windows_user

-- 
Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm@nortel.com               \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail