Montenegro, Michael H (Michael)
2005-Dec-24 06:19 UTC
[Samba] 3.0.20 usermap script execution
I have created a mapusers.bash script (listed below) for mapping Active
Directory handles to unix logins. This script is currently working as
documented. I would like some insight into how and when this script gets
called. I assumed that upon establishing each samba connection, after the
active directory handle gets authenticated with the domain controller it passes
the domain\handle to this script to determine the unix login to use. However,
it seems to execute this script multiple times to establish a connection. I
have tested this out by clearing the cache using nbtstat -R on the client and
running smbstatus -u username and killing the procids then reconnecting. Samba
consistently will pass just the active directory handle without the domain first
which succeeds because my script will find the correct unix login to map to
without the domain. Immediately after, Samba will pass the script the
domain\handle which will also succeed. Why is this? Throughout the life of
the connection it will continue to intermittently pass the active directory
handle without the domain.
Samba version 3.0.20
Configuration: ./configure --prefix=/opt/samba-3.0.20 --with-smbwrapper
--with-nis --with-quotas --with-syslog --with-included-popt
OS: Solaris 8
#!/bin/bash
if [ -n "$1" ]
then
    echo "$1" >> /tmp/mhm4in #line needed for debugging
    #cut off the na0x\ part of input (cut prints the whole line when there is no '\')
    na0xlogin=`echo "$1" | cut -d '\' -f2`
    #search for a different unix login; users.map lines are "unixlogin adlogin",
    #so match the AD login as the last field of the line
    unixlogin=`ypcat users.map | grep " $na0xlogin$" | cut -d ' ' -f1`
    if [[ -n "$unixlogin" ]]
    then
        #if unixlogin is in the users.map then return it
        echo "$unixlogin"
        echo "$unixlogin" >> /tmp/mhm4out #debugging only
    else
        #find unixlogin in NIS passwd map then return it
        unixlogin=`ypcat passwd | cut -d ':' -f1 | grep "^$na0xlogin$"`
        echo "$unixlogin"
        echo "$unixlogin" >> /tmp/mhm4out #debugging only
    fi
    # below if statement for debugging only
    if [[ -z "$unixlogin" ]]
    then
        #report to /tmp/mhm4error for any requests with no unix login
        echo "$na0xlogin" >> /tmp/mhm4error #debugging only
    fi
    #the fixed-name files in /tmp are for debugging only; on a shared host another
    #user can pre-create or symlink them, so drop these lines once debugging is done
else
    echo "You must enter a name to search."
    exit 1
fi
smb.conf global section
*********************
[global]
debug level = 3
security = domain
encrypt passwords = yes
password server = *
netbios name = server1
netbios aliases = server1 server1a
username map script = /opt/samba/lib/mapusers.bash
server string = %h (Samba %v)
workgroup = domain1
wins proxy = no
dns proxy = no
wins support = no
wins server = w.x.y.z
guest account = nobody
lock directory = /opt/samba/var/locks
browseable = no
create mask = 775
directory mask = 775
delete readonly = yes
name resolve order = wins lmhosts host bcast
case sensitive = no
preserve case = yes
short preserve case = yes
domain master = no
local master = no
preferred master = no
os level = 0
remote announce = w.x.y.255
log file = /opt/samba/var/%I.log
max log size = 1000
auto services = Unison
locking = yes
strict locking = no
dead time = 15
load printers = no
printing = sysv
lpq cache time = 0
map archive = no
read only = no
bind interfaces only = yes
interfaces = a.b.c.d
socket options = SO_KEEPALIVE
smb ports = 139
Gerald (Jerry) Carter
[Samba] 3.0.20 usermap script execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Montenegro, Michael H (Michael) wrote:
> I have created a mapusers.bash script (listed below) for
> mapping Active Directory handles to unix logins. This
> script is currently working as documented. I would like
> some insight into how and when this script gets called. I
> assumed that upon establishing each samba connection, after
> the active directory handle gets authenticated with the domain
> controller it passes the domain\handle to this script to
> determine the unix login to use. However, it seems to
> execute this script multiple times to establish a connection.
> I have tested this out by clearing the cache using nbtstat
> -R on the client and running smbstatus -u username and
> killing the procids then reconnecting. Samba consistently
> will pass just the active directory handle without the
> domain first which succeeds because my script will find the
> correct unix login to map to without the domain. Immediately
> after, Samba will pass the script the domain\handle which will
> also succeed. Why is this?
grep for map_username() in the samba source tree. Every time
that function gets called, your script will be called, assuming
smbd is trying to map a new name. Samba has to jump through a
lot of hoops when it comes to usernames, which is why it
frequently tries to look up the unqualified name as well as the
fully qualified version.
cheers, jerry
====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us."
--anonymous
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDvDpuIR7qMdg1EfYRAsorAJ9jbdCKsGpMvd4XUPIsVtCBy5OYwACgjLlY
fuXBc+g9F2UquvQMsHtGz34=
=CQZ8
-----END PGP SIGNATURE-----
Montenegro, Michael H (Michael)
2006-Jan-08 00:36 UTC
[Samba] 3.0.20 usermap script execution
Thanks for your reply Jerry.
After reviewing the code, it seems like samba is sending both the unqualified
name as well as the fully qualified name to address backwards compatibility.
Looking at the release notes from 3.0.8, I see that development decided to
"only support reading the fully qualified username" for consistency
with Kerberos. Therefore, user.maps should contain unix login to fully qualified
user name mappings only. I believe if the code was changed to only pass the
fully qualified username to the username map script, it should not affect any
functionality since the user.map is already being forced to be in the fully
qualified domain format.
Michael Montenegro
P.S. "canonicalize" sounds made up. :^)
lib/username.c
/*******************************************************************
Map a username from a dos name to a unix name by looking in the username
map. Note that this modifies the name in place.
This is the main function that should be called *once* on
any incoming or new username - in order to canonicalize the name.
This is being done to de-couple the case conversions from the user mapping
function. Previously, the map_username was being called
every time Get_Pwnam was called.
Returns True if username was changed, false otherwise.
********************************************************************/
Samba 3.0.8 release notes:
=====================
Change in Username Map
=====================
Previous Samba releases would only support reading the fully qualified
username (e.g. DOMAIN\user) from the username map when performing a
kerberos login from a client. However, when looking up a map
entry for a user authenticated by NTLM[SSP], only the login name would be
used for matches. This resulted in inconsistent behavior sometimes
even on the same server.
Samba 3.0.8 obeys the following rules when applying the username
map functionality:
* When performing local authentication, the username map is
applied to the login name before attempting to authenticate
the connection.
* When relying upon a external domain controller for validating
authentication requests, smbd will apply the username map
to the fully qualified username (i.e. DOMAIN\user) only
after the user has been successfully authenticated.
-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Wednesday, January 04, 2006 3:13 PM
To: Montenegro, Michael H (Michael)
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] 3.0.20 usermap script execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Montenegro, Michael H (Michael) wrote:
> I have created a mapusers.bash script (listed below) for
> mapping Active Directory handles to unix logins. This
> script is currently working as documented. I would like
> some insight into how and when this script gets called. I
> assumed that upon establishing each samba connection, after
> the active directory handle gets authenticated with the domain
> controller it passes the domain\handle to this script to
> determine the unix login to use. However, it seems to
> execute this script multiple times to establish a connection.
> I have tested this out by clearing the cache using nbtstat
> -R on the client and running smbstatus -u username and
> killing the procids then reconnecting. Samba consistently
> will pass just the active directory handle without the
> domain first which succeeds because my script will find the
> correct unix login to map to without the domain. Immediately
> after, Samba will pass the script the domain\handle which will
> also succeed. Why is this?
grep for map_username() in the samba source tree. Every time
that function gets called, your script will be called, assuming
smbd is trying to map a new name. Samba has to jump through a
lot of hoops when it comes to usernames, which is why it
frequently tries to look up the unqualified name as well as the
fully qualified version.
cheers, jerry
====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us."
--anonymous
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDvDpuIR7qMdg1EfYRAsorAJ9jbdCKsGpMvd4XUPIsVtCBy5OYwACgjLlY
fuXBc+g9F2UquvQMsHtGz34=
=CQZ8
-----END PGP SIGNATURE-----
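The thread establishes two things a username map script has to live with: smbd calls it with both the bare login and the DOMAIN\user form (Jerry's reply), and after 3.0.8 the map is applied to the fully qualified name once the domain controller has authenticated the user. The posted script discards the domain before looking the name up, so a user with the same login in any other domain smbd trusts would land on the same unix account, and the login is passed into grep as a pattern. The script below is an added example, not the poster's script and not Samba code: it accepts both name forms, maps only logins from an allowlisted domain, rejects logins with characters outside a safe set, and matches map entries as exact fields. ALLOWED_DOMAINS (taken from the workgroup in the posted smb.conf), the map and passwd contents and every user name in them are constructed; ypcat is replaced by plain files so the example runs offline.

```shell
#!/bin/bash
# Added example (not the list poster's script): a Samba "username map script"
# that tolerates both "user" and "DOMAIN\user", restricts the domain, validates
# the login and matches map entries exactly. Sample data below is constructed.

# Domains whose users may be mapped (assumption: DOMAIN1 is the smb.conf workgroup).
ALLOWED_DOMAINS="DOMAIN1"

# split_name NAME: sets $domain (upper-cased, may be empty) and $login.
# Returns 1 if the login is empty or has characters outside [A-Za-z0-9._-].
split_name() {
    name=$1
    case $name in
        *\\*) domain=${name%%\\*}; login=${name##*\\} ;;
        *)    domain=""; login=$name ;;
    esac
    case $login in
        "" | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # NT domain names compare case-insensitively.
    domain=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    return 0
}

# map_username NAME MAPFILE PASSWDFILE
# Prints the unix login and returns 0; prints nothing and returns 1 when the
# name is malformed, from a domain not in ALLOWED_DOMAINS, or unknown.
map_username() {
    split_name "$1" || return 1
    mapfile=$2; passwdfile=$3
    if [ -n "$domain" ]; then
        found=0
        for d in $ALLOWED_DOMAINS; do
            if [ "$d" = "$domain" ]; then found=1; fi
        done
        if [ "$found" -ne 1 ]; then return 1; fi
    fi
    # Map lines are "unixlogin adlogin"; awk compares field 2 as a string, so the
    # login is never interpreted as a regular expression.
    unix=$(awk -v want="$login" '$2 == want { print $1; exit }' "$mapfile")
    if [ -z "$unix" ]; then
        # Fall back to a passwd entry with exactly the same login.
        unix=$(awk -F: -v want="$login" '$1 == want { print $1; exit }' "$passwdfile")
    fi
    if [ -z "$unix" ]; then return 1; fi
    printf '%s\n' "$unix"
}

# Constructed stand-ins for `ypcat users.map` and `ypcat passwd`.
make_sample_files() {
    SAMPLE_MAP=$(mktemp); SAMPLE_PASSWD=$(mktemp)
    cat > "$SAMPLE_MAP" <<'EOF'
jsmith john.smith
mhm4 mmontenegro
EOF
    cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
EOF
}

# Stand-alone use: ./mapusers.bash 'DOMAIN1\john.smith' prints "jsmith".
if [ $# -gt 0 ]; then
    make_sample_files
    map_username "$1" "$SAMPLE_MAP" "$SAMPLE_PASSWD"
    rm -f "$SAMPLE_MAP" "$SAMPLE_PASSWD"
fi
```

Samba expects the script to print a single line with the mapped name; printing nothing leaves the incoming name unmapped, which is the safe outcome for a login from an unexpected domain. In a real deployment the two awk lookups would read from `ypcat users.map` and `ypcat passwd` instead of the temporary files.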