Matthias Schündehütte
2006-Aug-18 19:55 UTC
[Samba] Strange Usermapping problem with 3.0.23b
Yesterday evening I upgraded my FreeBSD 5.5-RELEASE Server from Samba 3.0.22 to 3.0.23. This gave me a LOT of work today... :-(

This is what I found so far:

My Samba-Server is member of a large ADS-Domain. After the upgrade, file based Usermapping didn't work anymore... better: it worked TWICE. (I once opened a PR for that a few years ago :-).

So, with LogLevel 3:

<DOMAIN>\<WinUser> is mapped to <UnixUser>
<DOMAIN>\<UnixUser> is mapped to <DefaultUser>

(I have a line "<DefaultUser> = *" in my 'smbusers.map'-file)

These two lines are immediately following each other, no other log lines in between...

I said this happens on 3.0.23, I verified the same behaviour on 3.0.23b as well.

The very strange thing (at least for me :-) is, that somehow it seems to be dependent on the name resolution (I have 'wins host bcast' in my smb.conf):

If I address the Sambaserver with its WINSname (\\SambaServer), usermapping happens TWICE.

If I use its IP-Address, usermapping happens ONCE (i.e. correctly).

If I use the DNS-Name of the AD-Domain (\\sambaserver.ad.company.com), usermapping happens TWICE.

If I use another DNS-Domain (\\sambaserver.location.company.de), usermapping happens ONCE (i.e. correctly).

I found this more or less by accident, fortunately I'm DNS-Admin of 'location.company.de' :-) so I could try a different DNS-Name...

Somehow it seems to me, that the DomainController submits some strange information which irritates my SambaServer...

Needless to say that this didn't occur with samba-3.0.22. It doesn't occur on another large ADS-Domain either (where I had my Test-Machine), but this is of no use for me, I cannot switch the Domain the server is in... :-(

Any Ideas anybody? Some other test to narrow the error down? I'm willing to cooperate as much as possible, the Samba-Server has >100 productive users...

Thanks in advance - Matthew

--
Ciao/BSD - Matthias

Matthias Schuendehuette <msch [at] snafu.de>, Berlin (Germany)
PGP-Key at <pgp.mit.edu> and <wwwkeys.de.pgp.net> ID: 0xDDFB0A5F
Matthias Schündehütte
2006-Aug-19 07:34 UTC
[Samba] Re: Strange Usermapping problem with 3.0.23b
Hi,

here is some further information: I compared the logfiles of a working and a non-working session and found differences immediately before the usermapping occurs:

in the non-working session:

[2006/08/18 15:12:29, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Message size is incompatible with encryption type
[2006/08/18 15:12:29, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(261)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Message size is incompatible with encryption type
[2006/08/18 15:12:29, 3] smbd/sesssetup.c:reply_spnego_kerberos(207)
  Ticket name is [SchuendeMa@WW004.SIEMENS.NET]
[2006/08/18 15:12:29, 3] smbd/map_username.c:map_username(155)
  Mapped user WW004\SchuendeMa to matthias
[2006/08/18 15:12:29, 3] smbd/map_username.c:map_username(155)
  Mapped user WW004\matthias to smb

In the working session, this 'failure to decrypt' does not occur and the name of my workstation is correctly detected:

[2006/08/18 15:10:56, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[SchuendeMa] domain=[WW004] workstation=[B10R622C] len1=24 len2=24

So why does this decryption work if I use the IP-Address of the server or a non-AD DNS-name and fail if I use the WINS- or AD-DNS name?

--
Ciao/BSD - Matthias

Matthias Schuendehuette <msch [at] snafu.de>, Berlin (Germany)
PGP-Key at <pgp.mit.edu> and <wwwkeys.de.pgp.net> ID: 0xDDFB0A5F
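The symptom reported in this message, two map_username results in a row where the second takes the output of the first as its input, can be searched for in smbd level-3 logs. The following Python is an added example, not part of the original post and not Samba code; the function name is hypothetical, the sample log is constructed with placeholder domain and user names, and the two-line header/message layout is assumed from the excerpt above.

```python
import re

# Message format taken from the log excerpt in the post, e.g.
#   Mapped user DOMAIN\WinUser to unixuser
MAPPED = re.compile(
    r"Mapped user (?:(?P<domain>[^\\\s]+)\\)?(?P<src>\S+) to (?P<dst>\S+)")
# smbd debug header line: "[2006/08/18 15:12:29, 3] file.c:function(line)"
HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")

def find_chained_mappings(log_text):
    """Return (domain, original, intermediate, final) for every pair of
    back-to-back map_username results where the second mapping consumed
    the name produced by the first."""
    findings, prev = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or HEADER.match(line):
            continue                      # headers do not separate mappings
        m = MAPPED.search(line)
        if m is None:
            prev = None                   # another message came in between
            continue
        cur = ((m["domain"] or "").lower(), m["src"], m["dst"])
        # Windows account names are case-insensitive, so compare lowercased.
        if prev and prev[0] == cur[0] and prev[2].lower() == cur[1].lower():
            findings.append((m["domain"] or "", prev[1], prev[2], cur[2]))
        prev = cur
    return findings

# Constructed sample (placeholder domain and users), laid out like the excerpt:
# a Kerberos session that is mapped twice, then an NTLMSSP session mapped once.
SAMPLE_LOG = r"""
[2006/08/18 15:12:29, 3] smbd/sesssetup.c:reply_spnego_kerberos(207)
  Ticket name is [WinUser@EXAMPLE.TEST]
[2006/08/18 15:12:29, 3] smbd/map_username.c:map_username(155)
  Mapped user EXAMPLE\WinUser to unixuser
[2006/08/18 15:12:29, 3] smbd/map_username.c:map_username(155)
  Mapped user EXAMPLE\unixuser to defaultuser
[2006/08/18 15:10:56, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[WinUser] domain=[EXAMPLE] workstation=[WS1] len1=24 len2=24
[2006/08/18 15:10:56, 3] smbd/map_username.c:map_username(155)
  Mapped user EXAMPLE\WinUser to unixuser
"""

if __name__ == "__main__":
    for domain, first, mid, last in find_chained_mappings(SAMPLE_LOG):
        print(f"{domain}\\{first} -> {mid} -> {last}: map applied twice")
```

A hit means a session ended up under the wildcard account instead of the intended Unix user, so file access and ownership for that session should be reviewed.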
Volker Lendecke
2006-Aug-19 14:24 UTC
[Samba] Re: Strange Usermapping problem with 3.0.23b
On Sat, Aug 19, 2006 at 09:33:44AM +0200, Matthias Schündehütte wrote:
> So why does this decryption work if I use the IP-Address of the server
> or a non-AD DNS-name and fail if I use the WINS- or AD-DNS name?

Your Kerberos setup for some reason is broken. If you use the IP address or a cname then the client falls back to ntlmssp.

What Unix and Kerberos do you use?

Volker
What can we do if we have the 3.0.0.23c version already as far as the patch goes?

David Shapiro
Distributed Systems Unix Team Lead
office: 919-765-2011 cellphone: 730-0538

>>> "Gerald (Jerry) Carter" <jerry@samba.org> 8/23/2006 3:10 PM >>>
Matthias Schündehütte wrote:
> Hi Jerry,
>
> On 2006-08-21 23:09:05 +0200, "Gerald (Jerry) Carter" <jerry@samba.org>
> said:
>
>> Does your username map use a ! to stop the parsing.
>> See the man page for details.
>
> Sure! Your question made me uncertain since this could be a typical
> mistake for quick 'n dirty test setups, but I rechecked today: The
> exclamation marks are all there.
>
> I found today another problem: Samba denied a usermapping with the
> message that a domaingroup with the same name exists... nice to know but
> who cares? If I want to access local unix files with the account 'foo',
> what does it matter if there is a windows domain group 'foo'?
>
> I downgraded my production server to 3.0.22 today, but I have now a
> completely identical testserver (same os, same net, same hardware) to
> track down this misbehaviour.

In that case, would you test this patch against 3.0.23b?

http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz

Thanks, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Gerald (Jerry) Carter
2006-Aug-23 20:31 UTC
[Samba] Re: Strange Usermapping problem with 3.0.23b
David Shapiro wrote:
> What can we do if we have the 3.0.0.23c
> version already as far as the patch goes?

I doubt anyone has the full patch. This includes some changes I made last night at 9pm GMT-6 as well as all the other svn commits to the SAMBA_3_0_23 branch post 3.0.23b.

cheers, jerry
Gerald (Jerry) Carter
2006-Aug-24 15:26 UTC
[Samba] Re: Strange Usermapping problem with 3.0.23b
Matthias Schündehütte wrote:
> Hi Jerry,
>
> On 2006-08-23 21:10:56 +0200, "Gerald (Jerry) Carter" <jerry@samba.org>
> said:
>
>> In that case, would you test this patch against 3.0.23b?
>> http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz
>
> tried today - same problems. Sorry for that, but
> the usermapping still happens twice...

ok. Send me your username/map, smb.conf and a full level 10 debug log from smbd off list.

cheers, jerry
This link to the patch location does not work.

David

>>> "Guillermo Gutierrez" <ggutierrez@marketscan.com> 8/23/2006 6:28 PM >>>
"In that case, would you test this patch against 3.0.23b?
http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz"

Hello,

I was trying to apply this patch from Jerry but I don't have any luck doing so. How would one apply this patch? It is not a .patch file. I am rather new at this and I tried to follow the directions on http://samba.org/samba/patches/ but couldn't get it to work. It just gives me that message "Hmmm...I can't seem to find a patch in there anywhere".

These are the commands that I tried to use on my freebsd-6.1 system running samba-3.0.23b:

"patch < patch-3.0.23b-3.0.23c-gwc-1.diffs.gz"

And

"patch -pl < patch-3.0.23b-3.0.23c-gwc-1.diffs.gz"

Thanks in advance for any help.

Guillermo Gutierrez
Not sure. It gave a url not found before. Now it works.

David

>>> "Gerald (Jerry) Carter" <jerry@samba.org> 8/24/2006 1:27 PM >>>
David Shapiro wrote:
> This link to the patch location does not work.
> http://samba.org/~jerry/patches/patch-3.0.23b-3.0.23c-gwc-1.diffs.gz

What doesn't work? I just verified the URL is valid.

cheers, jerry
Matthias Schuendehuette
2006-Aug-25 06:22 UTC
[Samba] Strange Usermapping problem with 3.0.23b
Hello List,

Yesterday evening I upgraded my FreeBSD 5.5-RELEASE Server from Samba 3.0.22 to 3.0.23. This gave me a LOT of work today... :-(

This is what I found so far:

My Samba-Server is member of a large ADS-Domain. After the upgrade, file based Usermapping didn't work anymore... better: it worked TWICE. (I once opened a PR for that a few years ago :-).

So, with LogLevel 3:

<DOMAIN>\<WinUser> is mapped to <UnixUser>
<DOMAIN>\<UnixUser> is mapped to <DefaultUser>

(I have a line "<DefaultUser> = *" in my 'smbusers.map'-file)

These two lines are immediately following each other, no other log lines in between...

I said this happens on 3.0.23, I verified the same behaviour on 3.0.23b as well.

The very strange thing (at least for me :-) is, that somehow it seems to be dependent on the name resolution (I have 'wins host bcast' in my smb.conf):

If I address the Sambaserver with its WINSname (\\SambaServer), usermapping happens TWICE.

If I use its IP-Address, usermapping happens ONCE (i.e. correctly).

If I use the DNS-Name of the AD-Domain (\\sambaserver.ad.company.com), usermapping happens TWICE.

If I use another DNS-Domain (\\sambaserver.location.company.de), usermapping happens ONCE (i.e. correctly).

I found this more or less by accident, fortunately I'm DNS-Admin of 'location.company.de' :-) so I could try a different DNS-Name...

Somehow it seems to me, that the DomainController submits some strange information which irritates my SambaServer...

Needless to say that this didn't occur with samba-3.0.22. It doesn't occur on another large ADS-Domain either (where I had my Test-Machine), but this is of no use for me, I cannot switch the Domain the server is in... :-(

Any Ideas anybody? Some other test to narrow the error down? I'm willing to cooperate as much as possible, the Samba-Server has >100 productive users...

Thanks in advance - Matthew

--
Ciao/BSD - Matthias

Matthias Schuendehuette <msch [at] snafu.de>, Berlin (Germany)
PGP-Key at <pgp.mit.edu> and <wwwkeys.de.pgp.net> ID: 0xDDFB0A5F