Linda Walsh
2011-Dec-27 15:49 UTC
[Samba] Practicality of fixing samba's case mangling problems?
Samba has multiple areas of case mangling problems that cause incompatibilities when used with windows or linux clients. How viable is the idea of fixing the problems?

Would the sky fall in if it preserved case, but either 'ignored it', or gave preference to matches that included the case as typed (vs. alternate case matches)? The first would be fairly compatible with current Win implementation, but the 2nd would be more compatible when it comes to looking for Domain (and _likely_, machine names).

I've looked at the traffic in an attempted join of workstation 'Athenae' into 'Bliss', which has had its case mangled by samba3. Dialogue goes something like:

Workstation 'Athenae' broadcasts: I want a login user="" to domain Bliss. (a query for a login server, I would gather.)

PDC 'Ishtar' (samba3 on *nix), responds to this login request, "there is no user "" here."

Athenae then responds with a login request for Athenae to 'Bliss' with it marked as a machine/domain trust account. It doesn't send a username, but a unicodename, as domain names can be unicode and upper/lowercase.

Response from Bliss is 'Accepted/ok'.

Athenae now asks for the PDC so it can create a secure channel. It gets back ISHTAR/BLISS.

Win7 doesn't like that. It asked for Bliss, a Domain name, and got back BLISS, a WORKGROUP name. So it issues a weird error message in the middle of it all and fails.

Similar problems happen in serving up a user's profile under the Domain name. On linux, a path /home/BLISS, doesn't give you the same path as /home/Bliss, nor does 'x'/Domain Admins get taken on linux for 'x/domain admins'... so logins don't work unless the case matches.

I've tried many kludge arounds, including symlinks for the differently cased options, as well as multiple entries for the same user in /etc/passwd -- something that causes random behavior depending on how many items are in a cache, its size and who referenced which variant when.

As near as I can tell, this change started with Win2000, and use of port 445 when names larger than the Netbios len of 15 chars were allowed (because names passed over 445, aren't required to be netbios compatible). FWIW, I've seen both BLISS and Bliss on my local net as a workgroup and a Domain and they have different icons.

Since Samba started supporting port 445 speak, it seems like it has also, perhaps unwittingly, undertaken to support case preservation. The alternative is to keep case mangling but only speak on ports 138/139...etc, but to, which I think would work as samba was originally designed, but as soon as features of NT5 were grafted on, samba ran the risk of incompats.

How can we move forward and get this fixed?

Thanks,
Linda
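
The second option proposed in the message above (preserve case, prefer the match in the case as typed, otherwise fall back to a case-insensitive match), as an added example that is not part of the original post and is not Samba code. The names lookup_name, match_kind and sample_names are hypothetical, the table is constructed, and folding is ASCII-only.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Outcome of a case-preserving lookup (hypothetical names). */
enum match_kind { MATCH_NONE, MATCH_EXACT, MATCH_FOLDED, MATCH_AMBIGUOUS };

struct lookup_result {
    enum match_kind kind;
    const char *stored;   /* name exactly as stored, case preserved */
};

/*
 * Resolve `wanted` against `names`:
 *  1. a byte-for-byte match wins (the case as typed),
 *  2. otherwise a single case-insensitive match is returned as stored,
 *  3. several case-insensitive candidates with no exact one are reported
 *     as ambiguous instead of being picked by table order.
 * Assumption: ASCII-only folding via strcasecmp(); real domain names
 * can be Unicode and need a proper case-folding routine.
 */
struct lookup_result lookup_name(const char *const *names, size_t n,
                                 const char *wanted)
{
    struct lookup_result r = { MATCH_NONE, NULL };
    size_t folded = 0;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(names[i], wanted) == 0) {
            r.kind = MATCH_EXACT;
            r.stored = names[i];
            return r;
        }
        if (strcasecmp(names[i], wanted) == 0 && folded++ == 0)
            r.stored = names[i];
    }
    if (folded == 1) {
        r.kind = MATCH_FOLDED;
    } else if (folded > 1) {
        r.kind = MATCH_AMBIGUOUS;   /* caller must not guess */
        r.stored = NULL;
    }
    return r;
}

/* Constructed sample: a domain and a workgroup that differ only in case. */
static const char *const sample_names[] = { "BLISS", "Bliss", "Ishtar" };
```

Reporting the ambiguous case explicitly keeps the result independent of table or cache order, which is the random behaviour the message describes for duplicate entries.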
Linda Walsh
2011-Dec-29 02:58 UTC
[Samba] Practicality of fixing samba's case mangling problems?
Christopher R. Hertel wrote:
> Linda,
>
> If you have filed a bugzilla report,

Date        Title
2011-07-27  *Bug 8325* <https://bugzilla.samba.org/show_bug.cgi?id=8325> - WINS should no longer be changing 'case' on hostnames' inconsistent with domain practice
2011-08-17  *Bug 8380* <https://bugzilla.samba.org/show_bug.cgi?id=8380> - Samba needs to preserve casename on user/group/host to be MS-compat (all versions)
2011-08-29  *Bug 8417* <https://bugzilla.samba.org/show_bug.cgi?id=8417> - Samba needs to not mess with case of domain and host names
2011-09-05  *Bug 8435* <https://bugzilla.samba.org/show_bug.cgi?id=8435> - NMBD altering case of file names causes other subsystems to fail.
---
I've filed a few.

> ... and can identify the code that needs review, that would help.

Well, that's why I'm whining in public... it's a bit too much for me to handle:

The files (just looked at samba3 code):

./auth/auth_builtin.c
./auth/auth_server.c
./auth/auth_util.c
- ./auth/pampass.c
- ./auth/pass_check.c
./client/client.c
?./client/clitar.c
./include/includes.h
./include/proto.h
./lib/afs.c
-./lib/charcnv.c
./lib/eventlog/eventlog.c
./lib/substitute.c
./lib/username.c
./lib/util.c
-./lib/util_str.c
-./lib/util_unistr.c
./libads/ads_struct.c
./libads/dns.c
./libads/kerberos.c
./libads/kerberos_keytab.c
./libads/kerberos_verify.c
./libads/ldap.c
./libads/util.c
./libnet/libnet_join.c
./libsmb/cliconnect.c
./libsmb/clifsinfo.c
./libsmb/clirap.c
./libsmb/clirap2.c
./libsmb/dsgetdcname.c
./libsmb/namecache.c
./libsmb/namequery.c
./libsmb/namequery_dc.c
./libsmb/nmblib.c
./libsmb/nmblib.c
./libsmb/ntlmssp.c
./libsmb/trustdom_cache.c
./modules/vfs_afsacl.c
./modules/vfs_streams_depot.c
./modules/vfs_streams_xattr.c
./nmbd/nmbd_browserdb.c
./nmbd/nmbd_browsesync.c
./nmbd/nmbd_elections.c
?./nmbd/nmbd_incomingdgrams.c
./nmbd/nmbd_incomingdgrams.c
./nmbd/nmbd_incomingrequests.c
./nmbd/nmbd_namelistdb.c
./nmbd/nmbd_sendannounce.c
./nmbd/nmbd_serverlistdb.c
./nmbd/nmbd_winsserver.c
./param/loadparm.c
./passdb/lookup_sid.c
./passdb/pdb_interface.c
./passdb/pdb_ldap.c
./passdb/pdb_tdb.c
./passdb/secrets.c
./printing/lpq_parse.c
./printing/nt_printing.c
./registry/reg_util.c
./rpc_client/cli_pipe.c
./rpc_server/srv_dfs_nt.c
./rpc_server/srv_dssetup_nt.c
./rpc_server/srv_wkssvc_nt.c
./rpcclient/cmd_spoolss.c
./smbd/filename.c
./smbd/lanman.c
-./smbd/mangle_hash.c
./smbd/mangle_hash2.c
./smbd/negprot.c
./smbd/password.c
./smbd/seal.c
./smbd/service.c
./smbd/service.c
./smbd/sesssetup.c
./smbd/smb2_tcon.c
./torture/masktest.c
./torture/torture.c
./utils/net_ads.c
./utils/net_conf.c
./utils/net_idmap.c
./utils/net_rpc.c
./utils/net_rpc_join.c
./utils/net_usershare.c
./utils/ntlm_auth.c
./utils/ntlm_auth_diagnostics.c
./utils/pdbedit.c
./utils/smbcontrol.c
-./utils/smbpasswd.c
./winbindd/idmap_adex/gc_util.c
./winbindd/idmap_ldap.c
./winbindd/wb_fill_pwent.c
./winbindd/winbindd_ads.c
./winbindd/winbindd_cache.c
./winbindd/winbindd_cm.c
./winbindd/winbindd_pam.c
./winbindd/winbindd_util.c
---
Ones with a "-" in front of them mention strup/lo, but don't use it for user or dom mangling. There are a few.

Not really sure about how good the case mangling that is in there is... as it tries to handle unicode, w/out knowing that max UTF-8 len for current unicode (up through bit plane 17), takes 4 bytes, not 5 as the code comments.

Also this made me wonder about making modifications, as I don't know what I might be trying to base code on...

use_as_is:
/*
 * Conversion not supported. This is actually an error, but there are so
 * many misconfigured iconv systems and smb.conf's out there we can't just
 * fail. Do a very bad conversion instead.... JRA.
 */
===
So not sure what one would end up with or what types of incompatibilities one might introduce if one were to try to introduce changes to code that passes through errors... how does one define case for erroneous charset usage?

> How are you at digging into the code?
----
Not A LOT of 'endurance', easily distracted....

> and can identify the code that needs review, that would help. Patches are
> even better.

Last patch of mine got modified into a personal statement by someone about their bad experiences w/the security 'community'[sic]... *ahem*...

> The more specific details that you can provide the better able
> one of us will be to work with you on resolving the problems you are seeing.
>
> Chris -)-----
>

Well, I have raised the issue a few times...