Andrew Bartlett
2020-Feb-22 02:18 UTC
[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
On Fri, 2020-02-21 at 20:48 -0500, TomK wrote:> > > > > > "Sadly this really appears to be is a client issue. You see there the > > string Samba gets, so by the time Samba tries the process it the @ is > > already interpreted and the string split. > > > > Sorry! > > > > Andrew Bartlett" > > > > Yeah, wondering if there is a way to tell Samba NOT to split that up and > > treat joe at mds.xyz as a single user. This works fine in Win 10 so I > > agree, it's probably a client SMB configuration issue but would like to > > know exactly what that config issue is. > > > > + or what paramaters I could change to ensure the string isn't split up.You can't change it on the Samba side, you could try logging in as SERVER\joe at mds.xyz or see if you can re-map it server-side with the various username map options. You need to realise that the protocol has a domain field and a username one. Well behaved clients know that user at realm style usernames need to all be in the username field, not split up client-side (and left to the DC to interpret), but even Samba got this wrong for quite some time. I hope this helps, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
TomK
2020-Feb-23 16:05 UTC
[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
On 2/21/2020 9:18 PM, Andrew Bartlett via samba wrote:> On Fri, 2020-02-21 at 20:48 -0500, TomK wrote: >> >> >>> >>> "Sadly this really appears to be is a client issue. You see there the >>> string Samba gets, so by the time Samba tries the process it the @ is >>> already interpreted and the string split. >>> >>> Sorry! >>> >>> Andrew Bartlett" >>> >>> Yeah, wondering if there is a way to tell Samba NOT to split that up and >>> treat joe at mds.xyz as a single user. This works fine in Win 10 so I >>> agree, it's probably a client SMB configuration issue but would like to >>> know exactly what that config issue is. >>> >> >> + or what paramaters I could change to ensure the string isn't split up. > > You can't change it on the Samba side, you could try logging in as > SERVER\joe at mds.xyz or see if you can re-map it server-side with the > various username map options. > > You need to realise that the protocol has a domain field and a username > one. Well behaved clients know that user at realm style usernames need to> all be in the username field, not split up client-side (and left to the > DC to interpret), but even Samba got this wrong for quite some time. > > I hope this helps, > > Andrew Bartlett >I'm seeing what you mean. I'll have to read into the server-side re-map options. No idea where to find them (yet). Looking at the attached logs however, appears the server is already getting the split user. Or am I reading that incorrectly? Attached a log. Right side is the successful WIN 10 login. And left side is the unsuccessful Macbook login session. -- Thx, TK. -------------- next part -------------- doing parameter security = user | doing parameter security = user doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz doing parameter valid users = root | doing parameter valid users = root Got user=[joe] domain=[mds.xyz] workstation=[MACBOOKPRO-0138] len1=24 len2=222 | Got user=[joe] domain=[joe-PC] workstation=[JOE-PC] len1=24 len2=284 doing parameter security = user | doing parameter security = user doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz doing parameter valid users = root | doing parameter valid users = root check_ntlm_password: Checking password for unmapped user [mds.xyz]\[joe]@[MACBOOKPRO-0138| check_ntlm_password: Checking password for unmapped user [joe-PC]\[joe]@[JOE-PC] with the check_ntlm_password: mapped user is: [mds.xyz]\[joe]@[MACBOOKPRO-0138] | check_ntlm_password: mapped user is: [joe-PC]\[joe]@[JOE-PC] check_sam_security: Couldn't find user 'joe' in passdb. | check_sam_security: Couldn't find user 'joe' in passdb. check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N| check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N Auth: [SMB2,(null)] user [mds.xyz]\[joe] at [Sat, 22 Feb 2020 21:59:16.669942 EST] with [N| Auth: [SMB2,(null)] user [joe-PC]\[joe] at [Sat, 22 Feb 2020 21:54:48.742407 EST] with [NT SPNEGO login failed: NT_STATUS_NO_SUCH_USER | SPNEGO login failed: NT_STATUS_NO_SUCH_USER Got user=[joe] domain=[NFS03] workstation=[MACBOOKPRO-0138] len1=24 len2=222 | -------------------------------------------------------------------------------------------- doing parameter security = user | doing parameter security = user doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz doing parameter valid users = root | doing parameter valid users = root check_ntlm_password: Checking password for unmapped user [NFS03]\[joe]@[MACBOOKPRO-0138] | Got user=[joe at mds.xyz] domain=[] workstation=[JOE-PC] len1=24 len2=284 check_ntlm_password: mapped user is: [NFS03]\[joe]@[MACBOOKPRO-0138] | -------------------------------------------------------------------------------------------- check_sam_security: Couldn't find user 'joe' in passdb. | -------------------------------------------------------------------------------------------- check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N| -------------------------------------------------------------------------------------------- Auth: [SMB2,(null)] user [NFS03]\[joe] at [Sat, 22 Feb 2020 21:59:16.684420 EST] with [NTL| -------------------------------------------------------------------------------------------- SPNEGO login failed: NT_STATUS_NO_SUCH_USER | -------------------------------------------------------------------------------------------- Got user=[joe] domain=[mds.xyz@\192.168.0.80] workstation=[MACBOOKPRO-0138] len1=24 len2=2| -------------------------------------------------------------------------------------------- doing parameter security = user | doing parameter security = user doing parameter valid users = %S, %D%w%S | doing parameter valid users = %S, %D%w%S doing parameter valid users = joe at mds.xyz | doing parameter valid users = joe at mds.xyz doing parameter valid users = bob at mds.xyz | doing parameter valid users = bob at mds.xyz doing parameter valid users = root | doing parameter valid users = root check_ntlm_password: Checking password for unmapped user [mds.xyz@\192.168.0.80]\[joe]@[M| check_ntlm_password: Checking password for unmapped user []\[joe at mds.xyz]@[JOE-PC] with t check_ntlm_password: mapped user is: [mds.xyz@\192.168.0.80]\[joe]@[MACBOOKPRO-0138] | check_ntlm_password: mapped user is: []\[joe at mds.xyz]@[JOE-PC] check_sam_security: Couldn't find user 'joe' in passdb. | Forcing Primary Group to 'Domain Users' for joe at mds.xyz check_ntlm_password: Authentication for user [joe] -> [joe] FAILED with error NT_STATUS_N| sam_account_ok: Checking SMB password for user joe at mds.xyz Auth: [SMB2,(null)] user [mds.xyz@\\192.168.0.80]\[joe] at [Sat, 22 Feb 2020 21:59:16.7002| auth_check_ntlm_password: sam_ignoredomain authentication for user [joe at mds.xyz] succeeded SPNEGO login failed: NT_STATUS_NO_SUCH_USER | Auth: [SMB2,(null)] user []\[joe at mds.xyz] at [Sat, 22 Feb 2020 21:54:57.695819 EST] with [ --------------------------------------------------------------------------------------------| check_ntlm_password: authentication for user [joe at mds.xyz] -> [joe at mds.xyz] -> [joe at mds.x --------------------------------------------------------------------------------------------| Successful AuthZ: [SMB2,NTLMSSP] user [NFS03]\[joe at mds.xyz] [S-1-5-21-958209520-3148420287 --------------------------------------------------------------------------------------------| Adding homes service for user 'joe at mds.xyz' using home directory: '/home/mds.xyz/joe' --------------------------------------------------------------------------------------------| adding home's share [joe at mds.xyz] for user 'joe at mds.xyz' at '/home/mds.xyz/joe' --------------------------------------------------------------------------------------------| joe-pc (ipv4:192.168.0.76:50647) connect to service IPC$ initially as user joe at mds.xyz (ui --------------------------------------------------------------------------------------------| Forcing Primary Group to 'Domain Users' for joe at mds.xyz --------------------------------------------------------------------------------------------| Forcing Primary Group to 'Domain Users' for joe at mds.xyz
Rowland penny
2020-Feb-23 16:44 UTC
[Samba] Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
On 23/02/2020 16:05, TomK wrote:> On 2/21/2020 9:18 PM, Andrew Bartlett via samba wrote: >> On Fri, 2020-02-21 at 20:48 -0500, TomK wrote: >>> >>> >>>> >>>> "Sadly this really appears to be is a client issue.? You see there the >>>> string Samba gets, so by the time Samba tries the process it the @ is >>>> already interpreted and the string split. >>>> >>>> Sorry! >>>> >>>> Andrew Bartlett" >>>> >>>> Yeah, wondering if there is a way to tell Samba NOT to split that >>>> up and >>>> treat joe at mds.xyz as a single user.? This works fine in Win 10 so I >>>> agree, it's probably a client SMB configuration issue but would >>>> like to >>>> know exactly what that config issue is. >>>> >>> >>> ?? + or what paramaters I could change to ensure the string isn't >>> split up. >> >> You can't change it on the Samba side, you could try logging in as >> SERVER\joe at mds.xyz or see if you can re-map it server-side with the >> various username map options. >> >> You need to realise that the protocol has a domain field and a username >> one.? Well behaved clients know that user at realm style usernames need to > >> all be in the username field, not split up client-side (and left to the >> DC to interpret), but even Samba got this wrong for quite some time. >> >> I hope this helps, >> >> Andrew Bartlett >> > > > I'm seeing what you mean.? I'll have to read into the server-side > re-map options.? No idea where to find them (yet).Try searching for 'username map'> > Looking at the attached logs however, appears the server is already > getting the split user.? Or am I reading that incorrectly?It looks Windows is sending 'joe at mds.xyz', but your Macbook isn't, it could be sending just 'joe' or 'NFS03\joe' or something else entirely. Rowland
Reasonably Related Threads
- Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
- Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
- Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
- Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10
- Mac OS and interpretation of @ in a username. Ex user@mds.xyz doesn't work on Mac OS but does on Win 10