I posted previously about samba prepending a "\" to the user name before lookup. Logins fail when "\user" is looked up instead of "user." I think there's a small bug in the username validation that reply.c makes. The problem is most evident when NIS is in use.
reply.c 922-930:

    /* Work out who's who */
    slprintf(dom_user, sizeof(dom_user) - 1,"%s%s%s",
             dos_to_unix_static(domain), lp_winbind_separator(), user);

    if (sys_getpwnam(dom_user) != NULL) {
        pstrcpy(user, dom_user);
        DEBUG(3,("Using unix username %s\n", dom_user));
    }

This call supposedly validates the <domain>\<user> string. On Solaris, with NIS, a win98 box tries to connect to a samba PDC. There's no domain name passed by the win98 client, but the setup for the string is <domain><winbindseparator><user>. There's no domain - the string is now <><\><user>.

1) If there's no domain, why would a winbind separator do something useful?

2) The wacky thing here is that \user actually returns successfully with NIS.

    jeff@host% getent passwd jeff
    jeff:x:6789:6789::/export/home/jeff:/bin/ksh
    jeff@host% getent passwd \jeff
    jeff:x:6789:6789::/export/home/jeff:/bin/ksh

3) The validation doesn't really validate in this case since the value used is not what the system returned: \jeff != jeff, but the check in reply.c is only for != NULL. When this gets looked up in the samba password db, failure is certain. There's no \jeff in the samba password database.

    sesssetupX:name=[JEFF]
    [2002/08/11 12:21:44, 3] smbd/reply.c:reply_sesssetup_and_X(929)
      Using unix username \JEFF
    [2002/08/11 12:21:44, 2] smbd/reply.c:reply_sesssetup_and_X(982)
      Defaulting to Lanman password for \jeff
    [2002/08/11 12:21:44, 1] smbd/password.c:pass_check_smb(545)
      Couldn't find user '\jeff' in passdb.
    [2002/08/11 12:21:44, 1] smbd/reply.c:reply_sesssetup_and_X(998)
      Rejecting user '\jeff': authentication failed

The end result of this situation is that users from win98 can not log in. Changing

    if (sys_getpwnam(dom_user) != NULL)

to

    if (sys_getpwnam(dom_user) != NULL && strlen(domain) > 0 )

allows win98 to authenticate successfully, but doesn't really address the validation problem.

4) When the client is win2k, which passes a domain in, this code is called to look up getpwnam(<domain><sep><user>). Without some special module, when would a unix system ever return a positive response to this kind of lookup? Compiling --without-winbind I see a failed lookup in the ldap logs for filter="(&(objectclass=posixAccount)(uid=MP\\JEFF))" every time someone logs in. This section adds overhead with extra lookups that are sure to fail. Should it be relocated to a different section so that it's only called when winbind is actually in use?

Thanks,
Jeff
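The following is an added example, not Samba source and not part of Jeff's post. It shows the two checks the post argues are missing from the "work out who's who" block: skip the lookup entirely when no domain was supplied, and accept a getpwnam() answer only when the returned pw_name is exactly the name that was asked for. The passwd lookup is passed in as a function pointer so the NIS behaviour described above (a lookup of "\jeff" answering with jeff's entry) can be reproduced offline; fake_nis_getpwnam, fake_winbind_getpwnam and the two passwd entries are constructed stand-ins, not real directory data, and the "MP\jeff" winbind account is hypothetical.

```c
/*
 * Added example (not Samba source): a stricter version of the reply.c check.
 *   - with an empty domain the lookup is skipped instead of asking for "\user";
 *   - a non-NULL answer is not enough; pw_name must equal the name asked for,
 *     so NIS answering "jeff" for "\jeff" is rejected.
 * The passwd lookup is injected so the NIS behaviour from the post can be
 * simulated offline; the fake entries below are constructed, not real data.
 */
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Same shape as getpwnam(3), so the real one could be passed in. */
typedef struct passwd *(*pwnam_fn)(const char *name);

/* The check as posted, for contrast: any non-NULL answer is accepted. */
static int naive_domain_user_exists(const char *domain, const char *sep,
                                    const char *user, pwnam_fn lookup)
{
    char dom_user[256];
    snprintf(dom_user, sizeof dom_user, "%s%s%s", domain, sep, user);
    return lookup(dom_user) != NULL;
}

/* Stricter check.  Returns 1 and copies the verified unix name into out when
 * the system has an account under exactly "<domain><sep><user>", else 0. */
static int resolve_domain_user(const char *domain, const char *sep,
                               const char *user, pwnam_fn lookup,
                               char *out, size_t outlen)
{
    char dom_user[256];
    struct passwd *pw;
    int n;

    /* No domain (the win98 case): nothing to qualify, so do not build
     * "\user" and do not spend a NIS/LDAP round trip on it. */
    if (domain == NULL || *domain == '\0')
        return 0;

    n = snprintf(dom_user, sizeof dom_user, "%s%s%s", domain, sep, user);
    if (n < 0 || (size_t)n >= sizeof dom_user)
        return 0;

    pw = lookup(dom_user);
    if (pw == NULL)
        return 0;

    /* The missing validation: the name the directory answered with must be
     * the name we asked about.  "\jeff" != "jeff" fails here. */
    if (strcmp(pw->pw_name, dom_user) != 0)
        return 0;

    snprintf(out, outlen, "%s", pw->pw_name);
    return 1;
}

/* ---- constructed stand-ins for getpwnam(), modelled on the post's output ---- */
static struct passwd fake_jeff = {
    .pw_name = "jeff", .pw_passwd = "x", .pw_uid = 6789, .pw_gid = 6789,
    .pw_dir = "/export/home/jeff", .pw_shell = "/bin/ksh",
};
static struct passwd fake_mp_jeff = {   /* hypothetical winbind-backed account */
    .pw_name = "MP\\jeff", .pw_passwd = "x", .pw_uid = 10001, .pw_gid = 10001,
    .pw_dir = "/home/MP/jeff", .pw_shell = "/bin/false",
};

/* NIS as observed in the post: a leading backslash is ignored, so a lookup
 * of "\jeff" comes back as jeff's entry. */
static struct passwd *fake_nis_getpwnam(const char *name)
{
    while (*name == '\\')
        name++;
    return strcmp(name, "jeff") == 0 ? &fake_jeff : NULL;
}

/* The same NIS plus a hypothetical winbind module that knows "MP\jeff". */
static struct passwd *fake_winbind_getpwnam(const char *name)
{
    if (strcmp(name, "MP\\jeff") == 0)
        return &fake_mp_jeff;
    return fake_nis_getpwnam(name);
}

int main(void)
{
    char unix_name[256];

    printf("posted check, no domain, NIS:      %d (accepts \"\\jeff\")\n",
           naive_domain_user_exists("", "\\", "jeff", fake_nis_getpwnam));
    printf("strict check, no domain, NIS:      %d\n",
           resolve_domain_user("", "\\", "jeff", fake_nis_getpwnam,
                               unix_name, sizeof unix_name));
    /* strlen(domain) > 0 alone is not enough: "\jeff" still comes back as jeff */
    printf("strict check, domain \"\\\", NIS:    %d\n",
           resolve_domain_user("\\", "", "jeff", fake_nis_getpwnam,
                               unix_name, sizeof unix_name));
    printf("strict check, MP domain, NIS:      %d\n",
           resolve_domain_user("MP", "\\", "jeff", fake_nis_getpwnam,
                               unix_name, sizeof unix_name));
    if (resolve_domain_user("MP", "\\", "jeff", fake_winbind_getpwnam,
                            unix_name, sizeof unix_name))
        printf("strict check, MP domain, winbind:  1 -> %s\n", unix_name);
    return 0;
}
```

The pw_name comparison is the part the post's strlen(domain) > 0 patch leaves out: it catches any resolver that answers for a name other than the one requested, not just the empty-domain case, and it costs nothing extra because the passwd entry is already in hand. The empty-domain short-circuit also removes the guaranteed-to-fail directory lookup the post sees in the LDAP logs.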