[Samba] User Authentication and Username Map
Hi to all..

I've set up a Samba domain and am now having a hard time setting up Unix to Windows user mapping. As an example, on the server the user is 'agi', and at the workstation I want 'Alec Joseph' as the user name.

If I log on from a Linux desktop using the alias, the connection goes through:

# sudo tail -f /usr/local/samba/var/log.smbd | grep 'Alec Joseph'
Got user=[Alec Joseph] domain=[RIVERA-HOME] workstation=[THREEPIO] len1=24 len2=24
Mapped user Alec Joseph to agi
check_ntlm_password: Checking password for unmapped user [RIVERA-HOME]\[Alec [EMAIL PROTECTED] with the new password interface
check_ntlm_password: sam authentication for user [Alec Joseph] succeeded
check_ntlm_password: authentication for user [Alec Joseph] - [agi] - [agi] succeeded
register_existing_vuid: User name: agi Real name: Alec Joseph Rivera,,,

However, on a Windows workstation, I cannot log on and am getting these in the log:

SAM Logon (Interactive). Domain:[RIVERA-HOME]. User:[Alec [EMAIL PROTECTED] Requested Domain:[RIVERA-HOME]
check_ntlm_password: Checking password for unmapped user [RIVERA-HOME]\[Alec [EMAIL PROTECTED] with the new password interface
check_ntlm_password: mapped user is: [RIVERA-HOME]\[Alec [EMAIL PROTECTED]
check_sam_security: Couldn't find user 'Alec Joseph' in passdb.
check_ntlm_password: Authentication for user [Alec Joseph] - [Alec Joseph] FAILED with error NT_STATUS_NO_SUCH_USER

From what I understand, the Windows workstation is forcing a lookup on the tdbsamdb backend, right? In the manuals I've read that the mapping is done after the authentication... How can I get the same behavior as from a Linux workstation?

Also, I can see in the logs an Error permission denied on the username map file; is this in a way related?

Thanks...

Ohayou gozaimas,
Agi

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] User Authentication and Username Map
On Sat, Nov 22, 2008 at 4:34 AM, Alec Joseph Rivera [EMAIL PROTECTED] wrote:

> Hi to all..
>
> I've set up a Samba domain and am now having a hard time setting up Unix to Windows user mapping. As an example, on the server the user is 'agi', and at the workstation I want 'Alec Joseph' as the user name.
>
> If I log on from a Linux desktop using the alias, the connection goes through:
>
> # sudo tail -f /usr/local/samba/var/log.smbd | grep 'Alec Joseph'
> Got user=[Alec Joseph] domain=[RIVERA-HOME] workstation=[THREEPIO] len1=24 len2=24
> Mapped user Alec Joseph to agi
> check_ntlm_password: Checking password for unmapped user [RIVERA-HOME]\[Alec [EMAIL PROTECTED] with the new password interface
> check_ntlm_password: sam authentication for user [Alec Joseph] succeeded
> check_ntlm_password: authentication for user [Alec Joseph] - [agi] - [agi] succeeded
> register_existing_vuid: User name: agi Real name: Alec Joseph Rivera,,,
>
> However, on a Windows workstation, I cannot log on and am getting these in the log:
>
> SAM Logon (Interactive). Domain:[RIVERA-HOME]. User:[Alec [EMAIL PROTECTED] Requested Domain:[RIVERA-HOME]
> check_ntlm_password: Checking password for unmapped user [RIVERA-HOME]\[Alec [EMAIL PROTECTED] with the new password interface
> check_ntlm_password: mapped user is: [RIVERA-HOME]\[Alec [EMAIL PROTECTED]
> check_sam_security: Couldn't find user 'Alec Joseph' in passdb.
> check_ntlm_password: Authentication for user [Alec Joseph] - [Alec Joseph] FAILED with error NT_STATUS_NO_SUCH_USER
>
> From what I understand, the Windows workstation is forcing a lookup on the tdbsamdb backend, right? In the manuals I've read that the mapping is done after the authentication... How can I get the same behavior as from a Linux workstation?
>
> Also, I can see in the logs an Error permission denied on the username map file; is this in a way related?
>
> Thanks...
>
> Ohayou gozaimas,
> Agi

Greetings,

Might be nice to see your smb.conf file, less anything that might be a security issue.
Re: [Samba] User Authentication and Username Map
On Sunday 23 November 2008 1:26:48 am Richard Nelson wrote:

> Greetings,
>
> Might be nice to see your smb.conf file, less anything that might be a security issue.

Here's my smb.conf and the username map file. Do you think there might be a configuration somewhere in Windows that maybe is related to this, like use an NTLM auth or something?

Thanks Richard.

-- smb.conf

[global]
# Domain/Workgroup and Host identification
workgroup = rivera-home
netbios name = obiwan
server string = Rivera Home LAN Primary Server

# Browsing options
os level = 40
domain master = yes
local master = yes
preferred master = yes

# WINS options
wins support = yes
name resolve order = wins lmhosts hosts bcast

# Security options
security = user
domain logons = yes

# Common services
logon script = logon-%U.bat
logon path = \\obiwan\profiles\%U
auto services = %U

# Optimizations
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65536 SO_RCVBUF=65536
max xmit = 2048
log level = 3
username map = /usr/local/samba/lib/usrmap

[netlogon]
comment = Rivera Home LAN Logon Service
path = /var/export/samba/netlogon
browseable = no

[profiles]
comment = Rivera Home LAN User Profiles
path = /var/export/samba/profiles
read only = no
browseable = no
create mode = 0600
directory mode = 0700

[homes]
comment = %U's Home Folder
read only = no
browseable = no

[public]
comment = Rivera Home LAN Public Zone
path = /var/export/samba/public
;read list =
write list = agi, joy, wing

[images]
comment = Pictures, Clip Arts and Various Images
path = /var/export/samba/images
;read list =
write list = agi, joy, wing

[tv]
comment = TV Shows
path = /var/export/samba/tv
read list = agi, joy, wing
write list = agi

[music]
comment = Music Library
path = /var/export/samba/music
read list = agi, joy, wing
write list = agi

-- usrmap

agi = Alec Alec Joseph
wing = Jo Annelyn
joy = Jo Angela
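An added illustration, not part of the thread and not Samba's own code: a small Python model of how a `username map` file is read as documented in smb.conf(5) (one `unix = client ...` entry per line, `#`/`;` comments, `!` to stop after a hit, `*` as wildcard, double quotes around names that contain spaces), run over the usrmap posted above. The function names are hypothetical, and the quoted variant of the map assumes the list archive dropped the double quotes from the posted file.

```python
import re

# Constructed input: the map file as it appears in the archived post.
MAP_AS_ARCHIVED = """\
agi = Alec Alec Joseph
wing = Jo Annelyn
joy = Jo Angela
"""

# Constructed input: the same file with multi-word names in double quotes
# (assumption: the list archive dropped the quotes from the original post).
MAP_QUOTED = """\
agi = Alec "Alec Joseph"
wing = "Jo Annelyn"
joy = "Jo Angela"
"""

# Constructed input modelled on the '!' example in smb.conf(5).
MAP_WITH_STOP = """\
!sys = mary fred
guest = *
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_username_map(text):
    """Return [(unix_name, [client_names], stop_if_mapped), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        stop = line.startswith("!")  # '!': stop processing once this line maps
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue  # no "unix = client ..." form on this line
        # Whitespace separates client names; double quotes keep a name
        # that contains spaces together as one entry.
        names = [q if bare == "" else bare for q, bare in _TOKEN.findall(rhs)]
        entries.append((unix_name.strip(), names, stop))
    return entries


def map_username(entries, client_name):
    """Return the Unix account name the map yields for client_name.

    Simplified model: @group/+group/&group entries are not resolved, names
    are compared case-insensitively, and later lines are matched against
    the already-remapped name (assumptions of this sketch).
    """
    current = client_name
    for unix_name, names, stop in entries:
        if any(n == "*" or n.lower() == current.lower() for n in names):
            current = unix_name
            if stop:
                break
    return current


if __name__ == "__main__":
    for label, text in (("archived", MAP_AS_ARCHIVED), ("quoted", MAP_QUOTED)):
        entries = parse_username_map(text)
        for who in ("Alec Joseph", "Joseph", "Jo Annelyn"):
            print(f"{label:9} {who!r:14} -> {map_username(entries, who)!r}")
```

Without quotes, each word becomes its own alias, so a client name of just `Joseph` maps to `agi` while the full `Alec Joseph` does not map at all.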
[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-4512-g5572b01
The branch, v3-3-test has been updated via 5572b01ae515405ca0da3d2913fe30294caa3516 (commit) from 11c4962cf6b6e6f66f5ce5788b331d43bd743248 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test - Log - commit 5572b01ae515405ca0da3d2913fe30294caa3516 Author: Michael Adam [EMAIL PROTECTED] Date: Sat Nov 22 01:51:41 2008 +0100 nfs4_acls: make prototype header match definition for smb_set_nt_acl_nfs4() Add the const from nfs4_acls.c to nfs4_acls.h This fixes my build of the zfsacl module on solaris. Michael --- Summary of changes: source/modules/nfs4_acls.h |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source/modules/nfs4_acls.h b/source/modules/nfs4_acls.h index 0f783aa..a227c6e 100644 --- a/source/modules/nfs4_acls.h +++ b/source/modules/nfs4_acls.h @@ -144,7 +144,7 @@ typedef bool (*set_nfs4acl_native_fn_t)(files_struct *, SMB4ACL_T *); NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp, uint32 security_info_sent, - SEC_DESC *psd, + const SEC_DESC *psd, set_nfs4acl_native_fn_t set_nfs4_native); #endif /* __NFS4_ACLS_H__ */ -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated - a6aa72001e3fdd36112a839cf3e40dd2d636f254
The branch, master has been updated via a6aa72001e3fdd36112a839cf3e40dd2d636f254 (commit) from d205766e60be96449930f270b0a77002dffab278 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a6aa72001e3fdd36112a839cf3e40dd2d636f254 Author: Volker Lendecke [EMAIL PROTECTED] Date: Sat Nov 22 18:31:52 2008 +0100 Add net machinepw Provide a C-based alternative to the python script mymachinepw --- Summary of changes: source4/utils/net/config.mk |1 + source4/utils/net/net.c |2 + source4/utils/net/net_machinepw.c | 91 + 3 files changed, 94 insertions(+), 0 deletions(-) create mode 100644 source4/utils/net/net_machinepw.c Changeset truncated at 500 lines: diff --git a/source4/utils/net/config.mk b/source4/utils/net/config.mk index 93b51e1..b2f0fcf 100644 --- a/source4/utils/net/config.mk +++ b/source4/utils/net/config.mk @@ -16,6 +16,7 @@ PRIVATE_DEPENDENCIES = \ net_OBJ_FILES = $(addprefix $(utilssrcdir)/net/, \ net.o \ + net_machinepw.o \ net_password.o \ net_time.o \ net_join.o \ diff --git a/source4/utils/net/net.c b/source4/utils/net/net.c index 81584e4..4d1b202 100644 --- a/source4/utils/net/net.c +++ b/source4/utils/net/net.c @@ -107,6 +107,8 @@ static const struct net_functable net_functable[] = { {vampire, join and syncronise an AD domain onto the local server\n, net_vampire, net_vampire_usage}, {samsync, synchronise into the local ldb the sam of an NT4 domain\n, net_samsync_ldb, net_samsync_ldb_usage}, {user, manage user accounts\n, net_user, net_user_usage}, + {machinepw, Get a machine password out of our SAM, net_machinepw, +net_machinepw_usage}, {NULL, NULL, NULL, NULL} }; diff --git a/source4/utils/net/net_machinepw.c b/source4/utils/net/net_machinepw.c new file mode 100644 index 000..8c2fac9 --- /dev/null +++ b/source4/utils/net/net_machinepw.c 
@@ -0,0 +1,91 @@ +/* + Samba Unix/Linux SMB client library + Distributed SMB/CIFS Server Management Utility + + Copyright (C) 2008 Volker Lendecke + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include includes.h +#include utils/net/net.h +#include libnet/libnet.h +#include libcli/security/security.h +#include param/secrets.h +#include param/param.h +#include lib/events/events.h + +int net_machinepw_usage(struct net_context *ctx, int argc, const char **argv) +{ + d_printf(net machinepw accountname\n); + return -1; +} + +int net_machinepw(struct net_context *ctx, int argc, const char **argv) +{ + struct ldb_context *secrets; + TALLOC_CTX *mem_ctx; + struct event_context *ev; + struct ldb_message **msgs; + int res; + int num_records; + const char *attrs[] = { secret, NULL }; + const char *secret; + + if (argc != 1) { + net_machinepw_usage(ctx, argc, argv); + return -1; + } + + mem_ctx = talloc_new(ctx); + if (mem_ctx == NULL) { + d_fprintf(stderr, talloc_new failed\n); + return -1; + } + + ev = event_context_init(mem_ctx); + if (ev == NULL) { + d_fprintf(stderr, event_context_init failed\n); + goto fail; + } + + secrets = secrets_db_connect(mem_ctx, ev, ctx-lp_ctx); + if (secrets == NULL) { + d_fprintf(stderr, secrets_db_connect failed\n); + goto fail; + } + + num_records = gendb_search(secrets, mem_ctx, NULL, msgs, attrs, + ((objectclass=primaryDomain) + (samaccountname=%s)), 
argv[0]); + if (num_records != 1) { + d_fprintf(stderr, gendb_search returned %d records, + expected 1\n, num_records); + goto fail; + } + + secret = ldb_msg_find_attr_as_string(msgs[0], secret, NULL); + if (secret == NULL) { + d_fprintf(stderr, machine account contains no secret\n); + goto fail; + } + + printf(%s\n, secret); + talloc_free(mem_ctx); +
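Review bot: In the net.c hunk the new machinepw entry's description has no trailing \n, unlike the samsync and user entries just above it, so the command list will run this line into whatever is printed next; add the newline. The text also says the password comes "out of our SAM", while net_machinepw.c opens the database with secrets_db_connect(), so the description should name the secrets database instead.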
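Review bot: In net_machinepw(), argv[0] is formatted straight into the (samaccountname=%s) part of the filter handed to gendb_search(), so an account name containing filter metacharacters is interpreted as filter syntax rather than matched literally; the num_records != 1 check limits what comes back but does not make the match exact, so encode the value first (ldb provides ldb_binary_encode_string()). The function then writes the machine account secret to stdout with a plain printf(), and net_machinepw_usage() only prints "net machinepw accountname"; say in the usage text that the output is the cleartext secret so callers know to keep it out of logs and shared terminals.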
[SCM] Samba Shared Repository - branch master updated - 84e37eb5f56e2979cae89b96bc25ae746d7efab9
The branch, master has been updated via 84e37eb5f56e2979cae89b96bc25ae746d7efab9 (commit) from a6aa72001e3fdd36112a839cf3e40dd2d636f254 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 84e37eb5f56e2979cae89b96bc25ae746d7efab9 Author: Michael Adam [EMAIL PROTECTED] Date: Sat Nov 22 23:25:14 2008 +0100 s3 build: don't specify ZLIB_LIBS (i.e. -lz) in object collections. This causes make to fail on at least HP-UX and MacOS X with message no rule to make target -lz or similar, when these object collections are specified in dependencies. Michael --- Summary of changes: source3/Makefile.in |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 4a0590c..8498447 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -931,7 +931,7 @@ SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) $(PARAM_OBJ) \ MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ $(LIB_NONSMBD_OBJ) \ -$(LIBNDR_GEN_OBJ0) $(ZLIB_LIBS) +$(LIBNDR_GEN_OBJ0) MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ $(LIB_NONSMBD_OBJ) \ @@ -939,7 +939,7 @@ MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ LOCKTEST_OBJ = torture/locktest.o $(PARAM_OBJ) $(LOCKING_OBJ) $(KRBCLIENT_OBJ) \ $(LIBSMB_OBJ) $(LIB_NONSMBD_OBJ) \ - $(LIBNDR_GEN_OBJ0) $(ZLIB_LIBS) + $(LIBNDR_GEN_OBJ0) NSSTEST_OBJ = torture/nsstest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \ $(LIB_NONSMBD_OBJ) \ @@ -958,7 +958,7 @@ LOG2PCAP_OBJ = utils/log2pcaphex.o LOCKTEST2_OBJ = torture/locktest2.o $(PARAM_OBJ) $(LOCKING_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) \ - $(LIBNDR_GEN_OBJ0) $(ZLIB_LIBS) + $(LIBNDR_GEN_OBJ0) SMBCACLS_OBJ = utils/smbcacls.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ $(KRBCLIENT_OBJ) $(LIB_NONSMBD_OBJ) $(RPC_PARSE_OBJ) \ -- Samba Shared Repository
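Review bot: With $(ZLIB_LIBS) dropped from MASKTEST_OBJ, LOCKTEST_OBJ and LOCKTEST2_OBJ, nothing in these hunks shows where the three programs now get -lz. If they need zlib at link time, the link rules for masktest, locktest and locktest2 should carry $(ZLIB_LIBS) on the link command line, and that belongs in the same commit so the tree does not trade a "no rule to make target -lz" failure for an unresolved-symbol failure at link time.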
Build status as of Sun Nov 23 00:00:01 2008
URL: http://build.samba.org/ --- /home/build/master/cache/broken_results.txt.old 2008-11-22 00:00:17.0 + +++ /home/build/master/cache/broken_results.txt 2008-11-23 00:01:02.0 + @@ -1,4 +1,4 @@ -Build status as of Sat Nov 22 00:00:01 2008 +Build status as of Sun Nov 23 00:00:01 2008 Build counts: Tree Total Broken Panic @@ -14,9 +14,9 @@ rsync32 13 0 samba-docs 0 0 0 samba-gtk5 5 0 -samba_3_X_devel 28 25 1 -samba_3_X_test 28 17 0 -samba_4_0_test 31 28 1 +samba_3_X_devel 28 19 1 +samba_3_X_test 28 15 0 +samba_4_0_test 30 29 1 smb-build30 7 0 talloc 32 32 0 tdb 32 12 0
[SCM] Samba Shared Repository - branch master updated - 71c782c72af496c86491d16ef384a5b320f9616f
The branch, master has been updated via 71c782c72af496c86491d16ef384a5b320f9616f (commit) from 84e37eb5f56e2979cae89b96bc25ae746d7efab9 (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 71c782c72af496c86491d16ef384a5b320f9616f Author: Michael Adam [EMAIL PROTECTED] Date: Sun Nov 23 01:11:29 2008 +0100 s3-build: do not auto-genereate ndr tables but use checked-in tables. This removes the build-dependency on perl that was introduced in commit e0905c30908b4d621030689d33de28a13c04a690. The tables can now be re-built with make ndr-tables. This is also called by make samba3-idl to ensure that the tables are updated after idl changes. This hopefully fixes the build on some build farm hosts (e.g. gwen). Michael --- Summary of changes: source3/Makefile.in |9 ++--- 1 files changed, 6 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/Makefile.in b/source3/Makefile.in index 8498447..60ea4e2 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1235,10 +1235,13 @@ samba3-idl:: ../librpc/idl/ntsvcs.idl librpc/idl/libnetapi.idl ../librpc/idl/drsuapi.idl \ ../librpc/idl/drsblobs.idl ../librpc/idl/nbt.idl \ ../librpc/idl/named_pipe_auth.idl librpc/idl/dom_sid.idl + @$(MAKE) ndr-tables -librpc/gen_ndr/tables.c:: librpc/gen_ndr/*.h - @echo Generating $@ - @$(PERL) ../librpc/tables.pl $^ $@ +NDR_TABLES = librpc/gen_ndr/tables.c + +ndr-tables:: librpc/gen_ndr/*.h + @echo Generating $(NDR_TABLES) + @$(PERL) ../librpc/tables.pl $^ $(NDR_TABLES) # -- Samba Shared Repository
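Review bot: After this hunk librpc/gen_ndr/tables.c has no rule of its own, so a change to any librpc/gen_ndr/*.h that does not go through make samba3-idl leaves the checked-in tables.c stale without any build error. Either document next to NDR_TABLES that make ndr-tables must be re-run and the result committed whenever those headers change, or add a check that fails when the committed file differs from a fresh run. The ndr-tables target also names no file, so it should be declared .PHONY to keep a stray file of that name from silencing the rule.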
[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-69-ga2329ec
The branch, v3-0-test has been updated via a2329ec0eea66108f44dae3853e578dbbf835f96 (commit) via 06f19e52489b3253ea4292795e4c73fa94cfd392 (commit) from cc97e2a0d51f52a79982ac265f073d3829c1357a (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test - Log - commit a2329ec0eea66108f44dae3853e578dbbf835f96 Author: Michael Adam [EMAIL PROTECTED] Date: Sat Nov 22 00:43:43 2008 +0100 winbindd: make all winbind rpc-methods static. Now that the methods are no longer needed in winbindd_ads, we can make them static again. Michael commit 06f19e52489b3253ea4292795e4c73fa94cfd392 Author: Michael Adam [EMAIL PROTECTED] Date: Sat Nov 22 00:42:54 2008 +0100 winbindd_ads: use the reconnect methods instead of the rpc methods directly Some of the ads methods just point to the rpc methods. This makes winbindd_ads use the reconnect methods instead of calling the rpc methods directly in order to prevent negative cache entries for e.g. name_to_sid, when the dc has closed the connection without sending a reset. Michael --- Summary of changes: source/nsswitch/winbindd_ads.c | 80 +--- source/nsswitch/winbindd_rpc.c | 61 +++--- 2 files changed, 105 insertions(+), 36 deletions(-) Changeset truncated at 500 lines: diff --git a/source/nsswitch/winbindd_ads.c b/source/nsswitch/winbindd_ads.c index 01f9413..8cb5f39 100644 --- a/source/nsswitch/winbindd_ads.c +++ b/source/nsswitch/winbindd_ads.c 
@@ -390,6 +390,46 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, return NT_STATUS_OK; } +/* convert a single name to a sid in a domain - use rpc methods */ +static NTSTATUS name_to_sid(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const char *domain_name, + const char *name, + DOM_SID *sid, + enum lsa_SidType *type) +{ + return reconnect_methods.name_to_sid(domain, mem_ctx, +domain_name, name, +sid, type); +} + +/* convert a domain SID to a user or group name - use rpc methods */ +static NTSTATUS sid_to_name(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *sid, + char **domain_name, + char **name, + enum lsa_SidType *type) +{ + return reconnect_methods.sid_to_name(domain, mem_ctx, sid, +domain_name, name, type); +} + +/* convert a list of rids to names - use rpc methods */ +static NTSTATUS rids_to_names(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + const DOM_SID *sid, + uint32 *rids, + size_t num_rids, + char **domain_name, + char ***names, + enum lsa_SidType **types) +{ + return reconnect_methods.rids_to_names(domain, mem_ctx, sid, + rids, num_rids, + domain_name, names, types); +} + /* convert a DN to a name, SID and name type this might become a major speed bottleneck if groups have lots of users, in which case we could cache the results @@ -831,6 +871,18 @@ done: return status; } +/* Lookup aliases a user is member of - use rpc methods */ +static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + uint32 num_sids, const DOM_SID *sids, + uint32 *num_aliases, uint32 **alias_rids) +{ + return reconnect_methods.lookup_useraliases(domain, mem_ctx, + num_sids, sids, + num_aliases, + alias_rids); +} + /* find the members of a group, given a group rid and domain */ 
@@ -1035,6 +1087,22 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) return ads_ntstatus(rc); } +/* find the lockout policy of a domain - use rpc methods */ +static NTSTATUS lockout_policy(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + SAM_UNK_INFO_12 *policy) +{ + return reconnect_methods.lockout_policy(domain, mem_ctx, policy); +} + +/* find the password policy of a domain - use rpc methods */
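Review bot: The comments on the new wrappers in winbindd_ads.c (name_to_sid, sid_to_name, rids_to_names, lookup_useraliases, lockout_policy) all end in "use rpc methods", but each body calls reconnect_methods.*, which is the whole point of the commit. Change the comments to "use reconnect methods", and consider one sentence above the first wrapper saying why the rpc methods must not be called directly here (a DC that dropped the connection would otherwise produce negative cache entries, per the commit message), so nobody later points the ads method table back at the rpc functions.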
[SCM] Samba Shared Repository - branch master updated - 09bc3a2f9c3847aafdb2e6cc2651baba62f2489e
The branch, master has been updated via 09bc3a2f9c3847aafdb2e6cc2651baba62f2489e (commit) from 71c782c72af496c86491d16ef384a5b320f9616f (commit) http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 09bc3a2f9c3847aafdb2e6cc2651baba62f2489e Author: Michael Adam [EMAIL PROTECTED] Date: Sun Nov 23 01:59:30 2008 +0100 s3 build: when detecting to use internal zlib, put -I../lib/zlib first in CFLAGS This should fix a build error on our Tru64 build farm box where a zlib.h is found in an include path handed in via external CFLAGS, but that zlib.h belongs to an old zlib. So in ndr_compression.c, #include zlib.h includes the wrong header for the internal zlib. Michael --- Summary of changes: source3/configure.in |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/configure.in b/source3/configure.in index 287189f..9214d03 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -6256,7 +6256,7 @@ AC_ZLIB([ZLIB_OBJS=], [ do ZLIB_OBJS=$ZLIB_OBJS ../lib/zlib/$o done - CFLAGS=$CFLAGS -I../lib/zlib + CFLAGS=-I../lib/zlib $CFLAGS ]) dnl Remove -L/usr/lib/? from LDFLAGS and LIBS -- Samba Shared Repository
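Review bot: The reordered assignment CFLAGS=-I../lib/zlib $CFLAGS in the AC_ZLIB fallback carries no comment saying why the internal include path must come first, and that order is exactly what the fix depends on. Add a dnl line above it noting that the bundled zlib.h has to win over any zlib.h reachable through externally supplied CFLAGS, so a later cleanup does not move the -I back to the end.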