Re: [Samba] Username.map works in 2.2.8a, doesn't work in 3.0.14a - SOLVED

2005-08-29 Thread Eric Boehm
On Wed, Aug 24, 2005 at 03:26:23PM -0400, Boehm, Eric [GWRTP:CM21:EXCH] wrote:
>>>>> "Eric" == Boehm, Eric [GWRTP:CM21:EXCH] writes:

Eric> I'm a bit puzzled. I am able to map an account without any
Eric> problem on Samba 2.2.8a (security=domain). However, access
Eric> fails with Samba 3.0.14a when everything else is the same
Eric> (same configuration files).

Eric> Any advice as to the cause of the problems (and its
Eric> solution) would be appreciated.

I'll follow up and answer my own question. The problem is that I
didn't understand the Release notes for 3.0.8:

  ======================
  Change in Username Map
  ======================

  Previous Samba releases would only support reading the fully qualified
  username (e.g. DOMAIN\user) from the username map when performing a
  kerberos login from a client.  However, when looking up a map
  entry for a user authenticated by NTLM[SSP], only the login name would be
  used for matches.  This resulted in inconsistent behavior sometimes
  even on the same server.

  Samba 3.0.8 obeys the following rules when applying the username
  map functionality:

  * When performing local authentication, the username map is
    applied to the login name before attempting to authenticate
    the connection.
  * When relying upon an external domain controller for validating
    authentication requests, smbd will apply the username map
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated.

Previously, I had used

unix_user = windows_user

After reading the notes above, I tried

DOMAIN\unix_user = windows_user

I should have used (and this did work)

unix_user = DOMAIN\windows_user

-- 
Eric M. Boehm            /\   ASCII Ribbon Campaign
[EMAIL PROTECTED]        \ /  No HTML or RTF in mail
                          X   No proprietary word-processing
Respect Open Standards   / \  files in mail
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
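
Added example (not part of the original message and not Samba's code): a simplified Python model of the two rules quoted from the 3.0.8 release notes, showing which of the three map entries tried above can match when an external domain controller validates the login. It assumes the default backslash separator and case-insensitive matching, uses the placeholder names from the message, and ignores @group entries and quoted names.

```python
# Added example: simplified model of how smbd (Samba >= 3.0.8) picks the name
# it looks up in the username map. Not Samba source code.

def parse_map(text):
    """Parse username-map text into [(unix_name, [client_names], stop)]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        stop = line.startswith("!")            # '!' = stop after this line matches
        unix, sep, clients = line.lstrip("!").partition("=")
        if sep:
            entries.append((unix.strip(), clients.split(), stop))
    return entries

def lookup_name(login, domain, external_dc):
    """External DC: DOMAIN\\user (applied after auth). Local auth: login name."""
    return f"{domain}\\{login}" if external_dc else login

def map_user(entries, login, domain, external_dc):
    """Return the mapped Unix name, or None if no line matched."""
    name, mapped = lookup_name(login, domain, external_dc), False
    for unix, clients, stop in entries:
        if any(c == "*" or c.lower() == name.lower() for c in clients):
            name, mapped = unix, True
            if stop:
                break
    return name if mapped else None

def unqualified_clients(entries):
    """Client names that can never equal a DOMAIN\\user lookup name."""
    return [c for _, clients, _ in entries for c in clients
            if "\\" not in c and c != "*" and not c.startswith("@")]

# The three forms from the message (placeholder names as written there).
ATTEMPTS = [
    r"unix_user = windows_user",
    r"DOMAIN\unix_user = windows_user",
    r"unix_user = DOMAIN\windows_user",
]

if __name__ == "__main__":
    for text in ATTEMPTS:
        entries = parse_map(text)
        print(f"{text!r:40} domain-auth -> "
              f"{map_user(entries, 'windows_user', 'DOMAIN', True)}  "
              f"unqualified: {unqualified_clients(entries)}")
```

Running unqualified_clients() over an existing map before moving a security=domain server to 3.0.8 or later lists the entries that will silently stop matching.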


[Samba] Username.map works in 2.2.8a, doesn't work in 3.0.14a

2005-08-24 Thread Eric Boehm
I'm a bit puzzled. I am able to map an account without any problem on
Samba 2.2.8a (security=domain). However, access fails with Samba
3.0.14a when everything else is the same (same configuration files).

Any advice as to the cause of the problems (and its solution) would be
appreciated.


From 2.2.8a logs

[2005/08/24 14:59:51, 3, pid=7767] smbd/reply.c:(880)
  Domain=[americase]  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1]
[2005/08/24 14:59:51, 3, pid=7767] smbd/reply.c:(890)
  sesssetupX:name=[pnmadm09]
[2005/08/24 14:59:51, 3, pid=7767] lib/username.c:(168)
  Mapped user pnmadm09 to pnmadm
[2005/08/24 14:59:51, 3, pid=7767] libsmb/namequery.c:(769)
  resolve_lmhosts: Attempting lmhosts lookup for name ZRTPD0PP0x20
[2005/08/24 14:59:51, 3, pid=7767] lib/util_sock.c:(845)
  Connecting to 47.140.205.113 at port 445

[2005/08/24 14:59:52, 3, pid=7767] smbd/password.c:(340)
  User name: pnmadm Real name: PNM Admin,PSD17792

[2005/08/24 14:59:52, 3, pid=7767] smbd/password.c:(736)
  authorise_login: ACCEPTED: validated uid ok as non-guest (user=pnmadm)

[2005/08/24 14:59:52, 1, pid=7767] smbd/service.c:(636)
  boehm-1 (47.143.20.49) connect to service export as user pnmadm (uid=34344, gid=4794) (pid 7767)


From 3.0.14a logs

[2005/08/24 15:09:11, 3, pid=10515] libsmb/ntlmssp.c:(606)
  Got user=[pnmadm09] domain=[americase] workstation=[BOEHM-1] len1=24 len2=24
[2005/08/24 15:09:11, 3, pid=10515] lib/username.c:(173)
  Mapped user pnmadm09 to pnmadm

[2005/08/24 15:09:11, 3, pid=10515] auth/auth.c:(219)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2005/08/24 15:09:11, 3, pid=10515] auth/auth.c:(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]

[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118)
  connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 3, pid=10515] libsmb/cliconnect.c:(1406)
  Connecting to host=ZRTPD0PP
[2005/08/24 15:09:11, 3, pid=10515] lib/util_sock.c:(752)
  Connecting to 47.140.205.113 at port 445
[2005/08/24 15:09:11, 3, pid=10515] rpc_client/cli_netlogon.c:(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118)
  connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 3, pid=10515] libsmb/cliconnect.c:(1406)
  Connecting to host=ZRTPD0PP
[2005/08/24 15:09:11, 3, pid=10515] lib/util_sock.c:(752)
  Connecting to 47.140.205.113 at port 445
[2005/08/24 15:09:11, 3, pid=10515] rpc_client/cli_netlogon.c:(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118)
  connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(170)
  domain_client_validate: Domain password server not available.
[2005/08/24 15:09:11, 2, pid=10515] auth/auth.c:(312)
  check_ntlm_password:  Authentication for user [pnmadm09] - [pnmadm] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2005/08/24 15:09:21, 3, pid=105
