Bug 156308 - Samba smbuser fonctionality broke.
Summary: Samba smbuser fonctionality broke.
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: samba
Version: 3.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jay Fenlason
QA Contact: David Lawrence
Depends On:
TreeView+ depends on / blocked
Reported: 2005-04-28 20:10 UTC by Manuel Mitnyan
Modified: 2014-08-31 23:27 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-04-29 19:59:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Manuel Mitnyan 2005-04-28 20:10:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

Description of problem:
Description of problem:
The samba will not use the smbuser file to make mapping between a windows user and a unix user when using NT4 domain and latest samba version (3.0.9.x).

configs: smb.conf
   workgroup = INTELLIA
   security = DOMAIN
   password server = erebus
  username map = /etc/samba/smbusers

root = administrator admin manumitn

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Stop smb service: service smb stop
2. Set the configs of samba:
   workgroup = INTELLIA
   security = DOMAIN
   password server = erebus
  username map = /etc/samba/smbusers

root = administrator admin manumitn

2. Delete the dtb files:
rm -f /etc/samba/secrets.tdb
rm -f /var/cache/samba/*.dtb
rm -f /var/cache/samba/*.dat

3. On the NT4 PDC, "server manager" delete the old entry for the machine.
4. Start smb service: service smb start

5- Join the domain: net rpc join -I 192.168.0.x -S erebus -w intellia -W intellia -U administrator%mypassword -s /etc/samba/smb.conf -l
Joined domain INTELLIA.

6-Verify on the PDC if the machine is on it. 

7. Access the samba computer using windows and the user on the samba server is manumitn and not root as expected.

Actual Results:  The user (manumitn) connect on the machine with PDC credential without problem but I still have only the rights of manumitn not (root)

Expected Results:  Have "root" rights like expected on the version samba-3.0.7-1.3E.1 and older.

Temporary solution for us, roll back to samba-3.0.7-1.3E.1

Additional info:

Here is the trace get while looking to find if samba read the smbusers file:
[2005/04/26 14:24:38, 3] lib/username.c:map_username(173)
  Mapped user manumitn to root

Comment 1 Jay Fenlason 2005-04-29 19:12:17 UTC
Shouldn't the smbusers file say 
root = INTELLIA\Administrator INTELLIA\admin INTELLIA\manumitn? 
According to the release notes: 
Common bugs fixed in 3.0.8 include: 
  o Inconsistencies in the username map functionality when 
    configured on domain member servers. 
Change in Username Map 
Previous Samba releases would only support reading the fully qualified 
username (e.g. DOMAIN\user) from the username map when performing a    
kerberos login from a client.  However, when looking up a map       
entry for a user authenticated by NTLM[SSP], only the login name would be 
used for matches.  This resulted in inconsistent behavior sometimes       
even on the same server.                                            
Samba 3.0.8 obeys the following rules when applying the username 
map functionality:                                               
  * When performing local authentication, the username map is 
    applied to the login name before attempting to authenticate 
    the connection.                                             
  * When relying upon a external domain controller for validating 
    authentication requests, smbd will apply the username map     
    to the fully qualified username (i.e. DOMAIN\user) only   
    after the user has been successfully authenticated.     

Comment 2 Manuel Mitnyan 2005-04-29 19:37:44 UTC
Yes it work very well.

I am very sorry to make you lost your time on RTFM missing from my part.
by the way, I am very impress by the rapidity and the service from
RedHat. Tks again.

Manuel Mitnyan

Note You need to log in before you can comment on or make changes to this bug.