ive upgraded to samba 3.0.6 (from 3.0.5) and it seems that it has some issues with username map. i use username map = /etc/samba/smbusers which maps NT domain users to local users in form: zbych = PWDNT\zbyszek with samba 3.0.5 everything works as expected, domain user zbyszek gets access to samba as zbych. with samba 3.0.6 though, it looks as if smbusers were simply ignored. domain user zbyszek gets connected as PWDNT\zbyszek and in turn does not get zbych's permission to access shares. downgrade to 3.0.5 resolves the issue.
from samba 3.0.6 Changelog: "Dont always uppercase 'username map'" maybe uppercase/lowercase misspell?
hmm i tried these combinations: zbych = pwdnt/zbyszek zbych = PWDNT/zbyszek zbych = "PWDNT\zbyszek" zbych = PWDNT\zbyszek what else would you suggest to try ?
grunf! :-) in samba-3.0.6-r4, we included a pre-3.0.7 winbind patch. So, your issue is not a bug, but a feature ;-) what is your winbind conf? with a 'testparm -v -s' you obtain then _full_ samba conf: search for a parameter called 'winbind separator': this will be the separator between domain and user part in smbuser. Anyway (since I don't use it myself): are you sure you need the domain part also? this should be taken from smb.conf...
hmm ive upgraded to latest ebuild od samba (3.0.7), the problem is still there. i tried '/' instead of '\' just for test. with samba 3.0.5 the entries with '\' work like a charm. i also tried changing 'winbind enable local accounts' from 'No' to 'Yes' but it didnt help neither. as usual downgrade to 3.0.5 resolves the issue :\ awh and domain name must be in smbusers since i also have local users whose logins are exactly the same as in domain.
if it's nothing that can be solved with some conf tweak like the use of '+' for the separator, seems like it's an upstream change in standard behaviour. Maybe you should open a bug in https://bugzilla.samba.org, since 3.0.5 has some open flaws (in security also) that suggest to upgrade to latest stable
new notice: maybe it's a linker issue. I'm writing down 3.0.7-r1, which should allow better libraries behaviour. It should be released in an our via rsync. Let me know if this resolves your case
just tried. samba-3.0.7-r1 should resolve this. Reopen if needed
nope it did not help at all :\ i 'just' emerged samba 3.0.7-r1, is there anything i'd have to do to properly upgrade it ?
could you post your 'emerge info'? Anyway, could you give me a couple of examples of the reason you have to specify the domain part?
emerge info: Portage 2.0.50-r11 (default-x86-2004.0, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.4.26-gentoo-r6) ================================================================= System uname: 2.4.26-gentoo-r6 i686 Pentium III (Coppermine) Gentoo Base System version 1.4.16 distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] Autoconf: sys-devel/autoconf-2.59-r4 Automake: sys-devel/automake-1.8.5-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-march=pentium3 -O3 -pipe" CHOST="i686-pc-linux-gnu" COMPILER="" CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=pentium3 -O3 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs ccache distcc sandbox sfperms strict userpriv usersandbox" GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror http://trumpetti.atm.tut.fi/gentoo/" MAKEOPTS="-j16" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://62.233.139.51/gentoo-portage" USE="X apm arts avi berkdb bitmap-fonts chroot crypt encode foomaticdb gif gpm gtk2 imlib jpeg libg++ libwww mad mikmod mmx mpeg ncurses oggvorbis opengl pam pdflib perl pic png python qt quicktime readline sdl slang spell ssl svga tcpd x86 xmms xprint xv zlib" there is no reason to specify domain. i just showed example entries that work with samba 3.0.5 and dont with 3.0.6 and up. i tried using zbych = zbyszek or doli=doli but in samba logfile: - there are errors about not finding home directory of user PWDNT\user for [home] share - domain user is being connected to samba as domain user and not being mapped to local user i just want it to work but it just wont...
additional note: after tweaking samba conf files am at a point where i can map domain users to local users - without using domainname in smbusers: dolec = doli (doli is a PWDNT\doli user) i can not map domain user to local user with same login name though. using doli = doli does not work (log: connect to service samba initially as user PWDNT\doli). neither does doli = PWDNT\doli (as it used to work in samba 3.0.5)
do you guys have any ideas how to make it work? i fear of being hacked through samba ;P
All tests I made were successful. I'm using winbind for this, and username map is followed. From samba upstream Release Info, username map behaviour changed: for example, I read 'BUG 1297: Prevent map_username() from being called twice during logon'. _If_ this was the reason in 3.0.5 all was ok, now this is deprecated. Another thing to notice: samba auth is strictly tied to pam conf (just a reminder :-) ) Can you post your samba conf?
hmm but were you successful in mapping domain user x to local user x (i mean exact login name) ? i am able to map domain users to local users but with different login names :\ here's my samba.conf: [global] unix charset = ISO8859-2 display charset = ISO8859-2 workgroup = PWDNT security = DOMAIN map to guest = Bad User password server = PWDNTPRIMARY username map = /etc/samba/smbusers client NTLMv2 auth = Yes client lanman auth = No client plaintext auth = No log level = 2 log file = /var/log/samba/log.%m max log size = 500 max open files = 1000 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 load printers = No preferred master = No local master = No domain master = No ldap ssl = no idmap uid = 45000-60000 idmap gid = 45000-60000 winbind enable local accounts = No hosts allow = xxx [samba] comment = samba mia path = /lvm/samba admin users = doli read only = No guest ok = Yes ... and other shares ;) my samba PAM config: auth required pam_smbpass.so nodelay account required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf please help :\
i have some good news, this is from my bugreport at samba.org: https://bugzilla.samba.org/show_bug.cgi?id=1772 jerry@samba.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From jerry@samba.org 2004-10-25 10:46 ------- This is fixed in the upcoming 3.0.8. Please test the latest SAMBA_3_0 svn code or wait for 3.0.8pre2 --
very good news :) i saw the anouncement for 3.0.8pre1 some time ago, when pre2 comes out i'll make some testing ebuild, so you can check.. Anyway, thank you very much for the help !
hello everybody, i have finally tested the new samba 3.0.8 ebuild and now samba works like a charm! (that is as 3.0.5 worked ;)) thanks everybody,
_VERY_ good news! :-)
