Solaris (8) username length issues.


  1. #1

    Solaris (8) username length issues.

    Hello,

    I've compiled Samba 3.0.4 with Heimdal 0.6.2 and all of the other
    trimmings to join an ADS tree, which I have successfully done. Winbind
    correctly pulls all of the username and group information from the ADS
    tree and all is good.

    However...

    I seem to be running into a wall with the wonderful Solaris 8 character
    username / groupname limit. Usernames with spaces or names longer than 8
    characters show up fine when I do a getent [passwd|group], and I can
    ch{own,grp} using the GNU versions of those utilities a file to something
    like 'Domain Admins' without any trouble.

    But, if I do something like:

    [myshare]
    path = /attach/blah
    valid users = "TEAMSTER/Jimmy Hoffa" @"TEAMSTER/Domain Admins"

    I will be denied access if:
    -- I try to connect as TEAMSTER\Jimmy Hoffa
    -- I try to connect as member of the group TEAMSTER\Domain Admins if that
    username in the group has a username longer than 8 characters.

    I will be granted access if:
    -- I create a UNIX user called 'jimmhoff' and put something like
    jimmhoff = 'Jimmy Hoffa' in a username.map file.
    -- I connect as a Domain Admin that has a username 8 characters or shorter
    (with no spaces).

    There also seems to be some issues with username.map and reverse mappings
    with respect to group membership on the ADS tree, i.e. if "Jimmy Hoffa"
    was a member of Domain Admins, and I had it mapped to UNIX user
    'jimmhoff', no luck.

    And, the ownership and the group settings on the directory are

    drwxrwxr-x Jimmy Hoffa Domain Admins 512 Jul 10 15:54 blah

    Am I stuck with the limitation or is there something I'm missing??

    Thanks for any help.

    Nick Majeran
    Nick Majeran Guest

  3. #2

    Re: Solaris (8) username length issues.

    On 10 Jul 2004 15:50:09 -0700, Nick Majeran <nmajeran@poletown.com> wrote:
    >
    > I seem to be running into a wall with the wonderful Solaris 8 character
    > username / groupname limit. Usernames with spaces or names longer than 8
    > characters show up fine when I do a getent [passwd|group], and I can
    > ch{own,grp} using the GNU versions of those utilities a file to something
    > like 'Domain Admins' without any trouble.
    Spaces in usernames (and filenames) will give you more hassle than just
    this.
    > But, if I do something like:
    >
    > [myshare]
    > path = /attach/blah
    > valid users = "TEAMSTER/Jimmy Hoffa" @"TEAMSTER/Domain Admins"
    >
    > I will be denied access if:
    > -- I try to connect as TEAMSTER\Jimmy Hoffa
    Maybe you need to escape the spaces in the valid_users above?
    Is there a reason you can't authenticate to the Windows domain instead?
    Samba should then pass the authentication parameters back to the
    PDC (as identified by the domain's WINS server), and then the group and
    username rules for Windows should apply, rather than the Unix/Solaris
    rules.
    > Am I stuck with the limitation or is there something I'm missing??
    Try using the windows authentication mechanism (I think it's DOMAIN)
    and see if that simplifies your life.

    Dave Hinz

    Dave Hinz Guest

  4. #3

    Re: Solaris (8) username length issues.

    nmajeran@poletown.com (Nick Majeran) writes:
    >I seem to be running into a wall with the wonderful Solaris 8 character
    >username / groupname limit. Usernames with spaces or names longer than 8
    >characters show up fine when I do a getent [passwd|group], and I can
    >ch{own,grp} using the GNU versions of those utilities a file to something
    >like 'Domain Admins' without any trouble.
    I'm not sure why the Solaris version of the same utilities would
    not work with such user names.

    Does winbind do any username/group name truncation?

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper H.S. Dik Guest

  5. #4

    Re: Solaris (8) username length issues.

    Dave Hinz <DaveHinz@spamcop.net> wrote in message news:<2lbho0Fb92e8U2@uni-berlin.de>...
    > Spaces in usernames (and filenames) will give you more hassle than just
    > this.
    Yes..overall Linux seems a little more gracious when it comes to this,
    but alas I'm stuck with Solaris for this project.
    >
    > > But, if I do something like:
    > >
    > > [myshare]
    > > path = /attach/blah
    > > valid users = "TEAMSTER/Jimmy Hoffa" @"TEAMSTER/Domain Admins"
    > >
    > > I will be denied access if:
    > > -- I try to connect as TEAMSTER\Jimmy Hoffa
    >
    > Maybe you need to escape the spaces in the valid_users above?
    > Is there a reason you can't authenticate to the Windows domain instead?
    > Samba should then pass the authentication parameters back to the
    > PDC (as identified by the domain's WINS server), and then the group and
    > username rules for Windows should apply, rather than the Unix/Solaris
    > rules.
    That's what I thought as well. As I mentioned, I have the security
    setup such that it is authenticating to an Active Directory tree, and
    Winbind is populating the passwd and group files with the proper
    information from the Active Directory tree.

    This is my smb.conf setup at the moment:
    [global]

    workgroup = TEAMSTER
    netbios name = WOODWARD
    realm = TEAMSTER.TESTDOM.COM
    server string = Samba 3.0.4
    security = ads
    log level = 3 passdb:5 auth:10 winbind:2
    syslog = 0
    log file = /usr/local/samba/var/%m
    max log size = 100
    encrypt passwords = yes
    password server = detroit.teamster.testdom.com
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    name resolve order = hosts bcast
    smb ports = 139 445
    wins server = 10.1.31.2
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = /
    winbind use default domain = yes
    username map = /usr/local/samba/lib/user.map

    And this is the error I'm getting when I try and map to the share.

    [2004/07/10 18:04:01, 3] smbd/sesssetup.c:reply_spnego_kerberos(180)
    Ticket name is [Jimmy\ Hoffa@TEAMSTER.TESTDOM.COM]
    [2004/07/10 18:04:01, 10] auth/auth_util.c:auth_add_user_script(74)
    auth_add_user_script: no 'add user script'. Asking winbindd
    [2004/07/10 18:04:01, 5] auth/auth_util.c:auth_add_user_script(81)
    auth_add_user_script: winbindd_create_user() failed
    [2004/07/10 18:04:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
    Username TEAMSTER/Jimmy\ Hoffa is invalid on this system
    [2004/07/10 18:04:01, 3] smbd/error.c:error_packet(94)
    error string = No such file or directory
    [2004/07/10 18:04:01, 3] smbd/error.c:error_packet(118)
    error packet at smbd/sesssetup.c(252) cmd=115 (SMBsesssetupX)
    NT_STATUS_LOGON_FAILURE

    > Try using the windows authentication mechanism (I think it's DOMAIN)
    > and see if that simplifies your life.
    Actually, that brings up another question. I haven't tested my PAM
    setup to work with Winbind (I have verified that Winbind works), is a
    functioning PAM the missing link? I didn't really think I needed it
    at this moment, as I wasn't concerned with local logins using the
    Active Directory tree.

    Thanks again.

    -- Nick Majeran
    Nick Majeran Guest

  6. #5

    Re: Solaris (8) username length issues.

    Casper H.S. Dik <Casper.Dik@Sun.COM> wrote in message news:<40f101ed$0$36861$e4fe514c@news.xs4all.nl>...
    > nmajeran@poletown.com (Nick Majeran) writes:
    >
    > >I seem to be running into a wall with the wonderful Solaris 8 character
    > >username / groupname limit. Usernames with spaces or names longer than 8
    > >characters show up fine when I do a getent [passwd|group], and I can
    > >ch{own,grp} using the GNU versions of those utilities a file to something
    > >like 'Domain Admins' without any trouble.
    >
    > I'm not sure why the Solaris version of the same utilities would
    > not work with such user names.
    >
    > Does winbind do any username/group name truncation?
    >
    > Casper
    Nope, here's some truncated output from getent passwd:
    ....
    Mike Hensley:x:10064:10000:Mike Hensley:/home/Mike Hensley:/bin/false
    Nick Majeran:x:10155:10000:Nick Majeran:/home/Nick Majeran:/bin/false
    ....

    and also from getent group:
    Sheet Metal:x:10013:
    Domain Admins:x:10003:nmajeran,System Replication,Nick Majeran

    I have idmap uid = 10000-20000 and idmap gid = 10000-20000 set in smb.conf.
    Nick Majeran Guest

  7. #6

    Re: Solaris (8) username length issues.

    On 11 Jul 2004 06:11:53 -0700, Nick Majeran <nmajeran@poletown.com> wrote:
    > Dave Hinz <DaveHinz@spamcop.net> wrote in message news:<2lbho0Fb92e8U2@uni-berlin.de>...
    >> Spaces in usernames (and filenames) will give you more hassle than just
    >> this.
    >
    > Yes..overall Linux seems a little more gracious when it comes to this,
    > but alas I'm stuck with Solaris for this project.
    The problem is the spaces, not the OS. A home account like
    /export/home/Nick Majeran/ is going to cause you to need to escape
    that space _every_ _time_ you do something with that directory. A
    policy of "no spaces in usernames" would be good; if you can't swing that,
    at least tr it to an underscore in the unix system.
    >> Maybe you need to escape the spaces in the valid_users above?
    >
    > That's what I thought as well. As I mentioned, I have the security
    > setup such that it is authenticating to an Active Directory tree, and
    > Winbind is populating the passwd and group files with the proper
    > information from the Active Directory tree.
    Why do you need a valid users list in the smb.conf for an AD lookup? Or
    did I miss something here (which is possible, I get to integrate to
    AD next so I haven't been there yet).
    > This is my smb.conf setup at the moment:
    > [global]
    >
    > server string = Samba 3.0.4
    Might want to turn off the version number in there, for obscurity
    reasons...
    > username map = /usr/local/samba/lib/user.map
    Can you map him to "Jimmy_Hoffa" instead of "Jimmy Hoffa" in this file,
    and change his passwd entry accordingly?
    > [2004/07/10 18:04:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
    > Username TEAMSTER/Jimmy\ Hoffa is invalid on this system
    If that isn't it, it's at least logical. I've been perfectly logical and
    wrong before, though. Never had spaces in usernames to contend with...
    > Actually, that brings up another question. I haven't tested my PAM
    > setup to work with Winbind (I have verified that Winbind works), is a
    > functioning PAM the missing link? I didn't really think I needed it
    > at this moment, as I wasn't concerned with local logins using the
    > Active Directory tree.
    Good question. Let's see if the space thing gets you where you need
    to be, otherwise maybe we'll both learn this at the same time. I need
    to do so soon anyway.

    Dave Hinz
    Dave Hinz Guest

  8. #7

    Re: Solaris (8) username length issues.

    nmajeran@poletown.com (Nick Majeran) writes:
    >Casper H.S. Dik <Casper.Dik@Sun.COM> wrote in message news:<40f101ed$0$36861$e4fe514c@news.xs4all.nl>...
    >> nmajeran@poletown.com (Nick Majeran) writes:
    >>
    >> >I seem to be running into a wall with the wonderful Solaris 8 character
    >> >username / groupname limit. Usernames with spaces or names longer than 8
    >> >characters show up fine when I do a getent [passwd|group], and I can
    >> >ch{own,grp} using the GNU versions of those utilities a file to something
    >> >like 'Domain Admins' without any trouble.
    >>
    >> I'm not sure why the Solaris version of the same utilities would
    >> not work with such user names.
    >>
    >> Does winbind do any username/group name truncation?
    >>
    >> Casper
    >Nope, here's some truncated output from getent passwd:
    >...
    >Mike Hensley:x:10064:10000:Mike Hensley:/home/Mike Hensley:/bin/false
    >Nick Majeran:x:10155:10000:Nick Majeran:/home/Nick Majeran:/bin/false
    >...
    >and also from getent group:
    >Sheet Metal:x:10013:
    >Domain Admins:x:10003:nmajeran,System Replication,Nick Majeran
    >I have idmap uid = 10000-20000 and idmap gid = 10000-20000 set in smb.conf.
    So what problems do you have with Solaris chown?

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper H.S. Dik Guest

  9. #8

    Re: Solaris (8) username length issues.

    > >>
    > >> I'm not sure why the Solaris version of the same utilities would
    > >> not work with such user names.
    > >>
    > >> Does winbind do any username/group name truncation?
    > >>
    > >> Casper
    >
    > >Nope, here's some truncated output from getent passwd:
    > >...
    > >Mike Hensley:x:10064:10000:Mike Hensley:/home/Mike Hensley:/bin/false
    > >Nick Majeran:x:10155:10000:Nick Majeran:/home/Nick Majeran:/bin/false
    > >...
    >
    > >and also from getent group:
    > >Sheet Metal:x:10013:
    > >Domain Admins:x:10003:nmajeran,System Replication,Nick Majeran
    >
    > >I have idmap uid = 10000-20000 and idmap gid = 10000-20000 set in smb.conf.
    >
    > So what problems do you have with Solaris chown?
    >
    My apologies. For whatever reason, the first few times I attempted to
    chown/chgrp files to owners/groups that included spaces, the operation
    would hang miserably. However, when I tried the same operation with
    the GNU version of said utility, it worked without hanging.

    Later when I attempted a similar operation with the native Solaris
    chown/chgrp utils, they worked fine. I assume this was an issue with
    winbind, rather than the native Sun utilities.

    Again, my apologies. My other Samba issues are mostly resolved now,
    but I had to scrap winbind.

    Thank you.

    -- Nick Majeran
    Nick Majeran Guest

  10. #9

    Re: Solaris (8) username length issues.

    If you want to avoid all kinds of nasty problems and
    compatibility issues with user and/or
    group names, the names should be composed as follows:
    at least 3, but not more than 8 characters in length,
    first character a lowercase alphabetic
    all remaining characters are lowercase alphabetic and/or
    decimal digits ...
    and yes, from the ASCII character set.
    It's likely part of the POSIX standard, ... and it's been that way
    at least as far back as UNIX version 7 circa 1979.

    nmajeran@poletown.com (Nick Majeran) wrote in message news:<a9b1f39b.0407101450.48f2f33@posting.google.com>...
    > Hello,
    >
    > I've compiled Samba 3.0.4 with Heimdal 0.6.2 and all of the other
    > trimmings to join an ADS tree, which I have successfully done. Winbind
    > correctly pulls all of the username and group information from the ADS
    > tree and all is good.
    >
    > However...
    >
    > I seem to be running into a wall with the wonderful Solaris 8 character
    > username / groupname limit. Usernames with spaces or names longer than 8
    > characters show up fine when I do a getent [passwd|group], and I can
    > ch{own,grp} using the GNU versions of those utilities a file to something
    > like 'Domain Admins' without any trouble.
    >
    > But, if I do something like:
    >
    > [myshare]
    > path = /attach/blah
    > valid users = "TEAMSTER/Jimmy Hoffa" @"TEAMSTER/Domain Admins"
    >
    > I will be denied access if:
    > -- I try to connect as TEAMSTER\Jimmy Hoffa
    > -- I try to connect as member of the group TEAMSTER\Domain Admins if that
    > username in the group has a username longer than 8 characters.
    >
    > I will be granted access if:
    > -- I create a UNIX user called 'jimmhoff' and put something like
    > jimmhoff = 'Jimmy Hoffa' in a username.map file.
    > -- I connect as a Domain Admin that has a username 8 characters or shorter
    > (with no spaces).
    >
    > There also seems to be some issues with username.map and reverse mappings
    > with respect to group membership on the ADS tree, i.e. if "Jimmy Hoffa"
    > was a member of Domain Admins, and I had it mapped to UNIX user
    > 'jimmhoff', no luck.
    >
    > And, the ownership and the group settings on the directory are
    >
    > drwxrwxr-x Jimmy Hoffa Domain Admins 512 Jul 10 15:54 blah
    >
    > Am I stuck with the limitation or is there something I'm missing??
    >
    > Thanks for any help.
    >
    > Nick Majeran
    Michael Paoli Guest
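
Added example, not part of any post in the thread: a shell/awk sketch that reads `getent passwd`-style lines, picks out names that fall outside the rule given in the last post (3 to 8 characters, lowercase letter first, then lowercase letters or digits), and proposes `username map` lines in the style of the `jimmhoff` mapping from the first post. The sample input is constructed, and the 4+4 shortening scheme and the numeric collision suffix are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): propose Samba username map lines for
# account names that break the portable rule (3-8 chars, lowercase start).

# Constructed sample in getent passwd format; the names echo the thread.
sample_passwd() {
cat <<'EOF'
nmajeran:x:10001:10000:Nick Majeran:/home/nmajeran:/bin/false
Mike Hensley:x:10064:10000:Mike Hensley:/home/Mike Hensley:/bin/false
Nick Majeran:x:10155:10000:Nick Majeran:/home/Nick Majeran:/bin/false
Jimmy Hoffa:x:10200:10000:Jimmy Hoffa:/home/Jimmy Hoffa:/bin/false
Jimmy Hoffman:x:10201:10000:Jimmy Hoffman:/home/Jimmy Hoffman:/bin/false
EOF
}

# stdin: passwd-format lines. stdout: one line per non-portable name,
# written as: shortname = "Original Name"
propose_map() {
  awk -F: '
    function portable(n) {
      return (n ~ /^[a-z][a-z0-9]*$/ && length(n) >= 3 && length(n) <= 8)
    }
    # Remember every name; portable ones are reserved so proposals avoid them.
    { names[NR] = $1; if (portable($1)) taken[$1] = 1 }
    END {
      for (i = 1; i <= NR; i++) {
        n = names[i]
        if (n == "" || portable(n)) continue
        nw = split(tolower(n), w, " ")
        for (k = 1; k <= nw; k++) gsub(/[^a-z0-9]/, "", w[k])
        # Assumed scheme: 4 letters of first word + 4 of last, as in jimmhoff.
        if (nw >= 2) cand = substr(w[1], 1, 4) substr(w[nw], 1, 4)
        else cand = substr(w[1], 1, 8)
        # Force a leading letter and the 3-character minimum.
        if (cand !~ /^[a-z]/) cand = substr("u" cand, 1, 8)
        while (length(cand) < 3) cand = cand "x"
        # Resolve clashes with existing or already proposed names.
        base = cand
        s = 2
        while (cand in taken) {
          cand = substr(base, 1, 8 - length(s "")) s
          s++
        }
        taken[cand] = 1
        printf "%s = \"%s\"\n", cand, n
      }
    }'
}

sample_passwd | propose_map
```

On a live host the input would come from `getent passwd` instead of the sample function. Each proposed short name still has to exist as a UNIX account, as with the 'jimmhoff' user in the first post.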
