winbind and white spaces on user/group names

Samba - General mailing list
Hi Samba Folks,

we use Ubuntu 16.04 LTS with Samba 4.3.11 (from distribution). Our ADS
is Windows 2008 R2. We want to use Linux as a squid proxy with domain
auth (SSO).
Problem is that most of the usernames have a white space and it seems
that winbind won't handle it.

I get this on my cache log with /usr/lib/squid/ext_wbinfo_group_acl
(wbinfo_group.pl) script.

Got max Internet-Access from squid
User:  -max-
Group: -Internet-Accesss-
SID:   -S-1-5-21-3122064890-3824127986-1965815265-2719-
GID:   -10004-
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user max
Sending ERR to squid

Problem is, that username is not max, it is "max mustermann".

You can see that the user sid is well resolved (however it is
possible). Users with no white spaces work fine in squid.

Same problem with wbinfo:

$ wbinfo -u|grep max
max mustermann

but when I try to get user info or user group info:

$ wbinfo -i "max mustermann"
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user max mustermann

$ wbinfo -r "max mustermann"
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user max mustermann

And when the username contains no white space, it works well:

$ wbinfo -i Administrator
administrator:*:10000:10005:Administrator:/home/MYDOM/administrator:/bin/false

$ wbinfo -r Administrator
10005
10006
10007
10008
10009
10010
10011
10012
10013
10014
10015
10016
10017
10018
10019
10020
10021
10022
10001
10000

$ wbinfo -t kinit
checking the trust secret for domain MYDOM via RPC calls succeeded

Anything I can do? Is there any needed smb.conf param which can help?
I have found many people on the internet who have suffered from the same
problem, but I found no solution for my case.

Regards,
Thomas


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: winbind and white spaces on user/group names

On Tue, 18 Apr 2017 17:47:55 +0200
Thomas Creutz via samba <[hidden email]> wrote:

> Hi Samba Folks,
>
> we use Ubuntu 16.04 LTS with Samba 4.3.11 (from distribution). Our
> ADS is Windows 2008 R2. We want to use Linux as a squid proxy with
> domain auth (SSO).
> Problem is that most of the usernames have a white space and it
> seems that winbind won't handle it.
>
> I get this on my cache log with /usr/lib/squid/ext_wbinfo_group_acl
> (wbinfo_group.pl) script.
>
> Got max Internet-Access from squid
> User:  -max-
> Group: -Internet-Accesss-
> SID:   -S-1-5-21-3122064890-3824127986-1965815265-2719-
> GID:   -10004-
> failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get groups for user max
> Sending ERR to squid
>
> Problem is, that username is not max, it is "max mustermann".

Are you mixing up the user's 'cn' and 'samaccountname'?

The user's 'cn' could be 'max mustermann', but the user's
'samaccountname' could well be 'max', in fact it can be anything, up to
20 characters long and without spaces.

So the question should be, what is squid asking for?

Rowland

Re: winbind and white spaces on user/group names

Hello Penny

On 18.04.2017 at 18:27, Rowland Penny via samba wrote:
> On Tue, 18 Apr 2017 17:47:55 +0200
>
> Are you mixing up the user's 'cn' and 'samaccountname'?
>
> The user's 'cn' could be 'max mustermann', but the user's
> 'samaccountname' could well be 'max', in fact it can be anything, up to
> 20 characters long and without spaces.

Sorry, but the sAMAccountName has the white spaces too:

$ ldapsearch -h server -x -LLL -b "dc=mydom,dc=de" -D "cn=Proxy
Benutzer,cn=Users,dc=mydom,dc=de" -W "cn=max mustermann" sAMAccountName
| grep sAMAccountName
Enter LDAP Password:
sAMAccountName: Max Mustermann

I know it is ugly, but it is not born on my idea. But MS also don't have
any problems with it. Is it not really supported in samba?

Regards
Thomas

Re: winbind and white spaces on user/group names

On Wed, 19 Apr 2017 16:35:18 +0200
Thomas Creutz via samba <[hidden email]> wrote:

Hi Creutz,

>
> I know it is ugly, but it is not born on my idea. But MS also don't
> have any problems with it. Is it not really supported in samba?
>
> Regards
> Thomas
>

It is actually a Unix thing and doesn't really have anything to do with
Samba.

A quick google turned this up:

http://www.linuxquestions.org/questions/linux-networking-3/squid-ldap-auth-there-is-a-space-in-user-name-4175534074/

Rowland

Re: winbind and white spaces on user/group names

On 19.04.2017 at 17:11, Rowland Penny wrote:
>> I know it is ugly, but it is not born on my idea. But MS also don't
>> have any problems with it. Is it not really supported in samba?
> It is actually a Unix thing and doesn't really have anything to do with
> Samba.

I can't confirm fully - linux can handle spaces as well as windows can
(take as example a look on file systems from win and linux). It's more
program specific like wbinfo.
That's why I want to come back to the wbinfo command: how can I query
with it for a username with the space? Maybe, when I get the wbinfo
command working - it will also work in squid...

> A quick google turned this up:
>
> http://www.linuxquestions.org/questions/linux-networking-3/squid-ldap-auth-there-is-a-space-in-user-name-4175534074/
>

Thanks for the hint - but the ldap queries are really ugly, because you
have to match the memberof with the ou at the same time. I had it
running, but want to switch to winbind, because it is 1. little bit more
secure (ntlm/kerberos) and more easy (too complicated ldap queries).

Thomas
