Sammeth Manuel
2018-03-26 08:09:21 UTC
Hi,
sorry for the late reply. I was on vacation last week.
I solved it with the configuration change of Samba Server.
Following parameters have been set in /etc/smb/smb.conf:
template homedir = /home/%U
winbind use default domain = yes
the plus "+" in the username is just shortened and the real username has no plus in it.
It is all about the "\"
The error I got was not so clear, that it is a problem with the backslashes in the username. A hint in the client or elsewhere would be fine.
Kind regards
Manuel Sammeth
FIS-ASP GmbH
Phone: +49 (9723) 9188-658 Fax: +49 (9723) 9188-600
Managing Director Robert Schuhmann
Register court Schweinfurt HRB 3865
-----Original Message-----
From: x2go-dev <x2go-dev-***@lists.x2go.org> On behalf of x2go-dev-***@lists.x2go.org
Sent: Wednesday, 21 March 2018 12:00
To: x2go-***@lists.x2go.org
Subject: x2go-dev Digest, Vol 48, Issue 24
Send x2go-dev mailing list submissions to
x2go-***@lists.x2go.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.x2go.org/listinfo/x2go-dev
or, via email, send a message with subject or body 'help' to
x2go-dev-***@lists.x2go.org
You can reach the person managing the list at
x2go-dev-***@lists.x2go.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of x2go-dev digest..."
Today's Topics:
1. Re: Effective username not correct in Session ID because of
plus sign in user names (Windows AD / Samba4) (Walid MOGHRABI)
----------------------------------------------------------------------
Message: 1
Date: Tue, 20 Mar 2018 18:21:49 +0100 (CET)
From: Walid MOGHRABI <***@servicemagic.eu>
To: Joost Rohde <***@bd8.nl>
Cc: x2go-***@lists.x2go.org
Subject: Re: [X2Go-Dev] Effective username not correct in Session ID
because of plus sign in user names (Windows AD / Samba4)
Message-ID:
<***@servicemagic.eu>
Content-Type: text/plain; charset=utf-8
Why do you prefix the username with the domain and "+" sign ?
I do auth through PAM + Winbind/Kerberos to a real Active Directory (not a Samba domain master) and I don't have to add the domain prefix so my usernames are simply the login part.
You'll need to configure Kerberos though to make this work but this is in a real AD scenario, not sure what to do with a Samba domain.
Here is my smb.conf if it can help :
[global]
security = ads
realm = <my AD domain>
workgroup = <my AD short domain name>
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config * :backend =rid
idmap config * :base_rid = 0
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
winbind refresh tickets = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
kerberos method = system keytab
Regards,
Walid Moghrabi
TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3
----- Original Mail -----
From: "Joost Rohde" <***@bd8.nl>
To: x2go-***@lists.x2go.org
Sent: Tuesday, 20 March 2018 11:22:40
Subject: Re: [X2Go-Dev] Effective username not correct in Session ID because of plus sign in user names (Windows AD / Samba4)
Googling around a bit I think allowing just '\' and '+' would suffice.
A backslash is the default winbind separator *, and a plus sign very common to use.
I didn't see any other characters used (yet), but making it a config variable would indeed help for these rare cases and gives admins some flexibility.
Best,
Joost
*
https://www.safaribooksonline.com/library/view/using-samba-second/0596002564/re300.html
There are also problems with backslashes and other characters in user names.
They originate from a new sanitization feature in X2Go Server that
drops characters not deemed suitable for a username.
A plus sign might not be part of the allowed character set, which
would explain this behavior.
We've had such a discussion before and I'm still not completely sure
what to do with it. It sounded like sanitization was a good idea at
first, but seeing it causes problems often (well, for AD and NIS
users only most of the time), maybe I should rework this and just accept any input.
Not sure if that is a smart idea, though.
Maybe we could add a config variable X2GO_ALLOW_IN_USERNAME, so admins
could adapt it to their needs, yet it wouldn't be our fault if they
shoot themselves in the foot with it?
Ship with a sane default (like we do now) and add a proper description
in the comments, everything else is up to the admin.
Kind Regards,
Stefan Baur
_______________________________________________
x2go-dev mailing list
x2go-***@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-dev
---
DISCLAIMER: This e-mail is private and confidential and may contain proprietary or legally privileged information. It is for the intended recipient only. If you have received this email in error, please notify the author by replying to it and then destroy it. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail or any attachment. Thank you
------------------------------
Subject: Digest Footer
_______________________________________________
x2go-dev mailing list
x2go-***@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-dev
------------------------------
End of x2go-dev Digest, Vol 48, Issue 24
****************************************
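The trade-off discussed in the thread, sketched as an added example (not X2Go Server code and not written by any poster): silently dropping characters maps different names to the same string, while checking against an allowlist extended by a configurable set either accepts the name unchanged or refuses it. The function names and the base character set are assumptions; the second argument stands in for the proposed X2GO_ALLOW_IN_USERNAME value.

```shell
#!/bin/sh
# Added illustration, not X2Go Server code; function names are hypothetical.
LC_ALL=C; export LC_ALL

# True if the single character $1 is in the assumed base set or listed in $2.
# $2 plays the role of the X2GO_ALLOW_IN_USERNAME value proposed in the thread.
char_allowed() {
    case $1 in
        [A-Za-z0-9._-]) return 0 ;;
    esac
    case $2 in
        *"$1"*) return 0 ;;   # quoted, so '\' and '+' are compared literally
    esac
    return 1
}

# Drop-style sanitizing: unsuitable characters are silently removed.
sanitize_drop() {
    rest=$1
    out=
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}
        if char_allowed "$c" "$2"; then out=$out$c; fi
    done
    printf '%s\n' "$out"
}

# Reject-style validation: the name passes unchanged or is refused.
validate_username() {
    rest=$1
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}
        rest=${rest#?}
        char_allowed "$c" "$2" || return 1
    done
    return 0
}

# Constructed sample names, not taken from the thread.
for name in 'CORP+alice' 'CORPalice' 'CORP\alice'; do
    if validate_username "$name" ''; then v=accepted; else v=rejected; fi
    printf '%s: dropped to %s, strict check %s\n' "$name" "$(sanitize_drop "$name" '')" "$v"
done
```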