Why do you prefix the username with the domain and "+" sign ?
I do auth through PAM + Winbind/Kerberos to a real Active Directory (not a Samba domain master) and I don't have to add the domain prefix so my usernames are simply the login part.
You'll need to configure Kerberos though to make this work but this is in a real AD scenario, not sure what to do with a Samba domain.
Here is my smb.conf if it can help :
[global] security = ads realm = <my AD domain> workgroup = <my AD short domain name> idmap uid = 10000-20000 idmap gid = 10000-20000 idmap config * :backend =rid idmap config * :base_rid = 0 winbind enum users = yes winbind enum groups = yes template homedir = /home/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes winbind refresh tickets = yes restrict anonymous = 2 domain master = no local master = no preferred master = no os level = 0 kerberos method = system keytab
Regards, Walid Moghrabi
TRAVAUX.COM BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403 13591 AIX EN PROVENCE CEDEX 3
----- Mail original -----
De: "Joost Rohde" <j.rohde@bd8.nl> À: x2go-dev@lists.x2go.org Envoyé: Mardi 20 Mars 2018 11:22:40 Objet: Re: [X2Go-Dev] Effective username not correct in Session ID because of plus sign in user names (Windows AD / Samba4)
On 20-03-18 11:04, Stefan Baur wrote:
Am 20.03.2018 um 10:56 schrieb Mihai Moldovan:
There are also problems with backslashes and other characters in user names.
They originate from a new sanitization feature in X2Go Server that drops characters not deemed suitable for a username.
A plus sign might not be part of the allowed character set, which would explain this behavior.
We've had such an discussion before and I'm still not completely sure what to do with it. It sounded like sanitization was a good idea at first, but seeing it causes problems often (well, for AD and NIS users only most of the time), maybe I should rework this and just accept any input.
Not sure if that is a smart idea, though. Maybe we could add a config variable X2GO_ALLOW_IN_USERNAME, so admins could adapt it to their needs, yet it wouldn't be our fault if they shoot themselves in the foot with it? Ship with a sane default (like we do now) and add a proper description in the comments, everything else is up to the admin.
Kind Regards, Stefan Baur
Googling around a bit i think allowing just '\' and '+' would suffice. A backslash is the default winbind separator *, and a plus sign very common to use. I didn't see any other characters used (yet), but making it a config variable would indeed help for these rare cases and gives admins some flexibility.
Best, Joost
x2go-dev mailing list x2go-dev@lists.x2go.org https://lists.x2go.org/listinfo/x2go-dev
DISCLAIMER: This e-mail is private and confidential and may contain proprietary or legally privileged information. It is for the intended recipient only. If you have received this email in error, please notify the author by replying to it and then destroy it. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail or any attachment. Thank you