Hi All,
I've encountered a problem with the latest ppa packages (stable: 4.1.0.0-0~1517~ubuntu14.04.1). My system runs a samba4 server and my users are named:
"DOMAIN+user" (the plus sign is a literal plus / AD style).
When the session ID for x2go is formed/created the plus sign is stripped from the user name apparently. This gives (at least) a problem when changing the state in the DB:
In /usr/share/perl5/X2Go/Server/DB/SQLite3.pm line 403 an attempt is made to get the 'effective' user name, but that will never happen because of the stripped out plus sign. As a consequence sessions are not terminated/suspended/etc. For now I've made it so my $effective_user == $realuser, but this breaks desktop sharing functionality.
Sort of the same bug was present in earlier versions, but was fixed later on. I've tried to find the script/code where the session id is formed, but could not find it yet. I guess that's where this should be fixed though.
Is it possible to get support for this style of user names?!
Best, Joost
There are also problems with backslashes and other characters in user names.
They originate from a new sanitization feature in X2Go Server that drops characters not deemed suitable for a username.
A plus sign might not be part of the allowed character set, which would explain this behavior.
We've had such a discussion before and I'm still not completely sure what to do with it. It sounded like sanitization was a good idea at first, but seeing it causes problems often (well, for AD and NIS users only most of the time), maybe I should rework this and just accept any input.
Not sure if that is a smart idea, though.
Mihai
On 20.03.2018 at 10:56, Mihai Moldovan wrote:
> There are also problems with backslashes and other characters in user names.
> They originate from a new sanitization feature in X2Go Server that drops characters not deemed suitable for a username.
> A plus sign might not be part of the allowed character set, which would explain this behavior.
> We've had such a discussion before and I'm still not completely sure what to do with it. It sounded like sanitization was a good idea at first, but seeing it causes problems often (well, for AD and NIS users only most of the time), maybe I should rework this and just accept any input.
> Not sure if that is a smart idea, though.
Maybe we could add a config variable X2GO_ALLOW_IN_USERNAME, so admins could adapt it to their needs, yet it wouldn't be our fault if they shoot themselves in the foot with it? Ship with a sane default (like we do now) and add a proper description in the comments, everything else is up to the admin.
Kind Regards, Stefan Baur
On 20-03-18 11:04, Stefan Baur wrote:
> On 20.03.2018 at 10:56, Mihai Moldovan wrote:
>> There are also problems with backslashes and other characters in user names.
>> They originate from a new sanitization feature in X2Go Server that drops characters not deemed suitable for a username.
>> A plus sign might not be part of the allowed character set, which would explain this behavior.
>> We've had such a discussion before and I'm still not completely sure what to do with it. It sounded like sanitization was a good idea at first, but seeing it causes problems often (well, for AD and NIS users only most of the time), maybe I should rework this and just accept any input.
>> Not sure if that is a smart idea, though.
> Maybe we could add a config variable X2GO_ALLOW_IN_USERNAME, so admins could adapt it to their needs, yet it wouldn't be our fault if they shoot themselves in the foot with it? Ship with a sane default (like we do now) and add a proper description in the comments, everything else is up to the admin.
> Kind Regards, Stefan Baur
Googling around a bit I think allowing just '\' and '+' would suffice. A backslash is the default winbind separator *, and a plus sign is very common to use. I didn't see any other characters used (yet), but making it a config variable would indeed help for these rare cases and give admins some flexibility.
Best, Joost
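An added illustration of the problem discussed in the messages above, written in Python for brevity; it is not X2Go's Perl code and not from any poster in this thread. The default character set, the session ID layout and all function names are assumptions, and `extra` only stands in for the proposed X2GO_ALLOW_IN_USERNAME setting. It shows why silently dropping characters breaks the effective-user lookup and can make two distinct accounts indistinguishable, while an accept-or-reject allowlist does neither.

```python
import string

# Assumed default allowlist; the thread does not state X2Go's actual set.
BASE_ALLOWED = frozenset(string.ascii_letters + string.digits + "._-")

def strip_sanitize(name, allowed=BASE_ALLOWED):
    """Behaviour described in the thread: silently drop disallowed characters."""
    return "".join(ch for ch in name if ch in allowed)

def check_username(name, extra=""):
    """Allowlist check that returns the name unchanged or raises.

    `extra` stands in for the X2GO_ALLOW_IN_USERNAME setting proposed in
    the thread (a proposal, not an existing option)."""
    bad = sorted(set(name) - (BASE_ALLOWED | set(extra)))
    if not name or bad:
        raise ValueError(f"rejected username {name!r}: disallowed {bad}")
    return name

def session_id(user, display, stamp):
    """Hypothetical session ID layout: <user>-<display>-<timestamp>."""
    return f"{user}-{display}-{stamp}"

def effective_user(sid, accounts):
    """Recover the user part of a session ID; None if no such account."""
    user = sid.rsplit("-", 2)[0]
    return user if user in accounts else None

def collisions(accounts, allowed=BASE_ALLOWED):
    """Distinct accounts that become the same string after stripping."""
    groups = {}
    for acct in accounts:
        groups.setdefault(strip_sanitize(acct, allowed), []).append(acct)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    accounts = ["DOMAIN+user", "DOMAINuser", "alice"]  # constructed sample
    # Stripping: the name in the session ID no longer matches the account.
    sid = session_id(strip_sanitize("DOMAIN+user"), 50, 1521540000)
    print(sid, "->", effective_user(sid, {"DOMAIN+user"}))
    # Accept-or-reject with '+' and '\' allowed: the name round-trips.
    sid = session_id(check_username("DOMAIN+user", extra="+\\"), 50, 1521540000)
    print(sid, "->", effective_user(sid, {"DOMAIN+user"}))
    print(collisions(accounts))
```
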
Why do you prefix the username with the domain and "+" sign?
I do auth through PAM + Winbind/Kerberos to a real Active Directory (not a Samba domain master) and I don't have to add the domain prefix so my usernames are simply the login part.
You'll need to configure Kerberos though to make this work but this is in a real AD scenario, not sure what to do with a Samba domain.
Here is my smb.conf if it can help:

[global]
    security = ads
    realm = <my AD domain>
    workgroup = <my AD short domain name>
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap config * :backend = rid
    idmap config * :base_rid = 0
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    winbind refresh tickets = yes
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    kerberos method = system keytab

Regards, Walid Moghrabi
----- Original message -----
From: "Joost Rohde" <j.rohde@bd8.nl>
To: x2go-dev@lists.x2go.org
Sent: Tuesday, 20 March 2018 11:22:40
Subject: Re: [X2Go-Dev] Effective username not correct in Session ID because of plus sign in user names (Windows AD / Samba4)