[X2Go-Dev] Effective username not correct in Session ID because of plus sign in user names (Windows AD / Samba4)

[Walid MOGHRABI]

Why do you prefix the username with the domain and "+" sign ?

I do auth through PAM + Winbind/Kerberos to a real Active Directory (not a Samba domain master) and I don't have to add the domain prefix so my usernames are simply the login part.

You'll need to configure Kerberos though to make this work but this is in a real AD scenario, not sure what to do with a Samba domain.

Here is my smb.conf if it can help :

[global]
	security = ads
	realm = <my AD domain>
	workgroup = <my AD short domain name>
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	idmap config * :backend  =rid
	idmap config * :base_rid = 0
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /home/%U
	template shell = /bin/bash
	client use spnego = yes
	client ntlmv2 auth = yes
	encrypt passwords = yes
	winbind use default domain = yes
	winbind refresh tickets = yes
	restrict anonymous = 2
	domain master = no
	local master = no
	preferred master = no
	os level = 0
	kerberos method = system keytab



Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3

----- Mail original ----- 

De: "Joost Rohde" <j.rohde at bd8.nl> 
À: x2go-dev at lists.x2go.org 
Envoyé: Mardi 20 Mars 2018 11:22:40 
Objet: Re: [X2Go-Dev] Effective username not correct in Session ID because of plus sign in user names (Windows AD / Samba4) 

On 20-03-18 11:04, Stefan Baur wrote: 
> Am 20.03.2018 um 10:56 schrieb Mihai Moldovan: 
>> There are also problems with backslashes and other characters in user names. 
>> 
>> They originate from a new sanitization feature in X2Go Server that drops 
>> characters not deemed suitable for a username. 
>> 
>> A plus sign might not be part of the allowed character set, which would explain 
>> this behavior. 
>> 
>> We've had such an discussion before and I'm still not completely sure what to do 
>> with it. It sounded like sanitization was a good idea at first, but seeing it 
>> causes problems often (well, for AD and NIS users only most of the time), maybe 
>> I should rework this and just accept any input. 
>> 
>> 
>> Not sure if that is a smart idea, though. 
> Maybe we could add a config variable X2GO_ALLOW_IN_USERNAME, so admins 
> could adapt it to their needs, yet it wouldn't be our fault if they 
> shoot themselves in the foot with it? 
> Ship with a sane default (like we do now) and add a proper description 
> in the comments, everything else is up to the admin. 
> 
> Kind Regards, 
> Stefan Baur 

Googling around a bit i think allowing just '\' and '+' would suffice. 
A backslash is the default winbind separator *, and a plus sign very 
common to use. 
I didn't see any other characters used (yet), but making it a config 
variable would indeed help for these rare cases and gives admins some 
flexibility. 

Best, 
Joost 

* 
https://www.safaribooksonline.com/library/view/using-samba-second/0596002564/re300.html 

_______________________________________________ 
x2go-dev mailing list 
x2go-dev at lists.x2go.org 
https://lists.x2go.org/listinfo/x2go-dev
---
DISCLAIMER: This e-mail is private and confidential and may contain proprietary or legally privileged information. It is for the intended recipient only. If you have received this email in error, please notify the author by replying to it and then destroy it. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail or any attachment. Thank you