[Samba] winbind and case sensitivity

Andrew Bartlett abartlet at samba.org
Tue Feb 10 11:32:14 GMT 2004 

On Tue, 2004-02-03 at 23:12, Brian J. Murrell wrote:
> On Tue, 2004-02-03 at 04:11, Andrew Bartlett wrote:
> > The problem is, for a plaintext login, the IMAP server is almost
> > certainly just copying the username internally, so there is almost
> > nothing we can do about it.
> 
> i.e. you mean cyrus imap will just copy and use whatever the user types
> in?

I don't know for sure, but that is how I would expect it to work.

> That is fine.  I don't mind telling all of the users that they _must_
> log in with lowercase letters now, no using caps.  They will then have
> all lowercase imap mailboxes and cyrus will force delivery into
> lowercase mailboxes.
> 
> But the problem then is that when the PDC returns usernames in the
> format "Firstname" (first letter capped), and they log in with
> "firstname", there is no matching account.  

There is a matching account, but not a matching IMAP folder.  I'm
assuming this is what you mean anyway...

> If I could instruct
> winbind(d?) to simply fold the uppercase letters into lowercase, then
> there is an account that matches what the user typed and will work for
> authentication because NT is case insensitive.

Samba will answer to any username, and will return the user-name
*either* per the NT database, or as the user sent it (depending on the
backend).  I would accept a patch that made samba 'forced' to lower
case.  (It would lowercase all output, and force all input to be in
lower case).

> It seems to be that the simplest fix is to ask winbind to force the caps
> into lowercase before giving the info to PAM.

Samba never gives information to PAM, only 'yes/no' on the password.  It
does return information to nss_ldap however.

> > For NTLMSSP based logins (see my patch to cyrus-sasl back in Janurary) I
> > handle this stuff, because we can return the username.
> 
> Interesting.  I will take a look.  But this problem is more general than
> just cyrus imap and having winbind fold the uppercase letters into
> lowercase letters seems like a nice general solution, no?

In some ways it is, but the main issue is in what users enter in logon
boxes...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20040210/fc74e011/attachment.bin

More information about the samba mailing list