[Samba] winbind idmap customization
Gerald (Jerry) Carter
jerry at samba.org
Fri Jul 6 20:50:01 GMT 2007
Gerald (Jerry) Carter wrote:
> Nope. You haven't looked at how much trouble this would
> be in the code. For example, Lookupsid() *always* returns
> the sAMAccountName but LookupName() will resolve a UPN to
> the same SID.
>
> So the conversion is asymmetric. UPN->SID->sAMAccountName.
> But canonicalizing on the sAMAccountName does give you a
> symmetric mapping.
>
> Secondly, your 'unix' variant would break with trusted domains.
>
> So yes, it is a bad idea for very real technical reasons.
I should clarify that you can easily convert from UPN
to sAMAccountName and vice versa using the DsCrackNames
calls but this requires a lot of plumbing we don't
have currently and would be a fundamental change in
design which would require a lot of code restabilization.
Or of course you can use LDAP queries but remember that
machines do not have UPNs by default. So what do you
use then....?
cheers, jerry