[Samba] still about winbind idmap customization

Jerome Haltom wasabi at larvalstage.net
Wed Jul 18 16:35:50 GMT 2007


I would like to see some more options for this as well. I don't really
like the only option being the Windows user-name form of SHORTDOM\user.
I wouldn't mind FULL.REALM\user. Only having Windows short name as an
option really doesn't make integration into non-Windows realms very
easy.

I've expressed this on the list before.

On Wed, 2007-07-18 at 16:11 +0200, miolinux wrote:
> Hi,
> 
> I've read the thread about idmap customization. I'm planning an
> integration between Windows AD and MIT Kerberos, and I was very
> interested in the subject.
> 
> Now we are authenticating Windows AD users against an MIT Kerberos realm
> with a cross-domain trust, and with Windows clients everything works.
> 
> I.e., authentication is done with Kerberos MIT and authorization is done
> with Windows AD.
> 
> Now I'm working to let Linux computers authenticate users. What I need
> is to authenticate users against MIT Kerberos with pam_krb5 (user@REALM),
> and get authorization from Windows AD (DOMAIN+user).
> 
> The main problem is that I can force users to append @REALM for
> pam_krb5, but I need the user to be in the form "user" and not "DOMAIN+user"
> for a domain that is not the "workgroup" of the computer.
> 
> Would it be much work to add a parameter to specify the winbind default
> domain to be different from the computer's workgroup?
> 
> Even if a complete customization of user name and group name would be
> preferred, a custom default domain could be enough for me.
> 
> Is this possible?
> 
> Regards,
> 
> --
> Miolinux


