Foreign Principal Mapping
abartlet at samba.org
Sat Oct 18 21:31:50 GMT 2003
On Sat, 2003-10-18 at 23:47, Benjamin Bennett wrote:
> Hi Folks,
> This is a patch which will allow a samba system acting as a Win2k
> domain member to use the kerberos user mappings in AD.
> So, say you have a samba box as a member of the Win2k domain 'MS'.
> That domain trusts the kerberos realm 'MIT'. If you present a tkt as
> joe@MIT to the samba system, it will look up a matching
> altSecurityIdentities attribute in AD for the MS domain, and if found
> you are now joe.schmoe@MS or whatever account it got matched to.
> Thanks for all the good work in 3! What it and this patch provide,
> I've been waiting about 2.5yrs to be able to do.
This looks very, very interesting, however there are a few
implementation issues you need to look at. smbd must not contact the DC
directly - we need it to ask winbindd. This allows winbindd to cache
the connection to the DC, as well as the resultant replies.
What we really should be doing here is:
- For 'normal' logins, actually use the data contained in the PAC
- For 'mapped' logins, ask the ADS server for the equivalent data (SIDs
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
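The mapping step the thread discusses (a Kerberos principal from a trusted foreign realm is resolved to a domain account through its altSecurityIdentities value, and the answer is cached the way winbindd would cache it) as an added illustration. This is not Samba code and not the patch under discussion; it assumes the AD convention that altSecurityIdentities values for Kerberos mappings take the form "Kerberos:user@REALM", and the directory entries, the account names and the trusted-realm set are constructed sample data.

```python
"""Resolve a foreign Kerberos principal to a domain account via altSecurityIdentities.

Added illustration, not Samba's own code. The in-memory directory, the
trusted-realm set and the account names below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """Minimal stand-in for an AD user object (constructed, not the real schema)."""
    sam_account_name: str
    alt_security_identities: tuple  # values such as "Kerberos:joe@MIT"


# Constructed sample directory: one clean mapping, one account with two
# principals, two accounts that claim the same principal (ambiguous), and one
# mapping that points at a realm the domain does not trust.
DIRECTORY = (
    Entry("joe.schmoe", ("Kerberos:joe@MIT",)),
    Entry("svc-backup", ("Kerberos:backup@MIT", "Kerberos:backup@OTHER")),
    Entry("dup-a", ("Kerberos:shared@MIT",)),
    Entry("dup-b", ("Kerberos:shared@MIT",)),
    Entry("mallory", ("Kerberos:admin@EVIL",)),
)

# Realms the domain has a trust with (constructed); realms are case-sensitive.
TRUSTED_REALMS = frozenset({"MIT"})


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def ldap_unescape(value: str) -> str:
    """Reverse ldap_escape(): turn \\xx hex sequences back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_principal(principal: str):
    """Split 'name@REALM' on the last '@'; reject a missing or empty part."""
    if "@" not in principal:
        raise ValueError("principal has no realm")
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("principal has an empty name or realm")
    return name, realm


def build_filter(principal: str) -> str:
    """Filter that finds the account whose altSecurityIdentities names this principal."""
    return "(altSecurityIdentities=Kerberos:%s)" % ldap_escape(principal)


def search(directory, ldap_filter: str):
    """Toy evaluator for the single equality-filter shape build_filter() produces."""
    prefix = "(altSecurityIdentities="
    if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(")")):
        raise ValueError("unsupported filter")
    wanted = ldap_unescape(ldap_filter[len(prefix):-1])
    return [e for e in directory if wanted in e.alt_security_identities]


def map_principal(principal: str, directory, trusted_realms, cache=None):
    """Return the sAMAccountName the principal maps to, or None.

    None is returned when the realm is not trusted, when nothing matches, or
    when more than one account claims the principal (an ambiguous mapping is
    refused rather than guessed). `cache` plays the role of winbindd's reply
    cache: a dict the caller keeps between calls.
    """
    _name, realm = parse_principal(principal)
    if realm not in trusted_realms:
        return None
    if cache is not None and principal in cache:
        return cache[principal]
    matches = search(directory, build_filter(principal))
    result = matches[0].sam_account_name if len(matches) == 1 else None
    if cache is not None:
        cache[principal] = result
    return result


if __name__ == "__main__":
    reply_cache = {}
    for p in ("joe@MIT", "backup@MIT", "shared@MIT", "admin@EVIL", "nobody@MIT"):
        print(p, "->", map_principal(p, DIRECTORY, TRUSTED_REALMS, reply_cache))
```

The realm check runs before the directory is consulted, so a ticket from a realm the domain has no trust with never reaches the lookup, and a principal claimed by two accounts is refused instead of being resolved to whichever entry happens to come back first.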