Foreign Principal Mapping
Andrew Bartlett
abartlet at samba.org
Sat Oct 18 21:31:50 GMT 2003
On Sat, 2003-10-18 at 23:47, Benjamin Bennett wrote:
> Hi Folks,
> This is a patch which will allow a samba system acting as a Win2k
> domain member to use the kerberos user mappings in AD.
>
> So, say you have a samba box as a member of the Win2k domain 'MS'.
> That domain trusts the kerberos realm 'MIT'. If you present a tkt as
> joe at MIT to the samba system, it will look up a matching
> altSecurityIdentities attribute in AD for the MS domain, and if found
> you are now joe.schmoe at MS or whatever account it got matched to.
>
> Thanks for all the good work in 3! What it and this patch provide,
> I've been waiting about 2.5yrs to be able to do.
This looks very, very interesting, however there are a few
implementation issues you need to look at. smbd must not contact the DC
directly - we need it to ask winbindd. This allows winbindd to cache
the connection to the DC, as well as the resultant replies.
What we really should be doing here is:
- For 'normal' logins, actually use the data contained in the PAC
- For 'mapped' logins, ask the ADS server for the equivalent data (SIDs
etc).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
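As an added illustration of the mapping Benjamin describes (example code written for this page, not the patch under discussion and not Samba's own code), the following Python resolves a foreign Kerberos principal to a domain account via altSecurityIdentities. AD stores such mappings as values of the form `Kerberos:user@REALM`; the code parses the principal, refuses to map principals from the local realm (those carry a PAC and need no mapping, as the reply points out) or from realms the domain does not trust, builds an RFC 4515-escaped LDAP filter so a principal containing filter metacharacters cannot alter the query, and accepts only an unambiguous single match. The directory entries, realm names, account names and SIDs below are constructed for the example.

```python
import re

# RFC 4515 escaping for a value embedded in an LDAP search filter.
# Without this, a principal such as "jo*e@MIT" would turn into a wildcard
# match and could map to an unintended account.
def ldap_filter_escape(value: str) -> str:
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) == 0:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def parse_principal(principal: str):
    """Split 'user@REALM' into (user, realm); reject anything malformed."""
    m = re.fullmatch(r"([^@\s]+)@([^@\s]+)", principal)
    if m is None:
        raise ValueError("malformed Kerberos principal: %r" % principal)
    return m.group(1), m.group(2)


def build_mapping_filter(principal: str) -> str:
    """The LDAP filter a member server would send to a DC for this principal."""
    return "(altSecurityIdentities=Kerberos:%s)" % ldap_filter_escape(principal)


# Constructed stand-in for AD user objects in the 'MS' domain.
CONSTRUCTED_DIRECTORY = [
    {"sAMAccountName": "joe.schmoe",
     "objectSid": "S-1-5-21-1111-2222-3333-1105",          # constructed SID
     "altSecurityIdentities": ["Kerberos:joe@MIT"]},
    {"sAMAccountName": "dup.one",
     "objectSid": "S-1-5-21-1111-2222-3333-1106",          # constructed SID
     "altSecurityIdentities": ["Kerberos:dup@MIT"]},
    {"sAMAccountName": "dup.two",
     "objectSid": "S-1-5-21-1111-2222-3333-1107",          # constructed SID
     "altSecurityIdentities": ["Kerberos:dup@MIT"]},       # same mapping twice
]


def map_foreign_principal(principal, local_realm, trusted_realms, directory):
    """Return the sAMAccountName the foreign principal maps to, or None.

    None means 'do not map': local-realm principals should be handled from
    the PAC, untrusted realms are ignored, and an ambiguous mapping
    (two accounts claiming the same principal) is refused rather than
    picking one arbitrarily.
    """
    _user, realm = parse_principal(principal)
    if realm == local_realm:
        return None
    if realm not in trusted_realms:
        return None

    # Exact-value comparison against the stored mapping string; this is
    # the in-memory equivalent of the equality filter built above.
    wanted = "Kerberos:" + principal
    matches = [e for e in directory
               if wanted in e.get("altSecurityIdentities", [])]
    if len(matches) != 1:
        return None
    return matches[0]["sAMAccountName"]


if __name__ == "__main__":
    print(build_mapping_filter("joe@MIT"))
    print(map_foreign_principal("joe@MIT", "MS.EXAMPLE", {"MIT"},
                                CONSTRUCTED_DIRECTORY))
```

In the thread's terms, `map_foreign_principal` is the step smbd would hand to winbindd, which can then cache both the DC connection and the answer; the filter builder is the part that must stay strict, since the principal name arrives from the client's ticket.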