Foreign Principal Mapping

Andrew Bartlett abartlet at
Sat Oct 18 21:31:50 GMT 2003

On Sat, 2003-10-18 at 23:47, Benjamin Bennett wrote:
> Hi Folks,
>    This is a patch which will allow a samba system acting as a Win2k 
> domain member to use the kerberos user mappings in AD.
>    So, say you have a samba box as a member of the Win2k domain 'MS'. 
> That domain trusts the kerberos realm 'MIT'. If you present a tkt as 
> joe at MIT to the samba system, it will lookup a matching 
> altSecurityIdentities attribute in AD for the MS domain, and if found 
> you are now joe.schmoe at MS or whatever account it got matched to.
>    Thanks for all the good work in 3! What it and this patch provide, 
> I've been waiting about 2.5yrs to be able to do.

This looks very, very interesting, however there are a few
implementation issues you need to look at.  smbd must not contact the DC
directly - we need it to ask winbindd.  This allows winbindd to cache
the connection to the DC, as well as the resultant replies.

What we really should be doing here is:  
 - For 'normal' logins, actually use the data contained in the PAC
 - For 'mapped' logins, ask the ADS server for the equivalent data (SIDs

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
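The mapping step Benjamin describes (a ticket for joe@MIT is looked up against altSecurityIdentities in the MS domain and resolved to joe.schmoe@MS) is illustrated below as an added example. This is not Samba code and not Benjamin's patch: the directory contents, the trusted-realm list and the account names are constructed for the example, and the static table stands in for the LDAP query that, per Andrew's point, should go through winbindd rather than from smbd to the DC directly. AD stores Kerberos name mappings as altSecurityIdentities values of the form "Kerberos:user@REALM". The checks a practitioner would want on such a lookup are also shown: the realm must be one the domain actually trusts, the match must be exact and case-sensitive over the whole value (a realm differing only in case is a different realm), and a principal that maps to more than one account is refused rather than resolved to whichever entry the search returned first.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample directory: a handful of AD user objects from the 'MS'
 * domain with their altSecurityIdentities values. Real code would obtain these
 * from the DC (via winbindd) rather than from a static table. */
struct ad_account {
    const char *sam_account_name;
    const char *alt_ids[4];            /* NULL-terminated altSecurityIdentities values */
};

static const struct ad_account directory[] = {
    { "joe.schmoe", { "Kerberos:joe@MIT", NULL } },
    { "alice",      { "X509:<I>DC=com,DC=example<S>CN=alice", "Kerberos:alice@MIT", NULL } },
    { "bob",        { "Kerberos:bob@MIT", NULL } },
    { "bob-admin",  { "Kerberos:bob@MIT", NULL } },       /* same principal mapped twice: ambiguous */
    { "mallory",    { "Kerberos:admin@mit", NULL } },     /* lower-case realm: must not match admin@MIT */
};
#define NACCOUNTS (sizeof directory / sizeof directory[0])

/* Realms the 'MS' domain trusts (assumed for the example). */
static const char *const trusted_realms[] = { "MIT", NULL };

enum map_result {
    MAP_OK,               /* exactly one account carries the mapping */
    MAP_NO_MATCH,         /* no account carries it */
    MAP_AMBIGUOUS,        /* more than one account carries it: refuse rather than guess */
    MAP_UNTRUSTED_REALM,  /* ticket realm is not one the domain trusts */
    MAP_BAD_PRINCIPAL     /* malformed principal, or too long to build a lookup key */
};

static int realm_is_trusted(const char *realm)
{
    for (const char *const *r = trusted_realms; *r != NULL; r++)
        if (strcmp(*r, realm) == 0)       /* realm names are case-sensitive */
            return 1;
    return 0;
}

/* Map "user@REALM" to a local (MS-domain) account via altSecurityIdentities. */
enum map_result map_foreign_principal(const char *principal, const char **account_out)
{
    char key[256];
    size_t found = NACCOUNTS;                   /* index of the matching account, if any */
    const char *at = strrchr(principal, '@');   /* the realm follows the last '@' */

    *account_out = NULL;
    if (at == NULL || at == principal || at[1] == '\0')
        return MAP_BAD_PRINCIPAL;
    if (!realm_is_trusted(at + 1))
        return MAP_UNTRUSTED_REALM;

    /* AD stores Kerberos mappings as "Kerberos:user@REALM"; build that key. */
    if (snprintf(key, sizeof key, "Kerberos:%s", principal) >= (int)sizeof key)
        return MAP_BAD_PRINCIPAL;

    for (size_t i = 0; i < NACCOUNTS; i++) {
        for (const char *const *id = directory[i].alt_ids; *id != NULL; id++) {
            if (strcmp(*id, key) != 0)      /* exact, case-sensitive match of the whole value */
                continue;
            if (found != NACCOUNTS && found != i)
                return MAP_AMBIGUOUS;
            found = i;
        }
    }
    if (found == NACCOUNTS)
        return MAP_NO_MATCH;
    *account_out = directory[found].sam_account_name;
    return MAP_OK;
}

/* Convenience wrappers: result code only, and the mapped name or NULL. */
enum map_result map_result_for(const char *principal)
{
    const char *acct;
    return map_foreign_principal(principal, &acct);
}

const char *mapped_account(const char *principal)
{
    const char *acct;
    return map_foreign_principal(principal, &acct) == MAP_OK ? acct : NULL;
}

int main(void)
{
    static const char *const samples[] = {
        "joe@MIT", "alice@MIT", "bob@MIT", "admin@MIT", "joe@EVIL", "joe", NULL
    };
    static const char *const names[] = {
        "ok", "no match", "ambiguous", "untrusted realm", "bad principal"
    };
    for (const char *const *p = samples; *p != NULL; p++) {
        const char *acct;
        enum map_result r = map_foreign_principal(*p, &acct);
        printf("%-10s -> %s%s%s\n", *p, names[r], acct ? " as " : "", acct ? acct : "");
    }
    return 0;
}
```

The realm check reflects that the ticket was validated under the trust with that specific realm; honouring a mapping for a realm the domain does not trust would let any KDC that can mint a matching principal name claim the account. Whether the mapped account is then populated from the PAC or from a separate lookup of its SIDs is the question Andrew raises above and is outside this example.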