Enhancement to allow winbindd to parse fully qualified kerberos names???

McCall, Don (GSE-WTEC-Alpharetta) don.mccall at hp.com
Thu Feb 1 16:51:06 GMT 2007


Hi Jerry, Jeremy and Guenther,
Volker pointed me towards you guys to consider this:


I have a need for winbindd to be able to parse fully qualified Kerberos
names, e.g.:

    ddmc@WTEC.ADAPPS.HP.COM, etc.

I use a simple pam_kerberos authentication to an Active Directory
domain, with winbind providing the sid <-> uid map resolution.  (I've
submitted a paper proposal to SambaXP about this, so perhaps I'll get to
talk about it there ;-) )  So IF I set up my HP-UX box like so:


password server = wtec-dc1.wtec.adapps.hp.com, *
realm = WTEC.ADAPPS.HP.COM
netbios name = gwen
workgroup = WTEC
security = ADS

# Winbindd section:
idmap uid = 10000-20000
idmap gid = 20000-30000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template shell = /bin/sh
Template home directory = /home/%D/%U

Then I can log in to my HP-UX system by just providing an MS Windows user
name from the WTEC.ADAPPS.HP.COM AD domain: since 'winbind use default
domain = yes', when nsswitch pushes the request to winbindd, it prepends
the domain name to my username, and WTEC\ddmc is found.  (We do this
because libpam_winbindd isn't supported under HP-UX, and because we want
to exclusively use Kerberos authentication.)

But trusted domains present a problem.  You can easily extend your
krb5.conf file to handle trusted domain authentication by adding the
trusted domains as additional realms.  For instance, assume that your
default domain, KAT1, trusts the domain KATTRUST1, with a kdc named
trustdc1.kattrust1.mccall.com:

[realms]
KAT1.MCCALL.COM = {
        kdc = mccalldc.alf.cpqcorp.net:88
}
KATTRUST1.MCCALL.COM = {
        kdc = trustdc1.kattrust1.mccall.com:88
}

This will allow you to use kinit to get credentials for any user in the
KATTRUST1.MCCALL.COM domain.  However, you run into problems when you
try to log in to HP-UX as a member of that domain.  Consider a user
'tester' in this domain: tester@KATTRUST1.MCCALL.COM.
When you get the telnet login prompt, the only way for you to distinguish
'tester' in this domain from some user named 'tester' in your default
domain is to fully qualify the username you supply:

  Login:  tester@KATTRUST1.MCCALL.COM

When you do this, the HP-UX PAM infrastructure will recognize this as a
valid Kerberos username and get the appropriate credentials from the
KDC for this realm listed in the krb5.conf file, but later on, in
the authorization portion of the PAM processing, it will attempt to do a
'getpwnam()' with this fully qualified name.  Since winbindd does not
recognize this name format (it expects the name to be passed to it in
the format DOMAIN<winbindd separator>username), the PAM system will
refuse to complete the login sequence, because it cannot find a valid
username <-> uid mapping.
At this time, therefore, ONLY users from the default domain can log in
using this method.  They are able to do so because we have set
'winbind use default domain = yes', so we can simply provide the username
at the 'login:' prompt and the default domain will be prepended
appropriately when the request is caught by the winbindd daemon to be looked up.


Bottom line, Volker: I wonder if you would consider an enhancement to
the 'parse_domain_user()' module (in nsswitch/winbindd_util.c) to allow
winbindd to parse fully qualified Kerberos names to resolve this?  I
tested this on Samba 3.0.22 (what we are currently using as a base on
HP-UX), and it worked for me.  Note that I also added a loadparm.c parameter
called lp_winbind_parse_kerberos_names(), so that if people WERE using
the '@' as the actual winbind separator, you could turn this behavior on
or off:


/* nsswitch/winbindd_util.c (already pulls in includes.h for fstring,
 * lp_*(), PTR_DIFF, DEBUG and strupper_m) */
BOOL parse_domain_user(const char *domuser, fstring domain, fstring user)
{
        char *p = strchr(domuser, *lp_winbind_separator());
        char *q = strchr(domuser, '@');

        /* Only honour the user@REALM form when the new smb.conf switch is
         * on.  Assign the outer q here; declaring a second 'char *q' inside
         * the block would only shadow it and leave the switch without effect. */
        if (!lp_winbind_parse_kerberos_names()) {
                q = NULL;
        }

        if ( !p && !q ) {
                /* bare username: fall back to the default domain */
                fstrcpy(user, domuser);

                if ( assume_domain(lp_workgroup())) {
                        fstrcpy(domain, lp_workgroup());
                } else {
                        fstrcpy( domain, get_global_sam_name() );
                }
        }
        else {
                if (p) {
                        /* DOMAIN<separator>user */
                        fstrcpy(user, p+1);

                        fstrcpy(domain, domuser);
                        domain[PTR_DIFF(p, domuser)] = 0;
                }
                if (q) {
                        /* user@REALM: the realm becomes the domain name */
                        fstrcpy(user, domuser);
                        fstrcpy(domain, q+1);
                        user[PTR_DIFF(q, domuser)] = 0;
                        DEBUG(10, ("parse_domain_user: user=%s,domain=%s,domuser=%s\n",
                                   user, domain, domuser));
                }
        }

        strupper_m(domain);

        return True;
}



I realize that parse_domain_user() is copied into other files in the
source tree, so they may need to be changed as well for consistency, but
this one did it for me.

Would you be willing to consider such an enhancement?  If so, I can make
changes to the current build farm version and send you diffs, if that
would help.

Thanks for considering this!
Don
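As an added stand-alone illustration (not Don's patch and not Samba's own code), the same name split written so that it can be compiled and tested outside Samba: the '@'-as-winbind-separator caveat from the post is enforced, and names that are empty, have an empty half, or carry both separators at once are rejected instead of being mapped to whichever half wins. The lp_*() accessors are replaced by constructed globals.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 256

/* Constructed stand-ins for Samba's lp_*() config accessors (assumed). */
static char winbind_separator = '\\';
static bool parse_kerberos_names = true;
static const char *default_domain = "WTEC";

/* Split "DOMAIN<sep>user" or "user@REALM" into domain and user; a bare name
 * gets the default domain. Malformed or ambiguous input is rejected so the
 * caller can never map it onto the wrong account. */
bool parse_domain_user(const char *domuser, char *domain, char *user)
{
    const char *p = strchr(domuser, winbind_separator);
    const char *q = NULL;
    char *c;
    /* '@' is a realm separator only when enabled and when it is not
     * already the winbind separator itself (the caveat in the post). */
    if (parse_kerberos_names && winbind_separator != '@')
        q = strchr(domuser, '@');
    if (*domuser == '\0' || (p && q))
        return false;               /* empty, or both forms at once */
    if (!p && !q) {
        snprintf(user, NAME_LEN, "%s", domuser);
        snprintf(domain, NAME_LEN, "%s", default_domain);
    } else if (p) {                 /* DOMAIN<sep>user */
        if (p == domuser || p[1] == '\0') return false;
        snprintf(domain, NAME_LEN, "%.*s", (int)(p - domuser), domuser);
        snprintf(user, NAME_LEN, "%s", p + 1);
    } else {                        /* user@REALM */
        if (q == domuser || q[1] == '\0') return false;
        snprintf(user, NAME_LEN, "%.*s", (int)(q - domuser), domuser);
        snprintf(domain, NAME_LEN, "%s", q + 1);
    }
    for (c = domain; *c; c++)       /* winbindd keeps domain names upper-case */
        *c = (char)toupper((unsigned char)*c);
    return true;
}

/* 1 if parsing yields the expected pair; with want_domain NULL, 1 if rejected. */
int check(const char *in, const char *want_domain, const char *want_user)
{
    char domain[NAME_LEN], user[NAME_LEN];
    bool ok = parse_domain_user(in, domain, user);
    if (!want_domain) return !ok;
    return ok && !strcmp(domain, want_domain) && !strcmp(user, want_user);
}
```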

