Enhancement to allow winbindd to parse fully qualified kerberos names???

Guenther Deschner gd at samba.org
Thu Feb 1 17:17:59 GMT 2007


Hi Don,

the main problem I see with this approach (besides the trusted domains) is that 
you'll end up with the requirement that user@REALM.COM always needs to have a 
corresponding sAMAccountName of REALM.COM\user. You cannot rely on that, as 
in AD you can:

a) have a sAMAccountName of "REALM.COM\otheruser" and a UPN 
of "user@REALM.COM", and 
b) assign arbitrary upnSuffixes to domains, ending up potentially with a UPN 
in the form of "EXAMPLE.CO.UK\otheruser" and a sAMAccountName 
of "user@REALM.COM".

The only way I can think of implementing that (without proper DsCrackNames 
support) is to do a kind of poor man's CrackNames, which consists of two 
additional LSA lookups: 
1) LsaLookupName(upn) returning a SID, and 
2) LsaLookupSid(sid) to get the "classic" NT4 name format back. 

The additional roundtrips can be limited to the PAM logon only, when using 
the new kerberized pam_winbind. I had something like that running a 
long time ago for testing. Then again, you can nicely confuse PAM and NSS 
with such a drastic username change between the PAM logon and the NSS getpwnam.

Just my 2 cents.

Guenther

-- 
Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE Labs                        gd at suse.de
Samba Team                              gd at samba.org
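The two-lookup "poor man's CrackNames" from the post, as an added, self-contained illustration that is not Samba or winbindd code. The LSA calls are simulated against a constructed in-memory directory (the SIDs, the NetBIOS domain name "REALM" and the three accounts are all made up for the example); on a real domain member the equivalent calls are LsaLookupNames and LsaLookupSids, which Samba exposes as `wbinfo -n NAME` and `wbinfo -s SID`. The directory contains both cases the post lists, so the naive string rewrite of the UPN gives the wrong account in exactly those cases while the SID round trip gets them right.

```python
"""Poor man's DsCrackNames: resolve a Kerberos UPN to an NT4-style name
via two LSA lookups (name -> SID, SID -> name).

Added example, not Samba/winbindd code. The LSA calls are simulated
against a constructed directory; real equivalents are LsaLookupNames /
LsaLookupSids (wbinfo -n / wbinfo -s).
"""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    sid: str
    nt4_name: str   # DOMAIN\user, DOMAIN being the NetBIOS name, user the sAMAccountName
    upn: str        # Kerberos principal form: user@suffix


# Constructed directory for one AD domain. Assumption for the example: its
# NetBIOS name is REALM and its Kerberos realm is REALM.COM. It contains the
# two cases from the post: (a) UPN "user@REALM.COM" belongs to an account
# whose sAMAccountName is "otheruser", and (b) the account "user" carries a
# UPN under an arbitrary extra upnSuffix.
DIRECTORY = (
    Account("S-1-5-21-1-2-3-1101", "REALM\\otheruser", "user@REALM.COM"),     # case a
    Account("S-1-5-21-1-2-3-1102", "REALM\\user",      "user@EXAMPLE.CO.UK"), # case b
    Account("S-1-5-21-1-2-3-1103", "REALM\\alice",     "alice@REALM.COM"),    # easy case
)

_BY_NT4 = {a.nt4_name.casefold(): a for a in DIRECTORY}
_BY_UPN = {a.upn.casefold(): a for a in DIRECTORY}
_BY_SID = {a.sid: a for a in DIRECTORY}


def lsa_lookup_name(name: str) -> Optional[str]:
    """Simulated LsaLookupNames: accepts DOMAIN\\user or a UPN, returns the SID.
    Name matching is case-insensitive, as it is in AD."""
    acct = _BY_NT4.get(name.casefold()) or _BY_UPN.get(name.casefold())
    return acct.sid if acct else None


def lsa_lookup_sid(sid: str) -> Optional[str]:
    """Simulated LsaLookupSids: returns the classic NT4 name for a SID."""
    acct = _BY_SID.get(sid)
    return acct.nt4_name if acct else None


def naive_upn_to_nt4(upn: str) -> str:
    """The string rewrite the post warns against: user@REALM.COM -> REALM\\user
    (first DNS label of the realm taken as the NetBIOS domain)."""
    user, _, realm = upn.partition("@")
    return f"{realm.split('.')[0].upper()}\\{user}"


def crack_upn(upn: str) -> Optional[str]:
    """Two round trips: UPN -> SID -> NT4 name. None if the UPN is unknown."""
    sid = lsa_lookup_name(upn)
    if sid is None:
        return None
    return lsa_lookup_sid(sid)


def naive_rewrite_is_correct(upn: str) -> bool:
    """True only when the string rewrite agrees with the SID-based answer."""
    actual = crack_upn(upn)
    return actual is not None and naive_upn_to_nt4(upn).casefold() == actual.casefold()


if __name__ == "__main__":
    for principal in ("alice@REALM.COM", "user@REALM.COM", "user@EXAMPLE.CO.UK"):
        print(f"{principal:22} naive={naive_upn_to_nt4(principal):18} "
              f"cracked={crack_upn(principal)} "
              f"naive_ok={naive_rewrite_is_correct(principal)}")
```

The name that `crack_upn` returns is the one NSS would subsequently be asked for in getpwnam, which is the PAM/NSS mismatch the post points out: the user typed `user@REALM.COM` at the PAM prompt but the session ends up owned by `REALM\otheruser`.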