Enhancement to allow winbindd to parse fully qualified kerberos names???

simo idra at samba.org
Thu Feb 1 17:29:03 GMT 2007


On Thu, 2007-02-01 at 18:17 +0100, Guenther Deschner wrote:
> Hi Don,
> 
> the main problem I see with this approach (beside the trusted domains) is that 
> you'll end up with the requirement that user@REALM.COM always needs to have a 
> corresponding sammaccountname of REALM.COM\user. You cannot rely on that, as 
> in AD you can:
> 
> a) have a sammaccountname of "REALM.COM\otheruser" and a upn 
> of "user@REALM.COM", and 
> b) assign arbitrary upnsuffixes to domains, ending up potentially with a upn 
> in the form of "EXAMPLE.CO.UK\otheruser" and a sammaccountname 
> of "user@REALM.COM".
> 
> The only way I can think of implementing that (without proper DsCrackName 
> support) is to do a kind of poor-man's CrackNames which consists of two 
> additional LSA lookups: 
> 1) LsaLookupName(upn) returning a sid, and 
> 2) LsaLookupSid(sid) to get the "classic" NT4 name format back. 
> 
> The additional roundtrips can be limited only on the PAM logon - when using 
> the new kerberized pam_winbind. I had got something like that running a 
> longer time ago for testing. Then again, you can nicely confuse PAM and NSS 
> with such a drastic username change from PAM logon till the NSS getpwnam.

I think it would be worth having this.
Could make life easier in many cases imo.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
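The two-lookup "poor-man's CrackNames" that Guenther describes, as an added illustration rather than Samba or Windows code: the directory entries, SIDs and the `lsa_lookup_name` / `lsa_lookup_sid` functions below are constructed stand-ins for real LsaLookupNames/LsaLookupSids RPC calls, populated to mirror the two cases from the thread (a UPN whose local part is not the sAMAccountName, and a UPN suffix that is not the account's domain). The naive string split is included only to show why it resolves to the wrong or a non-existent account.

```python
"""Poor-man's CrackNames: resolve a Kerberos UPN to an NT4-style name via the SID.

Added example, not Samba code. DIRECTORY, the SIDs and the lsa_* functions are
constructed stand-ins for the LSA RPC lookups discussed in the thread.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    sid: str                 # objectSid, the only stable identity of the account
    netbios_domain: str      # NT4-style domain name, e.g. "REALM"
    sam_account_name: str    # sAMAccountName
    upn: str                 # userPrincipalName; the suffix is arbitrary in AD


# Constructed directory mirroring the thread's two cases:
#  a) sAMAccountName "otheruser" carries the UPN "user@REALM.COM"
#  b) sAMAccountName "user" carries a UPN with an unrelated suffix, EXAMPLE.CO.UK
DIRECTORY = [
    Account("S-1-5-21-1-2-3-1101", "REALM", "otheruser", "user@REALM.COM"),
    Account("S-1-5-21-1-2-3-1102", "REALM", "user", "otheruser@EXAMPLE.CO.UK"),
]


def lsa_lookup_name(name: str) -> Optional[str]:
    """Stand-in for LsaLookupNames: resolve a UPN or DOMAIN\\sam name to a SID."""
    wanted = name.lower()
    for acct in DIRECTORY:
        nt4 = f"{acct.netbios_domain}\\{acct.sam_account_name}"
        if wanted in (acct.upn.lower(), nt4.lower()):
            return acct.sid
    return None


def lsa_lookup_sid(sid: str) -> Optional[str]:
    """Stand-in for LsaLookupSids: resolve a SID back to the classic DOMAIN\\user form."""
    for acct in DIRECTORY:
        if acct.sid == sid:
            return f"{acct.netbios_domain}\\{acct.sam_account_name}"
    return None


def naive_crack(upn: str) -> str:
    """The string-based guess the thread argues against: treat 'user@REALM' as REALM\\user."""
    user, _, realm = upn.partition("@")
    return f"{realm.upper()}\\{user}"


def crack_name(upn: str) -> Optional[str]:
    """Two round trips: UPN -> SID (LsaLookupName), then SID -> NT4 name (LsaLookupSid).

    Returns None when the UPN is unknown, so a caller never falls back to a
    string-derived name that may belong to a different account.
    """
    sid = lsa_lookup_name(upn)
    if sid is None:
        return None
    return lsa_lookup_sid(sid)


if __name__ == "__main__":
    for upn in ("user@REALM.COM", "otheruser@EXAMPLE.CO.UK", "nobody@REALM.COM"):
        print(f"{upn:28} naive={naive_crack(upn):24} via-sid={crack_name(upn)}")
```

Resolving through the SID is what makes the result trustworthy: the name handed back to PAM and later looked up through NSS is the account's real `DOMAIN\sAMAccountName`, not a string derived from the UPN suffix. The remaining issue the thread raises, that PAM sees the UPN while NSS returns the NT4 name, is a consistency problem for the caller rather than for the lookup itself.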
