Enhancement to allow winbindd to parse fully qualified kerberos names???
Don McCall
donmccall1 at yahoo.com
Thu Feb 1 19:00:27 GMT 2007
Hi Guenther,
Yes, I see your point - my little test
environment here is just WAY too vanilla, so all
of my UPNs matched up with the samaccountname.
I created a mismatch:
ddmctest at wtec.adapps.hp.com =
wtec.adapps.hp.com\ddmctset and of course my
simple enhancement broke.
Still, it would be *really* nice to have this
functionality, even if we did have to code the
two lsa calls to handle it - we could make the
use of those lsa calls dependent on whether we
enabled 'winbind parse kerberos name = yes',
right? Maybe even (for those of us with some
modicum of control over our user naming
conventions) add a smb.conf parameter to never
use the lsa lookups if we know that we will not
have these mismatches in the particular
ad/realm's we are working with, like
winbind parse kerberos name = strict, or
extended...
Don
--- Guenther Deschner <gd at samba.org> wrote:
> Hi Don,
>
> the main problem I see with this approach
> (beside the trusted domains) is that
> you'll end with the requirement that
> user at REALM.COM always needs to have a
> corresponding samaccountname of
> REALM.COM\user. You cannot rely on that as
> in AD you can:
>
> a) have a samaccountname of
> "REALM.COM\otheruser" and a upn
> of "user at REALM.COM" and
> b) assign arbitrary upnsuffixes to domains,
> ending up potentially with a upn
> in the form of "EXAMPLE.CO.UK\otheruser" and a
> samaccountname
> of "user at REALM.COM".
>
> The only way I can think of implementing that
> (without proper DsCrackName
> support) is to do a kind of
> poor-mans-Cracknames which consists of two
> additional LSA lookups:
> 1) LsaLookupName(upn) returning a sid and
> 2) LsaLookupSid(sid) to get the "classic" NT4
> name format back.
>
> The additional roundtrips can be limited only
> on the PAM logon - when using
> the new kerberized pam_winbind. I had
> something like that running a
> long time ago for testing. Then again, you
> can nicely confuse PAM and NSS
> with such a drastic username change from PAM
> logon till the NSS getpwnam.
>
> Just my 2 cents.
>
> Guenther
>
> --
> Günther Deschner GPG-ID:
> 8EE11688
> Novell / SUSE Labs
> gd at suse.de
> Samba Team
> gd at samba.org
>
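To make the two approaches in the thread concrete, here is an added example (not code from the thread, from Don, from Guenther or from Samba) that resolves a UPN to a classic NT4 name both ways: a pure string split that assumes user@REALM maps to REALM\user, and the two-call "poor-man's CrackNames" (LsaLookupName for the SID, LsaLookupSid for the name). The DIRECTORY table and the lsa_lookup_name/lsa_lookup_sid functions are constructed in-memory stand-ins for the LSA calls against a DC, the account data is made up to reproduce Guenther's cases (a) and (b), and the "strict"/"extended" mode names follow Don's suggestion rather than any real smb.conf value.

```python
"""UPN -> NT4 name, two ways: a naive split versus the two-LSA-call
"poor-man's CrackNames" described in the thread.

Added example. DIRECTORY and the lsa_lookup_* functions are constructed
stand-ins for LsaLookupNames/LsaLookupSids against a domain controller;
nothing here talks to a real AD. Mode names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SEPARATOR = "\\"  # default 'winbind separator'


@dataclass(frozen=True)
class Account:
    sid: str
    netbios_domain: str   # the domain part LsaLookupSids hands back
    sam_account_name: str
    upn: str


# Constructed data: one vanilla account plus the two awkward cases from the
# thread: (a) UPN user part != sAMAccountName, (b) UPN suffix != the realm.
DIRECTORY = (
    Account("S-1-5-21-10-20-30-1105", "REALM", "alice", "alice@realm.com"),
    Account("S-1-5-21-10-20-30-1106", "REALM", "otheruser", "user@realm.com"),
    Account("S-1-5-21-10-20-30-1107", "REALM", "bob", "bob@example.co.uk"),
)

# Realm -> NetBIOS domain mapping (constructed; winbind learns this from the DC).
REALM_TO_NETBIOS = {"realm.com": "REALM"}


def lsa_lookup_name(upn: str) -> Optional[str]:
    """Stand-in for LsaLookupNames(upn): UPN -> SID, None if the DC knows no such UPN."""
    for acct in DIRECTORY:
        if acct.upn.lower() == upn.lower():
            return acct.sid
    return None


def lsa_lookup_sid(sid: str) -> Optional[str]:
    """Stand-in for LsaLookupSids(sid): SID -> classic DOMAIN\\user."""
    for acct in DIRECTORY:
        if acct.sid == sid:
            return f"{acct.netbios_domain}{SEPARATOR}{acct.sam_account_name}"
    return None


def crack_strict(upn: str) -> str:
    """String-only parse, no round trips to the DC.

    Correct only when the UPN user part equals sAMAccountName and the suffix
    is a realm we can map. Case (a) is silently mis-resolved; case (b) fails.
    """
    user, at, suffix = upn.rpartition("@")
    if not at:
        raise ValueError(f"not a UPN: {upn!r}")
    netbios = REALM_TO_NETBIOS.get(suffix.lower())
    if netbios is None:
        raise ValueError(f"unknown realm/UPN suffix: {suffix!r}")
    return f"{netbios}{SEPARATOR}{user}"


def crack_extended(upn: str) -> str:
    """Poor-man's CrackNames: LsaLookupName(upn) -> SID, LsaLookupSid(SID) -> DOMAIN\\user."""
    sid = lsa_lookup_name(upn)
    if sid is None:
        raise LookupError(f"UPN not found: {upn!r}")
    nt4 = lsa_lookup_sid(sid)
    if nt4 is None:
        raise LookupError(f"SID {sid} has no name")
    return nt4


def crack_name(upn: str, mode: str = "extended") -> str:
    """Dispatch on the hypothetical 'winbind parse kerberos name' mode."""
    if mode == "strict":
        return crack_strict(upn)
    if mode == "extended":
        return crack_extended(upn)
    raise ValueError(f"unknown mode {mode!r}")


def compare(upn: str) -> Dict[str, str]:
    """Run both modes, returning the resolved name or 'error: ...' per mode."""
    out: Dict[str, str] = {}
    for mode in ("strict", "extended"):
        try:
            out[mode] = crack_name(upn, mode)
        except (ValueError, LookupError) as exc:
            out[mode] = f"error: {exc}"
    return out


if __name__ == "__main__":
    for acct in DIRECTORY:
        res = compare(acct.upn)
        truth = f"{acct.netbios_domain}{SEPARATOR}{acct.sam_account_name}"
        flag = "" if res["strict"] == truth else "  <-- strict mode wrong or failed"
        print(f"{acct.upn:22} strict={res['strict']:30} extended={res['extended']}{flag}")
```

Running it shows the point of the thread: the strict split is right for alice, quietly returns REALM\user instead of REALM\otheruser for case (a), and cannot even pick a domain for case (b), while the two-lookup path gets all three. It also makes Guenther's PAM/NSS caveat visible: the user typed user@realm.com at the PAM prompt, but the canonical name winbind would hand to NSS is REALM\otheruser.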