Enhancement to allow winbindd to parse fully qualified kerberos names???

Don McCall donmccall1 at yahoo.com
Thu Feb 1 19:00:27 GMT 2007

Hi Guenther,
Yes, I see your point - my little test
environment here is just WAY too vanilla, so all
of my upn's matched up with the samaccountname.
created a mismatch:
ddmctest at wtec.adapps.hp.com =
wtec.adapps.hp.com\ddmctset  and of course my
simple enhancement broke.

Still, it would be *really* nice to have this
functionality, even if we did have to code the
two lsa calls to handle it - we could make the
use of those lsa calls dependent on whether we
enabled 'winbind parse kerberos name = yes',
right?  Maybe even (for those of us with some
modicum of control over our user naming
conventions) add a smb.conf parameter to never
use the lsa lookups if we know that we will not
have these mismatches in the particular
ad/realm's we are working with, like 
winbbind parse kerberos name = strict, or


--- Guenther Deschner <gd at samba.org> wrote:

> Hi Don,
> the main problem I see with this approach
> (beside the trusted domains) is that 
> you'll end with the requirement that
> user at REALM.COM always needs to have a 
> corresponding sammaccountname of
> REALM.COM\user. You cannot rely on that as 
> in AD you can:
> a) have a sammaccountname of
> "REALM.COM\otheruser" and a upn 
> of "user at REALM.COM" and 
> b) assign arbitrary upnsuffixes to domains,
> ending up potentially with a upn 
> in the form of "EXAMPLE.CO.UK\otheruser" and a
> sammaccountname 
> of "user at REALM.COM".
> The only way I can think of implementing that
> (without proper DsCrackName 
> support) is to do a kind of
> poor-mans-Cracknames which consists of two 
> additional LSA lookups: 
> 1) LsaLookupName(upn) returning a sid and 
> 2) LsaLookupSid(sid) to get the "classic" NT4
> name format back. 
> The additional roundtrips can be limited only
> on the PAM logon - when using 
> the new kerberized pam_winbind. I had got
> something like that running a 
> longer time ago for testing. Then again, you
> can nicely confuse PAM and NSS 
> with such a drastic username change from PAM
> logon till the NSS getpwnam.
> Just my 2 cents.
> Guenther
> -- 
> Günther Deschner                    GPG-ID:
> 8EE11688
> Novell / SUSE Labs                       
> gd at suse.de
> Samba Team                             
> gd at samba.org

Now that's room service!  Choose from over 150,000 hotels
in 45,000 destinations on Yahoo! Travel to find your fit.

More information about the samba-technical mailing list