[PATCH] Don't ucase configured realm

Andrew Bartlett abartlet at samba.org
Thu Mar 11 15:14:45 MST 2010


On Thu, 2010-03-11 at 16:34 -0500, Benjamin Coddington wrote:
> On 3/9/10 2:31 AM, Andrew Bartlett wrote:
> > On Tue, 2010-03-09 at 08:10 +0100, Matthias Dieter Wallnöfer wrote:
> >> It's not only this. Sometimes we divide correctly between DNS domainname
> >> (szRealm_lower) and realm (szRealm_upper) but not always (e.g. we could
> >> take an upcased DNS domainname as the realm). It is a huge task to review
> >> and check all occurrences of those calls. Plus, since you keep the realm
> >> case-sensitive that means you are not really standard-AD compatible.
> >
> > Matthias,
> >
> > The problem here is that Benjamin isn't using Samba in an AD realm, he
> > is using it in a MIT realm (presumably at uvm.edu), that was not
> > configured per the normal practice.
> >
> > As such, he needs Samba, when it operates as a Kerberos host in his MIT
> > realm, to respect the lower case realm he has been forced into.
> >
> > It's not an unreasonable request, and in Samba3 it may even be quite
> > practical.  The care we need to take in Samba3 is not to make the usual
> > case (MIT realms constructed per the usual rules, and AD domains) harder
> > to set up.
> >
> > In Samba4, we have the double-challenge that we are the AD DC, and so we
> > have an even higher burden to always return the correct case to our
> > clients.
> >
> > Andrew Bartlett
> 
> Thanks Andrew.  Here's another attempt which will not break the usual 
> case.  This adds a "realm preserve case" option for Samba3.  I'm unclear 
> if I should include documentation changes as well.  If they should be 
> done, let me know.

Does this now mean we are ordering dependent?  If 'realm preserve case'
is set second, or not set at all, does it still work?  If it is later
set to false, but after the realm is re-read (on reload), is the realm
put back to the correct case?

In short, smb.conf parsing is subtle - perhaps too subtle - so I'm just
a bit worried.  In any case, I'll need for one of the developers working
on the Samba3 side of the house to look over it, and decide if it can go
in. 

I'm sorry this turned out to be so much more complex than you ever
imagined!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
