wbinfo -i output domain realm vs. ntdomain before login
Andreas Schneider
asn at samba.org
Thu Apr 26 05:26:34 UTC 2018
On Thursday, 26 April 2018 00:45:05 CEST Jeremy Allison wrote:
> On Mon, Apr 23, 2018 at 04:44:37PM +0200, Andreas Schneider via samba-technical wrote:
> > On Friday, 20 April 2018 06:52:58 CEST Stefan Metzmacher wrote:
> > > Hi Samuel,
> > >
> > > > I had a look at the attached patches in bugzilla. The LSA LookupNames
> > > > is called when the winbind cache is cold and it returns all the
> > > > necessary information (the referenced domain name and domain SID to
> > > > which the looked up names belong), so why can't we pass this up to
> > > > the caller and use it instead of checking the given name format to
> > > > lookup the domain name after obtaining the SID?
> > > >
> > > > What do you think about this patch?
> > >
> > > I guess it doesn't handle a case like the following:
> > >
> > > userPrincipalName: some.one@example.com
> > > sAMAccountName: some
> > >
> > > REALM: AD.EXAMPLE.PRIVATE
> > > DOMAIN: ADDOM
> > >
> > > If you ask for 'some.one@example.com' you should get
> > > back 'ADDOM\some' instead of 'ADDOM\some.one'.
> > >
> > > We may need to avoid using wcache_save_sid_to_name()
> > > within wb_cache_name_to_sid().
> >
> > Attached are tests for UPNs and fixes for it.
>
> OK Andreas, I'm reviewing this and I'd like some clarification
> on the changes in:
>
> [PATCH 4/5] winbind: Fix looking up the user via the UPN
>
> source3/winbindd/winbindd_lookupname.c
> source3/winbindd/winbindd_util.c
>
> In my understanding both of these fixes are ensuring that
> a upn name passed in as:
>
> user@realm
>
> is not being split into domname=realm, name=user
> components, but instead passed to winbindd as:
>
> domname=realm, name=user@realm
>
> Yes ? Can you add a comment explaining what
> is being passed to winbindd and why that change
> is needed, as well as a comment for the change
> in parse_domain_user() that explains why returning
> the upn user name is correct.
>
> I believe you're right :-), but this stuff is
> tricky enough that more comments here might help
> in future.

Thanks Jeremy, metze wants some changes in this patch and already sent me a
patch he started to work on. I will look into that today and make sure it
works. I will add the comments and send a new patchset.

Andreas
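
The UPN case quoted earlier in the thread, as an added example that is not part of the original message and is not Samba code: a simplified model showing why the account part of the result has to come from the resolved directory record rather than from the typed UPN. The directory table and the function names lookup_name, name_from_input and name_from_directory are hypothetical; the account values are the ones quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Constructed directory entry using the values quoted in the thread. */
struct account {
    const char *upn;     /* userPrincipalName */
    const char *sam;     /* sAMAccountName */
    const char *domain;  /* NetBIOS domain the lookup refers back to */
};

static const struct account directory[] = {
    { "some.one@example.com", "some", "ADDOM" },
};
#define N_ACCOUNTS (sizeof(directory) / sizeof(directory[0]))

/* Hypothetical name lookup: a UPN is matched as one whole string. */
static const struct account *lookup_name(const char *name)
{
    for (size_t i = 0; i < N_ACCOUNTS; i++) {
        if (strcmp(directory[i].upn, name) == 0) {
            return &directory[i];
        }
    }
    return NULL;
}

/* Flawed: domain from the lookup, account part cut out of the typed UPN. */
int name_from_input(const char *name, char *out, size_t len)
{
    const struct account *a = lookup_name(name);
    const char *at = strchr(name, '@');
    if (a == NULL || at == NULL) {
        return -1;
    }
    int n = snprintf(out, len, "%s\\%.*s", a->domain, (int)(at - name), name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Expected: both parts come from the record the lookup resolved to. */
int name_from_directory(const char *name, char *out, size_t len)
{
    const struct account *a = lookup_name(name);
    if (a == NULL) {
        return -1;
    }
    int n = snprintf(out, len, "%s\\%s", a->domain, a->sam);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}
```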