[Samba] winbind and case sensitivity
abartlet at samba.org
Tue Feb 10 11:32:14 GMT 2004
On Tue, 2004-02-03 at 23:12, Brian J. Murrell wrote:
> On Tue, 2004-02-03 at 04:11, Andrew Bartlett wrote:
> > The problem is, for a plaintext login, the IMAP server is almost
> > certainly just copying the username internally, so there is almost
> > nothing we can do about it.
> i.e. you mean cyrus imap will just copy and use whatever the user types
I don't know for sure, but that is how I would expect it to work.
> That is fine. I don't mind telling all of the users that they _must_
> log in with lowercase letters now, no using caps. They will then have
> all lowercase imap mailboxes and cyrus will force delivery into
> lowercase mailboxes.
> But the problem then is that when the PDC returns usernames in the
> format "Firstname" (first letter capped), and they log in with
> "firstname", there is no matching account.
There is a matching account, but not a matching IMAP folder. I'm
assuming this is what you mean anyway...
> If I could instruct
> winbind(d?) to simply fold the uppercase letters into lowercase, then
> there is an account that matches what the user typed and will work for
> authentication because NT is case insensitive.
Samba will answer to any username, and will return the user-name
*either* per the NT database, or as the user sent it (depending on the
backend). I would accept a patch that made samba 'forced' to lower
case. (It would lowercase all output, and force all input to be in
> It seems to be that the simplest fix is to ask winbind to force the caps
> into lowercase before giving the info to PAM.
Samba never gives information to PAM, only 'yes/no' on the password. It
does return information to nss_ldap however.
> > For NTLMSSP based logins (see my patch to cyrus-sasl back in January) I
> > handle this stuff, because we can return the username.
> Interesting. I will take a look. But this problem is more general than
> just cyrus imap and having winbind fold the uppercase letters into
> lowercase letters seems like a nice general solution, no?
In some ways it is, but the main issue is in what users enter in logon
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net