map_username() inconsistencies [was Re: [Samba] Re: ADS valid users can't map share]
Gerald (Jerry) Carter
jerry at samba.org
Thu Oct 21 02:21:09 GMT 2004

I've done some more digging and the username map stuff is a little
worse than I initially thought.

(a) when 'security = user', the username map is applied before
the password is checked.

(b) when 'security = ads', the username map is applied to
fully qualified names (domain\user) after the krb5 ticket
is checked. (see the next comment for NTLM).

(c) when 'security = domain' (or NTLM auth for ADS security),
the username map is applied to the login name only. The original
domain\user is still authenticated but the UNIX identity
is looked up in the username map.

So I guess that the cleanest way to fix this is to apply the username
map before checking authentication when validating users locally
and apply it after authentication for domain users (krb5 & ntlm).

How do people feel about this?

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
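
The three cases (a)-(c) listed in the message, as a simplified model added here; it is not Samba code and not part of the original post. The sample map entries, the function names and the mode labels `user`, `ads-krb5` and `domain-ntlm` are constructed for illustration, and the parser handles only plain `unix_name = client_name ...` lines.

```python
# Simplified model of cases (a)-(c) from the message. Not Samba code.
# The sample map, function names and mode labels are constructed here.
SAMPLE_MAP = """\
# unix_name = client_name [client_name ...]
admin = administrator
jsmith = CORP\\john
"""

def parse_username_map(text):
    """Parse 'unix = client ...' lines into {client_lower: unix}.
    Simplification: first match wins; '!', '@group' and '*' are not handled."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        unix, sep, clients = line.partition("=")
        if not sep:
            continue
        for client in clients.split():
            table.setdefault(client.lower(), unix.strip())
    return table

def resolve(mode, login, table):
    """Return (name_authenticated, map_key, mapped_unix_or_None, stage)."""
    _domain, _, user = login.rpartition("\\")
    if mode == "user":
        # (a) map applied first; the password check then sees the mapped name
        mapped = table.get(login.lower())
        return (mapped or login, login, mapped, "before-auth")
    if mode == "ads-krb5":
        key = login   # (b) fully qualified name, after the ticket is checked
    elif mode == "domain-ntlm":
        key = user    # (c) login name only; domain\user is what authenticated
    else:
        raise ValueError(f"unknown mode: {mode}")
    return (login, key, table.get(key.lower()), "after-auth")

if __name__ == "__main__":
    table = parse_username_map(SAMPLE_MAP)
    for mode, login in [("user", "administrator"),
                        ("ads-krb5", "CORP\\john"),
                        ("domain-ntlm", "CORP\\john"),
                        ("domain-ntlm", "CORP\\administrator")]:
        print(f"{mode:12} {login:20} -> {resolve(mode, login, table)}")
```

With the same map file, the qualified entry only takes effect on the krb5 path and the unqualified entry only on the NTLM path, so which UNIX identity a domain user receives depends on how the client authenticated.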