[Samba] winbind idmap customization

Gerald (Jerry) Carter jerry at samba.org
Fri Jul 6 20:45:12 GMT 2007

Hash: SHA1

Jerome Haltom wrote:
> Okay, I agree then. There are a set of standard ways of representing a
> user name on a domain. There is 'NT\username', there is
> 'username at REALM'. And there is 'username'.
> Is it so bad to think that username at REALM should be desired? I desire it
> because I have non-Windows related things that use plain Kerberos
> realms, and they use this form. And I like it. There is no short NT4
> style name in these circumstances.
> Perhaps then just a single option for the single canonical version?
> "unix", "nt", "realm".
> winbind canonical form = realm
> All look ups of all forms would be mapped to this single representation.
> That way users could login using any.

Nope.  You haven't looked at how much trouble this would
be in the code.  For example, Lookupsid() *always* returns
the sAMAcountName but LookupName() will resolve a UPN to
the same SID.

So The conversion is asymetric.  UPN->SID->sAMAcountName.
But canonicalizing on the sAMAccountName does give you a
symmetic mapping.

Secondly, your 'unix' variant would break with trusted domains.

So yes, it is a bad idea for very real technical reasons.

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list