[Samba] winbind idmap customization
Gerald (Jerry) Carter
jerry at samba.org
Fri Jul 6 20:45:12 GMT 2007
Jerome Haltom wrote:
> Okay, I agree then. There are a set of standard ways of representing a
> user name on a domain. There is 'NT\username', there is
> 'username@REALM'. And there is 'username'.
>
> Is it so bad to think that username@REALM should be desired? I desire it
> because I have non-Windows related things that use plain Kerberos
> realms, and they use this form. And I like it. There is no short NT4
> style name in these circumstances.
>
> Perhaps then just a single option for the single canonical version?
> "unix", "nt", "realm".
>
> winbind canonical form = realm
>
> All lookups of all forms would be mapped to this single representation.
> That way users could log in using any.
Nope. You haven't looked at how much trouble this would
be in the code. For example, LookupSid() *always* returns
the sAMAccountName but LookupName() will resolve a UPN to
the same SID.
So the conversion is asymmetric: UPN->SID->sAMAccountName.
But canonicalizing on the sAMAccountName does give you a
symmetric mapping.
Secondly, your 'unix' variant would break with trusted domains.
So yes, it is a bad idea for very real technical reasons.
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
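A constructed model of the asymmetry Jerry describes, added here as an example that is not Samba code and not something either poster wrote. The directory table, SIDs, domain names and realms are all made up; `lookup_name()` and `lookup_sid()` only loosely mirror the roles of LookupName() and LookupSid(). It shows that a UPN does not survive the round trip through a SID while DOMAIN\sAMAccountName does, and that a bare "unix" style name collides as soon as a trusted domain reuses a login name.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed toy directory: two domains with a trust, one reused login name.
@dataclass(frozen=True)
class Account:
    sid: str          # constructed sample SID
    domain: str       # NetBIOS domain name (NT4 style)
    realm: str        # Kerberos realm
    sam_account: str  # sAMAccountName
    upn: str          # userPrincipalName (may differ from sam_account@realm)

DIRECTORY: List[Account] = [
    Account("S-1-5-21-1-1-1-1001", "CORP", "CORP.EXAMPLE", "jhaltom", "jerome@corp.example"),
    Account("S-1-5-21-1-1-1-1002", "CORP", "CORP.EXAMPLE", "jcarter", "jerry@corp.example"),
    Account("S-1-5-21-2-2-2-1001", "LAB", "LAB.EXAMPLE", "jhaltom", "jh@lab.example"),
]


def _accepted_forms(acct: Account) -> Set[str]:
    """All name forms the model resolves for one account, lower-cased."""
    return {
        f"{acct.domain}\\{acct.sam_account}".lower(),   # NT\username
        f"{acct.sam_account}@{acct.realm}".lower(),     # implicit UPN
        acct.upn.lower(),                               # explicit UPN
    }


def lookup_name(name: str) -> Optional[str]:
    """Name -> SID: accepts NT4 style, implicit UPN and explicit UPN."""
    wanted = name.lower()
    for acct in DIRECTORY:
        if wanted in _accepted_forms(acct):
            return acct.sid
    return None


def lookup_sid(sid: str) -> Optional[str]:
    """SID -> name: always DOMAIN\\sAMAccountName, never the UPN."""
    for acct in DIRECTORY:
        if acct.sid == sid:
            return f"{acct.domain}\\{acct.sam_account}"
    return None


def round_trip(name: str) -> Optional[str]:
    """name -> SID -> name, the path winbind effectively walks."""
    sid = lookup_name(name)
    return lookup_sid(sid) if sid else None


def is_symmetric(name: str) -> bool:
    """True if the round trip hands back the form we started with."""
    result = round_trip(name)
    return result is not None and result.lower() == name.lower()


def unix_collisions() -> Dict[str, Set[str]]:
    """The 'unix' variant (bare sAMAccountName): names owned by more than one SID."""
    owners: Dict[str, Set[str]] = {}
    for acct in DIRECTORY:
        owners.setdefault(acct.sam_account.lower(), set()).add(acct.sid)
    return {name: sids for name, sids in owners.items() if len(sids) > 1}


if __name__ == "__main__":
    for form in ("jerome@corp.example", "jhaltom@CORP.EXAMPLE", "CORP\\jhaltom"):
        print(f"{form:24} -> {round_trip(form)!s:16} symmetric={is_symmetric(form)}")
    print("bare-name collisions across trusted domains:", unix_collisions())
```

Running it shows both UPN forms resolving to the same SID as `CORP\jhaltom` but coming back as `CORP\jhaltom`, so only the sAMAccountName form is a fixed point of the round trip; the bare name `jhaltom` is ambiguous because the trusted LAB domain owns one too.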