[Samba] winbind idmap customization

Gerald (Jerry) Carter jerry at samba.org
Fri Jul 6 20:50:01 GMT 2007



Gerald (Jerry) Carter wrote:

> Nope.  You haven't looked at how much trouble this would
> be in the code.  For example, Lookupsid() *always* returns
> the sAMAccountName but LookupName() will resolve a UPN to
> the same SID.
> 
> So the conversion is asymmetric.  UPN->SID->sAMAccountName.
> But canonicalizing on the sAMAccountName does give you a
> symmetric mapping.
> 
> Secondly, your 'unix' variant would break with trusted domains.
> 
> So yes, it is a bad idea for very real technical reasons.

I should clarify that you can easily convert from UPN
to sAMAccountName and vice versa using the DsCrackNames
calls but this requires a lot of plumbing we don't
have currently and would be a fundamental change in
design which would require a lot of code restabilization.

Or of course you can use LDAP queries but remember that
machines do not have UPNs by default.  So what do you
use then....?




cheers, jerry



