[Samba] winbind idmap customization

Jerome Haltom wasabi at larvalstage.net
Thu Jul 12 15:13:42 GMT 2007


Then, at least, can lookups for 'username' return matches for 'DOM
\username'? This would make it act more Windows-like anyway, where the
user can log in using 'username' unless it conflicts with a local user.

On Fri, 2007-07-06 at 15:50 -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Gerald (Jerry) Carter wrote:
> 
> > Nope.  You haven't looked at how much trouble this would
> > be in the code.  For example, LookupSid() *always* returns
> > the sAMAccountName but LookupName() will resolve a UPN to
> > the same SID.
> > 
> > So the conversion is asymmetric.  UPN->SID->sAMAccountName.
> > But canonicalizing on the sAMAccountName does give you a
> > symmetric mapping.
> > 
> > Secondly, your 'unix' variant would break with trusted domains.
> > 
> > So yes, it is a bad idea for very real technical reasons.
> 
> I should clarify that you can easily convert from UPN
> to sAMAccountName and vice versa using the DsCrackNames
> calls but this requires a lot of plumbing we don't
> have currently and would be a fundamental change in
> design which would require a lot of code restabilization.
> 
> Or of course you can use LDAP queries but remember that
> machines do not have UPNs by default.  So what do you
> use then....?
> 
> cheers, jerry
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFGjqr5IR7qMdg1EfYRAp8cAKCXRYT54CMNBbnYUlRPsuDwErPfLACgoYQ3
> 7l3fIz4KrkEecX5dPZFDhFA=
> =5nEl
> -----END PGP SIGNATURE-----
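
Added note, not part of the thread: the behaviour Jerome asks for (a bare
'username' resolving to the same account as 'DOM\username') is what the
existing smb.conf option 'winbind use default domain' does for the joined
domain. The fragment below is an example written for this page, not
configuration posted by either participant; the domain name, realm and
id ranges are placeholders, and the per-domain idmap syntax shown is the
form used by Samba 3.6 and later (older releases spell it differently).

```ini
# Example smb.conf fragment (added here, not from the thread).
# DOM, DOM.EXAMPLE.COM and the id ranges are placeholders.
[global]
    workgroup = DOM
    realm = DOM.EXAMPLE.COM
    security = ads

    # Drop the "DOM\" prefix for accounts of the joined domain only,
    # so getpwnam("username") and getpwnam("DOM\username") return the
    # same entry. Trusted-domain users keep their "TRUSTED\" prefix.
    winbind use default domain = yes
    winbind separator = \

    # Default backend for SIDs from any other domain, plus a dedicated
    # deterministic RID mapping for the joined domain.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-999999
```

Two caveats follow directly from Jerry's points above. First, the
unprefixed name winbind hands back is the sAMAccountName, because
LookupSid always returns that form; a UPN such as user@dom.example.com
still resolves to the SID on lookup, but the reverse direction never
yields the UPN. Second, the prefix is only dropped for the primary
domain, so the trusted-domain objection still applies: 'TRUSTED\user'
is never reachable as plain 'user'. The "unless it conflicts with a
local user" part comes from nsswitch ordering rather than from Samba:
with 'passwd: files winbind' in /etc/nsswitch.conf, an /etc/passwd
entry of the same name wins.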


