[Samba] still about winbind idmap customization

miolinux miolinux at libero.it
Wed Jul 18 14:11:06 GMT 2007


I've read the thread about idmap customization. I'm planning an
integration between Windows AD and MIT Kerberos, and I was very
interested in the subject.

Now we are authenticating Windows AD users against an MIT Kerberos realm
with a cross-domain trust, and with Windows clients everything works.

I.e., authentication is done with MIT Kerberos and authorization is done
with Windows AD.

Now I'm working to let Linux computers authenticate users. What I need
is to authenticate users against MIT Kerberos with pam_krb5 (user@REALM),
and get authorization from Windows AD (DOMAIN+user).

The main problem is that I can force users to append @REALM for
pam_krb5, but I need the user to be in the form "user" and not "DOMAIN+user"
for a domain that is not the "workgroup" of the computer.

Would it be much work to add a parameter to specify the winbind default
domain to be different from the computer's workgroup?

Even if a complete customization of user name and group name would be
preferred, a custom default domain could be enough for me.

Is this possible?



