[Samba] Question on proper handling of usernames

Christian McHugh christian.mchugh at nau.edu
Fri May 1 17:44:53 GMT 2009


Hi all,

I would like to try to start up a conversation about the "proper" handling of 
usernames by samba/winbind. I know our current active directory setup is not 
really considered supported via samba and I would like to know if the samba 
developers think this might change, or if there are any recommendations for my 
issues.

 *** Since this came out rather long, here is a quick summary...
Samba with "use default domain" is able to serve \\server\JOINED-
DOMAIN\username, but not \\server\OTHER-DOMAIN\username since it cannot lookup 
the user account in AD to be able to get the location of the home directory. 
In discussions with samba developers in the past I got the impression this is 
simply a WONT-FIX case, but for my environment I would really like it to work.
I am "just" a lowly systems administrator, and do not posses the necessary 
skill set to provide a patch to implement this, do I have any options?


 *** ... and the long version
Due to historical and political reasons, my university has two domains 
contained in a single forest: NAU for faculty and staff and NAU-STUDENTS for 
students. The problem arises in that many faculty/staff have at one point taken 
a class which means that they also have both an NAU and NAU-STUDENTS account. 
Additionally, we are using the rfc2307 AD attributes, and unix uid is the same 
for both accounts. So should a user log in from either domain they should be 
able to access the same mapped drive (I realize this is not technically 
supported by samba, but idmap_ad does work with this setup)

Currently in my college, we run a samba fileserver and all of our users have 
its drive mapped (we also have UNIX/Linux clients that have nfs mounted home 
dirs). We are currently using a third party product to handle pam/nsswitch 
which interprets a username as just username. Meaning NAU-STUDENTS\mcm75 or 
NAU\mcm75 are considered the same (since they share the same uid).

In testing samba 3.3 and later releases, as I stated, idmap_ad does seem to 
work (idmap_adex seems broken #5973) as far as a user from a windows host 
connecting. However, as an admin I do occasionally find myself needing to get 
into a user's homedirectory. In this case we have the admin users permission 
setup to allow this, as well as the use default domain parameter. This 
combination allows me to access home directories of users in the same domain 
as the server is joined, so in this case NAU-STUDENTS. The problem lies in 
trying to access home directories of users that only have accounts in NAU. At 
that point trying \\server\nau-only-username, samba/winbind are not able to 
resolve the username to lookup the location of the home directory to properly 
serve it out (#6188). I get the impression that the domain\username is 
considered more proper by the samba devs, but are there any plans to 
eventually support a domain lookup option? This could replace the current use 
default domain, such as:

lookup domains = NAU NAU-STUDENTS

where winbind when not finding a match on username, would first attempt a lookup 
on NAU\username followed by NAU-STUDENTS\username

Alternatively, do I have any other options as far as supporting the 
\\server\nau-only-username admin access problem?


Thank you,
Christian McHugh
Northern Arizona University



More information about the samba mailing list