[Samba] Change samba username with tdbsam backend

John H Terpstra jht at samba.org
Fri Feb 19 23:32:43 MST 2010


On 02/19/2010 11:41 PM, Jeremy Allison wrote:
> On Fri, Feb 19, 2010 at 08:33:36PM -0600, John H Terpstra wrote:
>>
>> There exists no simple, portable tool that can affect the type of change
>> you are seeking.  At the best of times, this is a complex
>> administrative task that requires knowledge of the consequences of each
>> step taken.  A failure to apprehend such consequences will lead to
>> interesting observations and results.
> 
> The correct way to do this is for winbindd to be able
> to fully specify UNIX accounts internally (i.e. inside
> its own equivalent of /etc/passwd, /etc/shadow, and
> tdbsam). We used to have this capability in winbindd
> but it got removed a long time ago (around the early
> Samba 3.0.x timeframe I recall) as no one made use of
> it.

Samba has from the outset implicitly viewed all Windows security objects
from the perspective of a UNIX user or group account. This is one of
Samba's Achilles heels.  It would have been much easier had we
implemented a selectable way of mapping Windows security objects (users,
groups, trust accounts, etc.) to UNIX accounts.

For example, it would have been possible to map a Windows group such as
the "Domain Users" account to a particular UNIX user _OR_ group, without
requiring explicit mapping of MS Windows users to a discrete UNIX user
account and Windows groups to a discrete UNIX group.

Had we kept a barrier between the Windows world and the UNIX world that
allows flexible mapping to a UNIX user _OR_ group account, we would have
had a really nifty and flexible environment.  We now have kind of a
prison that forces a lot of complex constraints on the UNIX admin.

> I've been thinking of resurrecting this again at some
> point.

Is this really a good idea? I'm not sure.

> If winbindd is the full controller of local account
> info then normal RPC tools can change an account name
> by simply changing the stored "name" property in the
> database.

Agreed.  Think of the flexibility this would provide in respect of ACLs
handling too!  A disconnection of the tie between the Windows and UNIX
worlds has considerable merit.

> I'll start thinking about adding this back into winbindd
> as a "winbindd local accounts" option. Probably would
> do it differently from the earlier implementation now
> though :-).

Before we do this, please let us fundamentally rethink the best way to
architect the relationship between the Windows and UNIX worlds. For
example, how would this impact the Global vs. Local Windows account
infrastructure?  A fully flexible mapping system could also replace the
need for much of the current IDMAP infrastructure.

Maybe it is time to awake from the dream, hopefully not to the
realization that it was actually a nightmare. ;-)

- John T.