Suggestion: make Winbindd more Active-Directory-alike
Luke Howard
lukeh at PADL.COM
Wed Nov 28 06:34:03 GMT 2001
Don't forget that Active Directory supports user principal names
which don't have to relate to the "downlevel" user and domain
names. They are resolved against the global catalog. Microsoft
added a new nametype to Kerberos to support these (which is
why, if you logon with your UPN to W2K, and say try running the
sample SSPI client against a MIT GSS-API server, your principal
name will look something like "lukeh\@nt.padl.com at NT.PADL.COM").
Anyway, it would be very useful to support these in winbind. I
think you can do this now with our nss_ldap and pam_ldap modules,
if the host PAM application supports template users -- you logon
as (say) lukeh at nt.padl.com, pam_ldap looks up
(userPrincipalname=lukeh at nt.padl.com)
and then reads some other attribute (like mSSFUName) to get
the UNIX username. The catch is that the host application needs
to check whether the PAM username has changed in order. I think
only FreeBSD does this.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
More information about the samba-technical
mailing list