On Tue, 2004-02-10 at 06:32, Andrew Bartlett wrote: > On Tue, 2004-02-03 at 23:12, Brian J. Murrell wrote: > > I don't know for sure, but that is how I would expect it to work.
Me too, which is why the users would be instructed that they must use all lowercase when they type their account in, which I suspect is what they do anyway. > > But the problem then is that when the PDC returns usernames in the > > format "Firstname" (first letter capped), and they log in with > > "firstname", there is no matching account. What I mean by "PDC returns", is for example the output of a getent passwd. There are two things that winbind does for providing authentication systems for a mail system. Of course, it verifies a username/password pair with an yes/no type answer and for that I suppose it does not matter what the case mixture of the username is. However it also provides "getent passwd" type support so that an MTA (like Postfix) can query for the "existence" of a user (for determining if mail should be accepted or rejected) when an e-mail arrives for <a_user>@<domain>. It is this latter function that is being fouled up by mixed case usernames. To follow an example of where this is a problem, we have a user in the NT PDC as "Brian". An e-mail arrives for "[EMAIL PROTECTED]". First Postfix uses (the C library equivalent of) "getent" to get a list of users in the passwd database (of which it gets NT PDC users as well) and sees if "brian" is one of them. It is not. The getent function returned "Brian" from the NT PDC. Reject mail as "no such account here". If the getent function returned data from the NT PDC in lowercase this would not be a failure and the mail would be accepted and given off to Cyrus to deliver. Because we can force Cyrus to convert the recipient name to lowercase, we can control the case of the mailboxes. > There is a matching account, but not a matching IMAP folder. I'm > assuming this is what you mean anyway... Well there is this problem too, but this is solved by either educating the users to always enter their usernames in lowercase, or perhaps by using a PAM module/option which converts what they enter as a username into lowercase before doing anything else. > Samba Are you using Samba as a generic term encompassing winbind services? My issues only relate to getting information from winbind. > will answer to any username, and will return the user-name > *either* per the NT database, or as the user sent it (depending on the > backend). I would accept a patch that made samba 'forced' to lower > case. (It would lowercase all output, and force all input to be in > lower case). Well, it seems to me that forcing anything to lowercase in the case of winbind is only really relevant for the function(s) that answer queries to enumerate the database entries (getpwent for example). > Samba never gives information to PAM, only 'yes/no' on the password. It > does return information to nss_ldap however. Winbind does return data to getpwent type queries, and it's the username in this data being mixed case that is the problem. I'm not advocating the folding of case anywhere else in the Samba project at this point except for winbind returning data to getpwent type queries. > In some ways it is, but the main issue is in what users enter in logon > boxes... Yes, that is one issue, and it can be solved with education or other intervening technology (like PAM) but winbind still needs to have an option to force lowercase when returning data to "pwent" queries. b. -- My other computer is your Microsoft Windows server. Brian J. Murrell
signature.asc
Description: This is a digitally signed message part
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
