Re: [Samba] winbind idmap customization
Jerome Haltom wrote:
> I have. This doesn't work. If I set it to "yes", then lookups for 'DOM\user' resolve to 'user'. I want everything to resolve to 'DOM\user'. Even lookups for 'user'.

Ahh.. my bad. I misread the original report. What you want is support for aliases, which I have in a private branch. It's a little tricky since there are limitations to how well the feature can work. Basically I just added the alias<->login name translation as a shim just before and after the lookupname and lookupsid calls.

jerry

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind idmap customization
I have. This doesn't work. If I set it to "yes", then lookups for 'DOM\user' resolve to 'user'. I want everything to resolve to 'DOM\user'. Even lookups for 'user'.

If I set it to "no", then lookups for 'DOM\user' resolve to 'DOM\user', but lookups for 'user' do not match at all. 'user' should resolve to 'DOM\user'.

On Thu, 2007-07-12 at 10:17 -0500, Gerald (Jerry) Carter wrote:
> Jerome Haltom wrote:
> > Then, at least, can lookups for 'username' return matches for 'DOM\username'? This would make it act more windows-like, anyways, where the user can login using 'username', unless it conflicts with a local user.
>
> Please read smb.conf(5) and look at the 'winbind use default domain' option.
>
> jerry
Re: [Samba] winbind idmap customization
Jerome Haltom wrote:
> Then, at least, can lookups for 'username' return matches for 'DOM\username'? This would make it act more windows-like, anyways, where the user can login using 'username', unless it conflicts with a local user.

Please read smb.conf(5) and look at the 'winbind use default domain' option.

jerry
Re: [Samba] winbind idmap customization
Then, at least, can lookups for 'username' return matches for 'DOM\username'? This would make it act more windows-like, anyways, where the user can login using 'username', unless it conflicts with a local user.

On Fri, 2007-07-06 at 15:50 -0500, Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
> > Nope. You haven't looked at how much trouble this would be in the code. For example, LookupSid() *always* returns the sAMAccountName but LookupName() will resolve a UPN to the same SID.
> >
> > So the conversion is asymmetric: UPN->SID->sAMAccountName. But canonicalizing on the sAMAccountName does give you a symmetric mapping.
> >
> > Secondly, your 'unix' variant would break with trusted domains.
> >
> > So yes, it is a bad idea for very real technical reasons.
>
> I should clarify that you can easily convert from UPN to sAMAccountName and vice versa using the DsCrackNames calls, but this requires a lot of plumbing we don't have currently and would be a fundamental change in design which would require a lot of code restabilization.
>
> Or of course you can use LDAP queries, but remember that machines do not have UPNs by default. So what do you use then?
>
> cheers, jerry
Re: [Samba] winbind idmap customization
Gerald (Jerry) Carter wrote:
> Nope. You haven't looked at how much trouble this would be in the code. For example, LookupSid() *always* returns the sAMAccountName but LookupName() will resolve a UPN to the same SID.
>
> So the conversion is asymmetric: UPN->SID->sAMAccountName. But canonicalizing on the sAMAccountName does give you a symmetric mapping.
>
> Secondly, your 'unix' variant would break with trusted domains.
>
> So yes, it is a bad idea for very real technical reasons.

I should clarify that you can easily convert from UPN to sAMAccountName and vice versa using the DsCrackNames calls, but this requires a lot of plumbing we don't have currently and would be a fundamental change in design which would require a lot of code restabilization.

Or of course you can use LDAP queries, but remember that machines do not have UPNs by default. So what do you use then?

cheers, jerry
Re: [Samba] winbind idmap customization
Jerome Haltom wrote:
> Okay, I agree then. There are a set of standard ways of representing a user name on a domain. There is 'NT\username', there is '[EMAIL PROTECTED]'. And there is 'username'.
>
> Is it so bad to think that [EMAIL PROTECTED] should be desired? I desire it because I have non-Windows related things that use plain Kerberos realms, and they use this form. And I like it. There is no short NT4 style name in these circumstances.
>
> Perhaps then just a single option for the single canonical version? "unix", "nt", "realm".
>
> winbind canonical form = realm
>
> All lookups of all forms would be mapped to this single representation. That way users could login using any.

Nope. You haven't looked at how much trouble this would be in the code. For example, LookupSid() *always* returns the sAMAccountName but LookupName() will resolve a UPN to the same SID.

So the conversion is asymmetric: UPN->SID->sAMAccountName. But canonicalizing on the sAMAccountName does give you a symmetric mapping.

Secondly, your 'unix' variant would break with trusted domains.

So yes, it is a bad idea for very real technical reasons.

cheers, jerry
=
Samba    --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
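The round trip Jerry describes here (LookupName() accepts a UPN or DOM\user and returns a SID; LookupSid() only ever hands back DOM\sAMAccountName; a bare 'unix' canonical form collides once a trusted domain is in play), together with the 'winbind use default domain' behaviour Jerome reports and the alias shim Jerry mentions in the replies at the top of this thread, modelled as a small script. This is an added example, not Samba or winbind code: the directory entries, SIDs, UPN suffixes, the TRUSTED domain and the alias table are constructed sample data, and the function names are mine rather than winbind's internal API.

```python
"""Model of winbind's name <-> SID round trip and the canonical-form problem.

Added example, not Samba code. Directory contents, SIDs and aliases below are
constructed; function names are illustrative, not winbind internals.
"""
from typing import Dict, List, Optional

SEPARATOR = "\\"        # smb.conf 'winbind separator' default
DEFAULT_DOMAIN = "AD"   # the domain this member server is joined to

# (domain, sAMAccountName, userPrincipalName or None, SID). Constructed data:
# both domains have a 'lizard', and the machine account has no UPN by default,
# which is the case Jerry raises.
DIRECTORY = [
    ("AD",      "lizard",   "lizard@ad.example.com",      "S-1-5-21-1-1-1-1106"),
    ("TRUSTED", "lizard",   "lizard@trusted.example.net", "S-1-5-21-2-2-2-1106"),
    ("AD",      "lee.zard", "lee@ad.example.com",         "S-1-5-21-1-1-1-1107"),
    ("AD",      "WKSTN01$", None,                         "S-1-5-21-1-1-1-1200"),
]


def lookup_name(name: str, use_default_domain: bool = False) -> Optional[str]:
    """LookupName(): DOM\\sam or a UPN resolves to a SID. With
    'winbind use default domain = yes' a bare name is tried in DEFAULT_DOMAIN."""
    n = name.lower()
    for domain, sam, upn, sid in DIRECTORY:
        if n == f"{domain}{SEPARATOR}{sam}".lower():
            return sid
        if upn is not None and n == upn.lower():
            return sid
        if use_default_domain and domain == DEFAULT_DOMAIN and n == sam.lower():
            return sid
    return None


def lookup_sid(sid: str, use_default_domain: bool = False) -> Optional[str]:
    """LookupSid(): always returns the sAMAccountName form, never the UPN.
    The default-domain option only drops the 'DOM\\' prefix for DEFAULT_DOMAIN;
    accounts from trusted domains keep it."""
    for domain, sam, _upn, s in DIRECTORY:
        if s == sid:
            if use_default_domain and domain == DEFAULT_DOMAIN:
                return sam
            return f"{domain}{SEPARATOR}{sam}"
    return None


def canonical(name: str, use_default_domain: bool = False) -> Optional[str]:
    """Name -> SID -> name: the name 'getent passwd NAME' would report."""
    sid = lookup_name(name, use_default_domain)
    return None if sid is None else lookup_sid(sid, use_default_domain)


def bare_name_collisions() -> Dict[str, List[str]]:
    """Why a 'unix' (bare sAMAccountName) canonical form breaks with trusts:
    one short name would have to stand for several different SIDs."""
    seen: Dict[str, List[str]] = {}
    for _domain, sam, _upn, sid in DIRECTORY:
        seen.setdefault(sam.lower(), []).append(sid)
    return {sam: sids for sam, sids in seen.items() if len(sids) > 1}


# Alias shim in the shape Jerry describes: translate just before LookupName()
# and just after LookupSid(). Keys are login names winbind understands,
# values are the aliases the admin wants to type and see. Constructed table.
ALIASES = {"AD\\lizard": "lizard@ad.example.com"}
_REVERSE = {alias.lower(): login for login, alias in ALIASES.items()}


def canonical_with_alias(name: str) -> Optional[str]:
    login = _REVERSE.get(name.lower(), name)      # alias -> login name, pre-lookup
    result = canonical(login)
    if result is None:
        return None
    return ALIASES.get(result, result)            # login name -> alias, post-lookup


if __name__ == "__main__":
    for n in ("AD\\lizard", "lizard@ad.example.com", "lizard", "TRUSTED\\lizard"):
        print(f"{n:28} no-default: {canonical(n)!s:16} default: {canonical(n, True)}")
    print("bare-name collisions:", bare_name_collisions())
    print("with alias shim:", canonical_with_alias("lizard@ad.example.com"))
```

Two things worth noting when reading the output. The UPN form goes in and the sAMAccountName form comes out, so no setting of 'winbind use default domain' gives Jerome a UPN-shaped canonical name without the alias shim, and the shim only covers names in its table (TRUSTED\lizard is returned unchanged). And the collision check is the security-relevant part of Jerry's trusted-domain objection: a bare-name canonical form would give two distinct SIDs the same Unix identity; with 'winbind use default domain = yes' you also rely on the nsswitch.conf order to decide whether a bare 'lizard' is the local account or the domain one, which is the conflict Jerome's own message anticipates.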
Re: [Samba] winbind idmap customization
Okay, I agree then. There are a set of standard ways of representing a user name on a domain. There is 'NT\username', there is '[EMAIL PROTECTED]'. And there is 'username'.

Is it so bad to think that [EMAIL PROTECTED] should be desired? I desire it because I have non-Windows related things that use plain Kerberos realms, and they use this form. And I like it. There is no short NT4 style name in these circumstances.

Perhaps then just a single option for the single canonical version? "unix", "nt", "realm".

winbind canonical form = realm

All lookups of all forms would be mapped to this single representation. That way users could login using any.

On Fri, 2007-07-06 at 19:46 +, simo wrote:
> madness slip in again. Not unless it is really really necessary.
Re: [Samba] winbind idmap customization
On Fri, 2007-07-06 at 14:40 -0500, Gerald (Jerry) Carter wrote:
> Jerome Haltom wrote:
> > Would it be much work to add some sort of format string policy to smb.conf to govern this mapping?
> >
> > winbind user name = [EMAIL PROTECTED]
> > winbind group name = [EMAIL PROTECTED]
> >
> > This would ideally allow lookups for all of the various possibilities to resolve to the single canonical name.
>
> Yup. It would be a huge amount of work with no benefit IMO.

It would also make the code a lot more fragile imo; we have already been bitten by the winbind separator and winbind use default domain, so let's not allow madness to slip in again. Not unless it is really really necessary.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
Re: [Samba] winbind idmap customization
Jerome Haltom wrote:
> Would it be much work to add some sort of format string policy to smb.conf to govern this mapping?
>
> winbind user name = [EMAIL PROTECTED]
> winbind group name = [EMAIL PROTECTED]
>
> This would ideally allow lookups for all of the various possibilities to resolve to the single canonical name.

Yup. It would be a huge amount of work with no benefit IMO.

cheers, jerry
Re: [Samba] winbind idmap customization
Would it be much work to add some sort of format string policy to smb.conf to govern this mapping?

winbind user name = [EMAIL PROTECTED]
winbind group name = [EMAIL PROTECTED]

This would ideally allow lookups for all of the various possibilities to resolve to the single canonical name.

On Fri, 2007-07-06 at 09:12 -0500, Gerald (Jerry) Carter wrote:
> Jerome Haltom wrote:
> > I would like to have winbind map all of my AD users to their full [EMAIL PROTECTED] form on the Linux domain members. I'd like lookups to be properly canonical. Is this possible?
>
> No. But I do have a patch pending that does the reverse:
>
> $ getent passwd [EMAIL PROTECTED]
> AD\lizard:*:100026:10:Lee Zard:/home/win/AD/lizard:/bin/bash
>
> cheers, jerry
Re: [Samba] winbind idmap customization
Jerome Haltom wrote:
> I would like to have winbind map all of my AD users to their full [EMAIL PROTECTED] form on the Linux domain members. I'd like lookups to be properly canonical. Is this possible?

No. But I do have a patch pending that does the reverse:

$ getent passwd [EMAIL PROTECTED]
AD\lizard:*:100026:10:Lee Zard:/home/win/AD/lizard:/bin/bash

cheers, jerry
[Samba] winbind idmap customization
I would like to have winbind map all of my AD users to their full [EMAIL PROTECTED] form on the Linux domain members. I'd like lookups to be properly canonical. Is this possible?

'getent passwd user' should return:

[EMAIL PROTECTED]:*:1786588783:1786588745:Mr Man:/home/whatever:/bin/bash

I'm finding my options are to either have the local names be plain, unprefixed, or prefixed, but without the ability to do canonical mappings. It can either be `user` or `DOM\user`. But if it's DOM\user, lookups for 'user' don't work properly.