samba - Nov 2005 - Possible to have Email-Adresses as logins?

Hi,

we want to set up a samba-server with an ldap-backend (so far no
problem, got this running already) but want the users to login to
workstations using their email-address instead of a "normal"
login-name.

I already figured out that i cannot add unix users with an "@" in
their login neither via "useradd" nor via "smbldap-useradd",
so i was
thinking about some username-mapping ("username map" in smb.conf).

My question is: is it possible to map for example "me@home.com" to
some sort of "me_at_home.com" or "me_at_home_com"? And if
yes, what
replacement for the "@" works best?

Please do not ask "why do you want to use email-addresses as login".
This is a requirement from my boss and i can't do anything about it.
At least not as long as i've got a definite "won't work" from
you
guys. :)

Thanks in advance.

Oliver Heering
Medienzentrum der Universit?t Dortmund
http://www.medienzentrum.uni-dortmund.de

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oliver Heering wrote:
> Hi,
> 
> we want to set up a samba-server with an ldap-backend (so far no
> problem, got this running already) but want the users to login to
> workstations using their email-address instead of a "normal"
> login-name.
> 
> I already figured out that i cannot add unix users with an "@" in
> their login neither via "useradd" nor via
"smbldap-useradd", so i was
> thinking about some username-mapping ("username map" in
smb.conf).
> 
> My question is: is it possible to map for example "me@home.com"
to
> some sort of "me_at_home.com" or "me_at_home_com"? And
if yes, what
> replacement for the "@" works best?
Yeah.  I think this will work.  Setup an user entry like

dn: ....
mail: foo@domain.com
uid: foo

and then include a username map script which is basically an
`ldapsearch .... "(mail=$1)" uid`

See the smb.conf(5) man page for details.






cheers, jerry
====================================================================Alleviating
the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."              
--anonymous
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDcKjHIR7qMdg1EfYRAv/4AJ97vfTeJCCzWzVqmQKNib0MQBDeMQCfRrbo
+yDoQJOCOtTc2MXt06uOQ40=uvF2
-----END PGP SIGNATURE-----

On Tue, 2005-11-08 at 14:00 +0100, Oliver Heering wrote:
> Hi,
> 
> we want to set up a samba-server with an ldap-backend (so far no
> problem, got this running already) but want the users to login to
> workstations using their email-address instead of a "normal"
> login-name.
> 
> I already figured out that i cannot add unix users with an "@" in
> their login neither via "useradd" nor via
"smbldap-useradd", so i was
> thinking about some username-mapping ("username map" in
smb.conf).
> 
> My question is: is it possible to map for example "me@home.com"
to
> some sort of "me_at_home.com" or "me_at_home_com"? And
if yes, what
> replacement for the "@" works best?
> 
> Please do not ask "why do you want to use email-addresses as
login".
> This is a requirement from my boss and i can't do anything about it.
> At least not as long as i've got a definite "won't work"
from you
> guys. :)
> 
----
You could probably make it work but at a cost of breaking other
functions which really doesn't make much sense. I'm sure that your boss
has a good idea in trying to mandate the setup but he is apparently
unaware that the best automation is that which operates with as little
human intervention as possible.

Since it is impossible to have a posix account with the '@' symbol (and
even if possible, a rather stupid thing to have a home directory with
the '@' symbol), and a posix account is required by samba, the only way
to accomplish the mandate would be for samba to use the 'mail' attribute
within LDAP but fall back on uid/cn attribute for posix which cannot be
accomplished without hacking the extremely complicated PADL stuff -
which is certain to break in future upgrades. You should point out to
your boss that LDAP (like openldap) is rapidly changing and a broken
setup today will simply generate much more difficulty in future upgrades
and when it comes to things like ACL's and file ownership, these things
are incredibly tedious to fix afterwards. A login account is actually
much more than a login account.

You can pretty much get SSO by using LDAP for posix and samba accounts
by using the exact same uid/cn scheme and having both attributes and
have the email address simply the @domain.tld afterwards and thereby
have no issues with username mapping which is a tedious manual task of
maintenance.

For example...in my setup

[root@srv1 opt]# ldapsearch -x -h localhost -D
'cn=admin,dc=azapple,dc=com' -W '(uid=craig)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=craig)
# requesting: ALL
#

# craig, People, azapple.com
dn: uid=craig,ou=People,dc=azapple,dc=com
shadowLastChange: 12340
sambaLMPassword: passwd_hash_removed
sambaNTPassword: passwd_hash_removed
sn: White
givenName: Craig
sambaPwdCanChange: 1091395680
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1091395680
labeledURI: http://linuxserver/horde/kronolith/fb.php?c=craig
shadowMax: 99999
sambaProfilePath: \\srv1\profiles\craig
sambaLogonScript: logon.bat
cn: Craig White
uidNumber: 500
shadowWarning: 7
sambaPrimaryGroupSID: S-1-5-21-SID_REMOVED-513
sambaAcctFlags: [U          ]
gecos: Craig White
userPassword:: passwd_has_removed
mail: craig@azapple.com
uid: craig
sambaHomePath: \\srv1\homes\craig
homeDirectory: /home/craig
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: top
objectClass: calEntry
gidNumber: 500
sambaDomainName: AZAPPLE
sambaSID: S-1-5-21-SID_REMOVED-1000
sambaHomeDrive: h:
calFBURL: http://srv1/horde/kronolith/fb.php?c=craig
loginShell: /bin/bash

my userPasswd, samba-LM/NT_passwords are the same so I log into samba,
log in to mail, web pages (using Authz_LDAP), etc. all with the same id
(craig) and the same password. My email address is craig@azapple.com so
there's little effort to anything at all. This seems to be the best of
all worlds at the moment.

HTH

Craig

PS: for those interested, I use webmin <http://www.webmin.com> to
create/maintain user accounts and the above entry is created simply by
entering cn, givenname, sn, mail, password attributes and all the rest
are automatically entered (but still changeable). I presume that much
the same can be done with things like GQ, LAM, phpLDAPAdmin, etc. -
choose your poison.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.