Hi,

we want to set up a samba-server with an ldap-backend (so far no problem, got this running already) but want the users to login to workstations using their email-address instead of a "normal" login-name.

I already figured out that I cannot add unix users with an "@" in their login neither via "useradd" nor via "smbldap-useradd", so I was thinking about some username-mapping ("username map" in smb.conf).

My question is: is it possible to map for example "me@home.com" to some sort of "me_at_home.com" or "me_at_home_com"? And if yes, what replacement for the "@" works best?

Please do not ask "why do you want to use email-addresses as login". This is a requirement from my boss and I can't do anything about it. At least not as long as I've got a definite "won't work" from you guys. :)

Thanks in advance.

Oliver Heering
Medienzentrum der Universität Dortmund
http://www.medienzentrum.uni-dortmund.de
Gerald (Jerry) Carter
2005-Nov-08 13:27 UTC
[Samba] Possible to have Email-Addresses as logins?
Oliver Heering wrote:
> Hi,
>
> we want to set up a samba-server with an ldap-backend (so far no
> problem, got this running already) but want the users to login to
> workstations using their email-address instead of a "normal"
> login-name.
>
> I already figured out that I cannot add unix users with an "@" in
> their login neither via "useradd" nor via "smbldap-useradd", so I was
> thinking about some username-mapping ("username map" in smb.conf).
>
> My question is: is it possible to map for example "me@home.com" to
> some sort of "me_at_home.com" or "me_at_home_com"? And if yes, what
> replacement for the "@" works best?

Yeah. I think this will work. Set up a user entry like

dn: ....
mail: foo@domain.com
uid: foo

and then include a username map script which is basically an

`ldapsearch .... "(mail=$1)" uid`

See the smb.conf(5) man page for details.

cheers, jerry

====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us." --anonymous
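Jerry's sketch (an entry carrying both mail and uid, plus a username map script that runs ldapsearch "(mail=$1)" uid) written out as a small script. This is an example added here, not code from the thread or from the Samba project; the smb.conf line, the base DN and host in run_ldapsearch, and the constructed SAMPLE_LDIF are assumptions. The detail worth not skipping: the name handed to the script is typed by whoever sits at the workstation, so it is escaped per RFC 4515 before it goes into the filter, the script refuses ambiguous answers (two entries with the same mail), and it only ever returns something that looks like a POSIX login name.

```python
#!/usr/bin/env python3
"""mail2uid: a hypothetical Samba 'username map script' (example code added
by the editor, not from the thread or the Samba project).

Assumed smb.conf line:
    username map script = /usr/local/bin/mail2uid
Samba runs the script with the client-supplied login as argv[1] and takes the
mapped name from stdout.  Assumed directory layout, as in Jerry's sketch:
an entry with 'mail: foo@domain.com' and 'uid: foo' under an assumed base DN.
"""
import base64
import re
import subprocess
import sys

# RFC 4515 filter escaping.  The login name is attacker-controlled input, so
# splicing it raw into "(mail=$1)" would let "*" or ")(uid=" rewrite the
# search; every special character is escaped first.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Only hand Samba a value that looks like a POSIX login name (conservative;
# widen the class if your uids use other characters).
_POSIX_NAME = re.compile(r"[a-z_][a-z0-9_-]*")

# Constructed sample of what `ldapsearch -LLL` prints for one entry,
# modelled on Craig's posted entry and trimmed; used by demo() only.
SAMPLE_LDIF = """\
dn: uid=craig,ou=People,dc=azapple,dc=com
mail: craig@azapple.com
uid: craig

"""


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(login: str) -> str:
    return "(&(objectClass=posixAccount)(mail=%s))" % escape_filter_value(login)


def parse_uid(ldif: str):
    """Return the single uid in ldapsearch's LDIF output, else None.

    Unfolds continuation lines (leading space), decodes 'uid::' base64 values
    and answers None when zero or several entries carry the mail address.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    uids = []
    for line in lines:
        if line.startswith("uid:: "):     # base64-encoded attribute value
            uids.append(base64.b64decode(line[6:].strip()).decode("utf-8", "replace"))
        elif line.startswith("uid: "):
            uids.append(line[5:].strip())
    return uids[0] if len(uids) == 1 else None


def run_ldapsearch(ldap_filter: str) -> str:
    """Anonymous-bind lookup against an assumed local directory; returns LDIF."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", "ldap://localhost",
           "-b", "ou=People,dc=example,dc=com", ldap_filter, "uid"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else ""


def map_login(login: str, search=run_ldapsearch) -> str:
    """Map 'me@home.com' to its uid; names without '@' pass through unchanged.

    An address that does not map cleanly is echoed back as-is, so Samba just
    fails the user lookup instead of trusting whatever the directory returned.
    """
    if "@" not in login:
        return login
    uid = parse_uid(search(build_filter(login)))
    if uid is None or not _POSIX_NAME.fullmatch(uid):
        return login
    return uid


def demo() -> str:
    """Offline run against the constructed sample instead of a live directory."""
    return map_login("craig@azapple.com", search=lambda _f: SAMPLE_LDIF)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mail2uid LOGIN")
    print(map_login(sys.argv[1]))
```

Samba invokes the script for every session setup, so keep it cheap (a single indexed search on mail, one attribute requested) and watch the Samba log for names that come back unmapped; a burst of unmapped lookups containing "*" or parentheses is the filter-injection attempt the escaping above neutralises.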
On Tue, 2005-11-08 at 14:00 +0100, Oliver Heering wrote:
> Hi,
>
> we want to set up a samba-server with an ldap-backend (so far no
> problem, got this running already) but want the users to login to
> workstations using their email-address instead of a "normal"
> login-name.
>
> I already figured out that I cannot add unix users with an "@" in
> their login neither via "useradd" nor via "smbldap-useradd", so I was
> thinking about some username-mapping ("username map" in smb.conf).
>
> My question is: is it possible to map for example "me@home.com" to
> some sort of "me_at_home.com" or "me_at_home_com"? And if yes, what
> replacement for the "@" works best?
>
> Please do not ask "why do you want to use email-addresses as login".
> This is a requirement from my boss and I can't do anything about it.
> At least not as long as I've got a definite "won't work" from you
> guys. :)
>
----
You could probably make it work, but at a cost of breaking other functions, which really doesn't make much sense.

I'm sure that your boss has a good idea in trying to mandate the setup, but he is apparently unaware that the best automation is that which operates with as little human intervention as possible.

Since it is impossible to have a posix account with the '@' symbol (and even if possible, a rather stupid thing to have a home directory with the '@' symbol), and a posix account is required by samba, the only way to accomplish the mandate would be for samba to use the 'mail' attribute within LDAP but fall back on the uid/cn attribute for posix, which cannot be accomplished without hacking the extremely complicated PADL stuff - which is certain to break in future upgrades.

You should point out to your boss that LDAP (like openldap) is rapidly changing and a broken setup today will simply generate much more difficulty in future upgrades, and when it comes to things like ACLs and file ownership, these things are incredibly tedious to fix afterwards.
A login account is actually much more than a login account. You can pretty much get SSO by using LDAP for posix and samba accounts by using the exact same uid/cn scheme and having both attributes, and have the email address simply the @domain.tld afterwards, and thereby have no issues with username mapping, which is a tedious manual task of maintenance.

For example...in my setup

[root@srv1 opt]# ldapsearch -x -h localhost -D 'cn=admin,dc=azapple,dc=com' -W '(uid=craig)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=craig)
# requesting: ALL
#

# craig, People, azapple.com
dn: uid=craig,ou=People,dc=azapple,dc=com
shadowLastChange: 12340
sambaLMPassword: passwd_hash_removed
sambaNTPassword: passwd_hash_removed
sn: White
givenName: Craig
sambaPwdCanChange: 1091395680
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1091395680
labeledURI: http://linuxserver/horde/kronolith/fb.php?c=craig
shadowMax: 99999
sambaProfilePath: \\srv1\profiles\craig
sambaLogonScript: logon.bat
cn: Craig White
uidNumber: 500
shadowWarning: 7
sambaPrimaryGroupSID: S-1-5-21-SID_REMOVED-513
sambaAcctFlags: [U ]
gecos: Craig White
userPassword:: passwd_has_removed
mail: craig@azapple.com
uid: craig
sambaHomePath: \\srv1\homes\craig
homeDirectory: /home/craig
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: top
objectClass: calEntry
gidNumber: 500
sambaDomainName: AZAPPLE
sambaSID: S-1-5-21-SID_REMOVED-1000
sambaHomeDrive: h:
calFBURL: http://srv1/horde/kronolith/fb.php?c=craig
loginShell: /bin/bash

My userPasswd and samba LM/NT passwords are the same, so I log into samba, log in to mail, web pages (using Authz_LDAP), etc. all with the same id (craig) and the same password. My email address is craig@azapple.com so there's little effort to anything at all. This seems to be the best of all worlds at the moment.
HTH

Craig

PS: for those interested, I use webmin <http://www.webmin.com> to create/maintain user accounts, and the above entry is created simply by entering the cn, givenname, sn, mail and password attributes; all the rest are automatically entered (but still changeable). I presume that much the same can be done with things like GQ, LAM, phpLDAPAdmin, etc. - choose your poison.