Dominik Schuppli
2005-Nov-28 13:14 UTC
[Samba] NT/UNIX username mapping possible directly via tdbsam?
Hello everyone, I've been wondering if NT and UNIX username mapping can be done directly via the SAM database instead of the 'username map = <filename>' option in smb.conf. The problem with 'username map' files is that the mappings seem to work only in one direction, namely from NT towards UNIX usernames. However, I'd like to achieve a true, bi-directional one-to-one mapping, e.g. between UNIX username 'root' and NT username 'Administrator'. The command 'pdbedit -Lv <username>' shows separate fields for both UNIX and NT usernames. (I'm using the tdbsam backend, btw.) Will Samba operate correctly if those entries contain different usernames? I've enhanced 'pdbedit' on my system so that it allows manipulation of the 'NT username' field. Is this smart or stupid? I haven't yet had the opportunity to try this in a working Samba environment. Maybe someone has technical advice or knowledge on what I'm trying to do? Thanks, Dominik -- http://www.fastmail.fm - Faster than the air-speed velocity of an unladen european swallow
Gerald (Jerry) Carter
2005-Nov-28 18:35 UTC
[Samba] NT/UNIX username mapping possible directly via tdbsam?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dominik Schuppli wrote: | Hello everyone, | | I've been wondering if NT and UNIX username mapping can | be done directly via the SAM database instead of | the 'username map = <filename>' option in smb.conf. | | The problem with 'username map' files is that the | mappings seem to work only in one direction, namely | from NT towards UNIX usernames. However, I'd like | to achieve a true, bi-directional one-to-one | mapping, e.g. between UNIX username 'root' and NT | username 'Administrator'. What would you expect by "going in the reverse direction"? Can you give me an example? | The command 'pdbedit -Lv <username>' shows separate fields | for both UNIX and NT usernames. (I'm using the tdbsam | backend, btw.) Will Samba operate correctly if those | entries contain different usernames? I think the nt user name is essentially unused. | I've enhanced 'pdbedit' on my system so that it | allows manipulation of the 'NT username' field. Is this smart | or stupid? I haven't yet had the opportunity to try | this in a working Samba environment. Maybe someone | has technical advice or knowledge on what I'm trying to do? cheers, jerry ====================================================================Alleviating the pain of Windows(tm) ------- http://www.samba.org GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc "There's an anonymous coward in all of us." --anonymous -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDi03sIR7qMdg1EfYRAm0pAKDUSLwpiYRbIgXmkEnaf+2QQm04NACg3Vrk MkEzA6V2lqGShw8AJNR3FBg=Htvj -----END PGP SIGNATURE-----
Dominik Schuppli
2005-Nov-28 22:45 UTC
[Samba] NT/UNIX username mapping possible directly via tdbsam?
Hello everyone, I've been wondering if NT and UNIX username mapping can be done directly via the SAM database instead of the 'username map = <filename>' option in smb.conf. The problem with 'username map' files is that the mappings seem to work only in one direction, namely from NT towards UNIX usernames. However, I'd like to achieve a true, bi-directional one-to-one mapping, e.g. between UNIX username 'root' and NT username 'Administrator'. The command 'pdbedit -Lv <username>' shows separate fields for both UNIX and NT usernames. (I'm using the tdbsam backend, btw.) Will Samba operate correctly if those entries contain different usernames? I've enhanced 'pdbedit' on my system so that it allows manipulation of the 'NT username' field. Is this smart or stupid? I haven't yet had the opportunity to try this in a working Samba environment. Maybe someone has technical advice or knowledge on what I'm trying to do? Thanks, Dominik
Dominik Schuppli
2005-Nov-29 12:08 UTC
[Samba] NT/UNIX username mapping possible directly via tdbsam?
"Gerald (Jerry) Carter" <jerry@samba.org> said:> | The problem with 'username map' files is that the > | mappings seem to work only in one direction, namely > | from NT towards UNIX usernames. However, I'd like > | to achieve a true, bi-directional one-to-one > | mapping, e.g. between UNIX username 'root' and NT > | username 'Administrator'. > > What would you expect by "going in the reverse direction"? > Can you give me an example?Certainly. Assume again that I want to map UNIX username 'root' to Windows username 'Administrator' (and vice versa). Let's say I have a file on a UNIX machine owned by 'root'. When I then look at this file's security properties on a Windows machine (via Samba share) I will see a entry for 'DOMAIN\root'. I would prefer to see 'DOMAIN\Administrator'. The reason for this is that I am migrating an NT4 domain to Samba. Some users have quite long NT usernames, and I want to keep the corresponding UNIX account names short (max. 8 characters). However, it would be nice if this username change would be completely transparent (ie. not noticeable on Windows domain member clients). Understand that getting this to work is not essential, however it would make the server migration even more perfect and potentially avoid confusion with some users.> | The command 'pdbedit -Lv <username>' shows separate fields > | for both UNIX and NT usernames. > > I think the nt user name is essentially unused.Ah. That'd explain why 'pdbedit' doesn't have an option to manipulate this entry. :-) -- Dominik -- http://www.fastmail.fm - Access all of your messages and folders wherever you are
Possibly Parallel Threads
- Practical guide to migrate from tdbsam to ldapsam
- Samba3-beta1 as a PDC and using tdbsam as passdb backend it takes the home-directory info from /etc/passwd
- pdbedit: importing smbpasswd to tdbsam
- tattooing of tdbsam backend with logon script value
- Are tdbsam and smbpasswd linked?