Dominik Schuppli
2005-Nov-28 13:14 UTC
[Samba] NT/UNIX username mapping possible directly via tdbsam?
Hello everyone,

I've been wondering if NT and UNIX username mapping can be done directly via the SAM database instead of the 'username map = <filename>' option in smb.conf.

The problem with 'username map' files is that the mappings seem to work only in one direction, namely from NT towards UNIX usernames. However, I'd like to achieve a true, bi-directional one-to-one mapping, e.g. between UNIX username 'root' and NT username 'Administrator'.

The command 'pdbedit -Lv <username>' shows separate fields for both UNIX and NT usernames. (I'm using the tdbsam backend, btw.) Will Samba operate correctly if those entries contain different usernames?

I've enhanced 'pdbedit' on my system so that it allows manipulation of the 'NT username' field. Is this smart or stupid? I haven't yet had the opportunity to try this in a working Samba environment. Maybe someone has technical advice or knowledge on what I'm trying to do?

Thanks,
Dominik
Gerald (Jerry) Carter
2005-Nov-28 18:35 UTC
[Samba] NT/UNIX username mapping possible directly via tdbsam?
Dominik Schuppli wrote:

| Hello everyone,
|
| I've been wondering if NT and UNIX username mapping can
| be done directly via the SAM database instead of
| the 'username map = <filename>' option in smb.conf.
|
| The problem with 'username map' files is that the
| mappings seem to work only in one direction, namely
| from NT towards UNIX usernames. However, I'd like
| to achieve a true, bi-directional one-to-one
| mapping, e.g. between UNIX username 'root' and NT
| username 'Administrator'.

What would you expect by "going in the reverse direction"? Can you give me an example?

| The command 'pdbedit -Lv <username>' shows separate fields
| for both UNIX and NT usernames. (I'm using the tdbsam
| backend, btw.) Will Samba operate correctly if those
| entries contain different usernames?

I think the nt user name is essentially unused.

| I've enhanced 'pdbedit' on my system so that it
| allows manipulation of the 'NT username' field. Is this smart
| or stupid? I haven't yet had the opportunity to try
| this in a working Samba environment. Maybe someone
| has technical advice or knowledge on what I'm trying to do?

cheers, jerry
Dominik Schuppli
2005-Nov-29 12:08 UTC
[Samba] NT/UNIX username mapping possible directly via tdbsam?
"Gerald (Jerry) Carter" <jerry@samba.org> said:

> | The problem with 'username map' files is that the
> | mappings seem to work only in one direction, namely
> | from NT towards UNIX usernames. However, I'd like
> | to achieve a true, bi-directional one-to-one
> | mapping, e.g. between UNIX username 'root' and NT
> | username 'Administrator'.
>
> What would you expect by "going in the reverse direction"?
> Can you give me an example?

Certainly. Assume again that I want to map UNIX username 'root' to Windows username 'Administrator' (and vice versa). Let's say I have a file on a UNIX machine owned by 'root'. When I then look at this file's security properties on a Windows machine (via Samba share) I will see an entry for 'DOMAIN\root'. I would prefer to see 'DOMAIN\Administrator'.

The reason for this is that I am migrating an NT4 domain to Samba. Some users have quite long NT usernames, and I want to keep the corresponding UNIX account names short (max. 8 characters). However, it would be nice if this username change would be completely transparent (i.e. not noticeable on Windows domain member clients).

Understand that getting this to work is not essential, however it would make the server migration even more perfect and potentially avoid confusion with some users.

> | The command 'pdbedit -Lv <username>' shows separate fields
> | for both UNIX and NT usernames.
>
> I think the nt user name is essentially unused.

Ah. That'd explain why 'pdbedit' doesn't have an option to manipulate this entry. :-)

-- Dominik
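A simplified model of how a 'username map' file is applied, added here as an illustration; it is not code from Samba or from any poster in this thread. The map contents are constructed, case-insensitive matching is an assumption of the model, and '@group' entries are not handled. It shows that the file is only read in the client-to-UNIX direction and that a many-to-one line has no unique inverse.

```python
import shlex

# Constructed sample in the smb.conf(5) 'username map' format:
#   unix_name = client_name [client_name ...]
SAMPLE_MAP = '''
# long NT4 account names -> short UNIX accounts (constructed sample)
!root = Administrator admin
!jdoe = "Johnathan Doe-Smith"
guest = *
'''

def parse_username_map(text):
    """Return [(unix_name, [client_names], stop_on_match), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        stop = line.startswith("!")          # '!' ends processing after a match
        unix, sep, clients = line.lstrip("!").partition("=")
        if not sep:
            continue                         # no '=' sign: not a mapping line
        names = shlex.split(clients)         # keeps "quoted names" together
        rules.append((unix.strip(), names, stop))
    return rules

def map_client_to_unix(rules, client_name):
    """Forward direction, the only one the map file describes."""
    current = client_name
    for unix, names, stop in rules:
        # Assumption of this model: names compare case-insensitively.
        if "*" in names or current.lower() in (n.lower() for n in names):
            current = unix
            if stop:
                break                        # without '!', later lines still apply
    return current

def unix_to_client_candidates(rules, unix_name):
    """Reverse lookup is not defined by the file; list every explicit candidate."""
    return [n for unix, names, _ in rules
            if unix == unix_name for n in names if n != "*"]
```

Two candidates come back for 'root', so the file alone cannot say which client-side name should be displayed for a file owned by that account.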