[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN

Rowland Penny rpenny at samba.org
Sat Jun 24 09:16:42 UTC 2023



On 23/06/2023 19:08, Mike Robbert wrote:
> Sorry about that I typed and sent a full message, but it looks like the entire body got swallowed up in transit. Here is the full text again. Let's hope this one works.
> 
> I have a server running CentOS 7.9 with the system provided Samba packages (4.10.16-24.el7_9). It is joined to an Active Directory domain and acting as a member server. The active Directory domain has a user object with among others, the following attributes defined
> sAMAccountName = m12345678
> gecos = Zach Detest
> gidNumber = 12345678
> uid = zach_detest
> uidNumber = 12345678
> unixHomeDirectory = /home/m12345678
> userPrincipalName = zach_destest at domain.tld
> 
> The smb.conf on the server looks like this:
> 
> [global]
>          additional dns hostnames = dct-hanas-2.domain.tld

Unless Red Hat backported this, 'additional dns hostnames' didn't appear 
until Samba 4.11.0 at the earliest (I say that because I cannot find 
just when it was added; it isn't in 'man smb.conf' for 4.10.x, but 
it is in 'man smb.conf' for 4.11.x).

>          debug class = Yes
>          debug pid = Yes
>          debug uid = Yes
>          disable spoolss = Yes
>          kerberos method = secrets and keytab
>          load printers = No
>          local master = No
>          log file = /var/log/samba/log.%I
>          max log size = 0
>          netbios name = SERVER-DEV
>          nt pipe support = No
>          printcap name = /dev/null
>          realm = ADDOM.DOMAIN.TLD
>          security = ADS
>          server min protocol = SMB2
>          server string = Fileserver %m
>          template homedir = /home/%U@%D
>          template shell = /bin/bash
>          unix extensions = No
>          winbind offline logon = Yes
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          workgroup = ADDOM
>          fruit:nfs_aces = no
>          idmap config * : range = 1-999
>          idmap config addom : unix_primary_group = yes
>          idmap config addom : unix_nss_info = yes
>          idamp config addom : schema_mode = rfc2307
>          idmap config addom : backend = ad
>          idmap config addom : range = 1000-999999999
>          idmap config * : backend = tdb

Do you mind if I ask why you are using such strange (to me) ranges? 
They would seem to preclude having any local users and groups.

>          acl group control = Yes
>          create mask = 0664
>          directory mask = 0775
>          dos filemode = Yes
>          force create mode = 0664
>          force directory mode = 0775
>          include = /etc/samba/samba-shares.share
>          map acl inherit = Yes
>          nt acl support = No
>          printing = bsd
>          read only = No
>          vfs objects = catia fruit streams_xattr
> 
> 
> [test-open]
>          path = /tmp/test-open
> 
> Both wbinfo and getent work to resolve this users information using either samaccountname or UPN
> 

They are the attributes that work with user searches; however, 'uid' 
(being a multi-value LDAP attribute) doesn't. This isn't just a Samba or 
Unix thing; Windows works in the same way.

It looks to me (and I could be totally wrong) that sssd must have code 
that can use the 'uid' value and then set that as the owner of a file. 
If it is doing this, then how does it get around 'uid' being a 
multi-valued attribute?

It is strange you have raised this: Stefan Kania raised virtually the 
same subject about a week ago, and during this week a bug report was listed:

https://bugzilla.samba.org/show_bug.cgi?id=15399

I replied to Stefan here:

https://lists.samba.org/archive/samba/2023-June/245561.html

Rowland
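As an added illustration of the idmap range concern raised above (example code, not part of the thread or of Samba): a small Python check that pulls the `idmap config` lines out of smb.conf text, flags parameter names Samba would not recognise (testparm reports these as unknown and ignores them), and reports idmap ranges that overlap each other or an assumed local account range of 0-60000 (system accounts below 1000, human users from UID_MIN 1000 upwards).

```python
import re

# Keys documented for 'idmap config DOM : key' with the ad/tdb backends (subset).
KNOWN_IDMAP_KEYS = {"backend", "range", "schema_mode", "unix_primary_group", "unix_nss_info"}
# Assumed local account range: system accounts below 1000, users from UID_MIN 1000.
LOCAL_UID_RANGE = (0, 60000)
IDMAP_RE = re.compile(r"^(?P<param>[a-z]+ config)\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)$")

def parse_idmap(conf_text):
    """Return ({domain: {key: value}}, warnings) from smb.conf text (case-folded)."""
    entries, warnings = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = " ".join(raw.strip().lower().split())  # smb.conf ignores case/whitespace
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue  # not an idmap-style 'x config DOM : key = value' line
        if m["param"] != "idmap config":
            warnings.append(f"line {lineno}: '{m['param']}' is not a parameter; Samba ignores it")
            continue
        if m["key"] not in KNOWN_IDMAP_KEYS:
            warnings.append(f"line {lineno}: unknown idmap key '{m['key']}'")
        entries.setdefault(m["dom"], {})[m["key"]] = m["val"]
    return entries, warnings

def check_ranges(entries, local_range=LOCAL_UID_RANGE):
    """Flag idmap ranges that overlap each other or the local account range."""
    problems = [f"domain {d}: no range set" for d, c in entries.items() if "range" not in c]
    ranges = [(d, *map(int, c["range"].split("-"))) for d, c in entries.items() if "range" in c]
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges for {d1} and {d2} overlap")
        if lo1 <= local_range[1] and local_range[0] <= hi1:
            problems.append(f"domain {d1} range {lo1}-{hi1} overlaps local accounts {local_range[0]}-{local_range[1]}")
    return problems

# Constructed sample: the idmap lines from the smb.conf quoted above, as posted.
SAMPLE_CONF = """[global]
        idmap config * : range = 1-999
        idmap config addom : unix_primary_group = yes
        idmap config addom : unix_nss_info = yes
        idamp config addom : schema_mode = rfc2307
        idmap config addom : backend = ad
        idmap config addom : range = 1000-999999999
        idmap config * : backend = tdb
"""
```

Running `parse_idmap(SAMPLE_CONF)` and then `check_ranges(...)` on the result yields one warning for the unrecognised parameter name and two range problems, one per domain, each colliding with the local account range.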
