[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN

[Rowland Penny]

On 27/06/2023 18:49, Mike Robbert wrote:
> I am not trying to authenticate using the uid field. I would like it if 
> we could, but I realize that is not possible. I believe that Samba is 
> authenticating against the samaccountname field, but I believe that the 
> protocol allows for authentication against the UPN field. The problem, 
> as far as I can interpret from the logs, is that something in the Samba 
> or Winbind code is mangling the username that is sent from the client 
> such that the full UPN never gets tried against the DC.
> 
> I don’t need chown to work with the UPN. We will be switching our idmap 
> backend to use SSSD (idmap_sss provided by SSSD) and SSSD is mapping 
> usernames to the uid field in AD with the ldap_user_name option in 
> sssd.conf. I don’t know how they handle the fact that uid can have 
> multiple values, but we are ensuring that all user objects only have a 
> single uid value in our domain, so it seems to work fine for us.

I cannot stop you using sssd and I will not try, but I can point out, 
from my testing, Samba will only use a UPN that matches the 
samaccountname at kerberos.realm.tld format.
Whether this correct or not, I do not know, but it appears to be the way 
that Samba works.
I should also point out that using sssd with Samba is unsupported by 
red-hat.

> 
> Am I missing some configuration option that will pass a full UPN from 
> the client, through Samba/Winbind on to the AD DC without pulling off 
> the UPN suffix? If this doesn’t currently exist what would it take to 
> get it added to the code?

I know of no such option and if you want such an option, then I think
you or someone else would have to write the code and get it through the 
acceptance process.

Rowland