Auth via ADS: using userPrincipalName as username

Gerald (Jerry) Carter jerry at samba.org
Mon Dec 20 21:11:06 GMT 2004



Marc Lanctot wrote:
| Gerald (Jerry) Carter wrote:
|
|>
|> Marc Lanctot wrote:
|> | Hi,
|> |
|> | When using winbind, is there a way I could use a user's
|> | UPN (userPrincipalName) as their login username instead
|> | of DOMAIN (winbind separator) sAMAccountName?
|>
|> doesn't work right now.  it's on the todo list to explore.
|> Just a lot of test cases to look at with any chances.  if you
|> have a patch, i'd be willing to spend some time with it.
|>
|> There's a bugzilla ID on this somewhere....
|
|
| Ok, I found the code .. in libads/ldap.c, in the method
| ads_pull_username. You have code there for getting the
| userPrincipalName that's #if 0'd .. and it seems like
| you're only getting the first part of the userPrincipalName.
|
| So I have 2 questions:
|
| 1. Why is the code there not in use?
| 2. Why do you only return the first part of the UPN?

The logic doesn't work if the sAMAccountName and the principal
portion of the UPN are not the same.  Windows will not return
the SID for a principal name.  Only the same account name
and the full UPN.  All of the logic in winbindd assumes the
DOMAIN\user format.  You can't just grab the principal portion
of the UPN.  (as you can see from the code).

The other issue when working on this is that
	'getent passwd sAMAccountName'

and

	'getent passwd gerald.carter@REALM'

have to return the same entry.

PS: I'm copying this back onto samba-technical in case anyone else
is interested.

cheers, jerry
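The requirement Jerry states above, that the DOMAIN\user spelling and the full UPN spelling of one account must resolve to the same entry, as an added illustration that is not Samba code: the realm, NetBIOS name, SIDs, uids and accounts are constructed, and a UPN is resolved by matching the whole userPrincipalName attribute rather than by splitting off its principal portion, which is exactly where the shortcut fails when that portion differs from sAMAccountName.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory (realm, NetBIOS name, SIDs, uids are made up here).
REALM = "EXAMPLE.COM"
NETBIOS_DOMAIN = "EXAMPLE"
WINBIND_SEPARATOR = "\\"

@dataclass(frozen=True)
class Account:
    sam_account_name: str       # sAMAccountName
    user_principal_name: str    # userPrincipalName (full user@REALM)
    sid: str
    uid: int

DIRECTORY = [
    # Principal portion of the UPN ("gerald.carter") != sAMAccountName ("jcarter").
    Account("jcarter", "gerald.carter@EXAMPLE.COM", "S-1-5-21-1-2-3-1105", 10001),
    Account("mlanctot", "mlanctot@EXAMPLE.COM", "S-1-5-21-1-2-3-1106", 10002),
]

def principal_portion(upn: str) -> str:
    """The shortcut the thread warns against: text before the '@' as a username."""
    return upn.split("@", 1)[0]

def lookup(name: str) -> Optional[Account]:
    """Resolve DOMAIN<sep>sAMAccountName or a full UPN to one Account.
    A UPN is matched whole against userPrincipalName; its principal portion
    is never treated as a sAMAccountName."""
    if WINBIND_SEPARATOR in name:
        domain, _, sam = name.partition(WINBIND_SEPARATOR)
        if domain.upper() != NETBIOS_DOMAIN:
            return None
        return next((a for a in DIRECTORY
                     if a.sam_account_name.lower() == sam.lower()), None)
    if "@" in name:
        if name.rpartition("@")[2].upper() != REALM:
            return None
        return next((a for a in DIRECTORY
                     if a.user_principal_name.lower() == name.lower()), None)
    return None

def getent_passwd(name: str) -> Optional[str]:
    """passwd-style line keyed on the canonical DOMAIN\\user name for both spellings."""
    acct = lookup(name)
    if acct is None:
        return None
    canonical = f"{NETBIOS_DOMAIN}{WINBIND_SEPARATOR}{acct.sam_account_name}"
    return f"{canonical}:*:{acct.uid}:{acct.uid}:{acct.sid}:/home/{acct.sam_account_name}:/bin/sh"
```

Looking up `EXAMPLE\gerald.carter` (the principal portion used as a sAMAccountName) returns nothing, while `EXAMPLE\jcarter` and `gerald.carter@EXAMPLE.COM` return the identical entry.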

