Auth via ADS: using userPrincipalName as username (ref bug #1909)
Marc Lanctot
marc.lanctot at mail.mcgill.ca
Mon Dec 20 21:58:00 GMT 2004
Gerald (Jerry) Carter wrote:
> The logic doesn't work if the sAMAccountName and the principal
> portion of the UPN are not the same.
> Windows will not return
> the SID for a principal name. Only the same account name
> and the full UPN. All of the logic in winbindd assumes the
> DOMAIN\user format. You can't just grab the principal portion
> of the UPN. (as you can see from the code).
>
> The other issue when working on this is that
> 'getent passwd sAMAccountName'
>
> and
>
> 'getent passwd gerald.carter at REALM'
>
> have to return the same entry.
>
> PS: I'm copying this back onto samba-technical in case anyone else
> is interested.
Hmm.
Well, we can go two routes, and I'm offering to do either of them.
a) Check the usernames to see if they passed in a UPN or a
sAMAccountName; if a UPN, do a few ADS LDAP queries and convert the
entered UPN to its corresponding sAMAccountName. Then proceed through
the winbind logic using the mapped username. This requires no
significant changes to the winbind logic.
- or -
b) Support both userPrincipalNames and/or sAMAccountNames,
possibly differentiated in the winbind logic by a parameter in smb.conf.
This would require significant changes to the logic of winbind, but
might be a better long-term modification.
It is not clear to me which option is better because I'm not very
familiar with the progress/history/code of Active Directory or
Samba/Winbind. Obviously option (a) would be easiest for me, but will
the sAMAccountName ever be phased out by AD? These are the kinds of
things I don't know.
So, I'd like some insight from the developers before implementing any
changes.
Marc
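As an added illustration of option (a) above, not code from Samba or from either poster, the following Python sketch does what that route describes: classify the incoming name as DOMAIN\user, user@realm (UPN) or bare sAMAccountName, query the directory on the full UPN or the sAMAccountName (never on the UPN's principal portion, which Windows will not resolve), and hand back the single DOMAIN\sAMAccountName form that winbind's logic expects, so that a sAMAccountName and its UPN resolve to the same entry. The directory entries, the NetBIOS name EXAMPLE and the tiny in-process search function standing in for the LDAP server are all constructed for the example. One caveat a practitioner would add to this route: the username is attacker-supplied and goes straight into an LDAP filter, so it must be escaped per RFC 4515 before the query is built, which the example does and tests.

```python
import re
from typing import List, Optional, Tuple

# Assumed for this example: the NetBIOS name winbind prefixes, and a constructed
# directory standing in for the AD domain controller (the entries are invented).
NETBIOS_DOMAIN = "EXAMPLE"
SAMPLE_DIRECTORY = [
    # The UPN prefix "gerald.carter" deliberately differs from the sAMAccountName
    # "gcarter": the case the thread says cannot be handled by chopping the realm off.
    {"sAMAccountName": "gcarter",
     "userPrincipalName": "gerald.carter@EXAMPLE.COM",
     "objectSid": "S-1-5-21-1-2-3-1105"},
    {"sAMAccountName": "mlanctot",
     "userPrincipalName": "mlanctot@EXAMPLE.COM",
     "objectSid": "S-1-5-21-1-2-3-1106"},
]


def classify(name: str) -> Tuple[str, str]:
    """Decide which form the caller used.

    Returns ("domain", user) for DOMAIN\\user in our domain, ("foreign", name)
    for another domain, ("upn", name) for user@realm, ("sam", name) otherwise.
    """
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if domain.upper() != NETBIOS_DOMAIN:
            return ("foreign", name)
        return ("domain", user)
    if "@" in name:
        return ("upn", name)
    return ("sam", name)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: a username must never be able to alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_filter(kind: str, value: str) -> str:
    """Filter for the AD search: full UPN or sAMAccountName, never the UPN prefix."""
    attr = "userPrincipalName" if kind == "upn" else "sAMAccountName"
    return "(&(objectClass=user)(%s=%s))" % (attr, ldap_escape(value))


_FILTER_RE = re.compile(r"^\(&\(objectClass=user\)\((\w+)=([^()]*)\)\)$")


def search(filter_str: str, directory: List[dict] = SAMPLE_DIRECTORY) -> List[dict]:
    """Stand-in for the LDAP server: equality and '*' substring filters on one
    attribute, compared case-insensitively as AD does."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        return []
    attr, pattern = m.group(1), m.group(2)
    # An unescaped '*' is a wildcard; escaped bytes (\2a etc.) are literal.
    pieces = [re.escape(ldap_unescape(p)) for p in pattern.split("*")]
    rx = re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)
    return [e for e in directory if attr in e and rx.match(e[attr])]


def resolve(name: str, directory: List[dict] = SAMPLE_DIRECTORY) -> Optional[str]:
    """Map any accepted form to the DOMAIN\\sAMAccountName winbind's logic expects,
    so 'gcarter', 'EXAMPLE\\gcarter' and 'gerald.carter@EXAMPLE.COM' all
    yield the same entry (the getent requirement from the quoted mail)."""
    kind, value = classify(name)
    if kind == "foreign":
        return None          # belongs to another (trusted) domain; not handled here
    hits = search(build_filter(kind, value), directory)
    if len(hits) != 1:
        return None          # no match, or an ambiguous one
    return "%s\\%s" % (NETBIOS_DOMAIN, hits[0]["sAMAccountName"])


if __name__ == "__main__":
    for n in ["gcarter", "EXAMPLE\\gcarter", "gerald.carter@EXAMPLE.COM",
              "gerald.carter", "*@EXAMPLE.COM"]:
        print("%-28s -> %s" % (n, resolve(n)))
```

Note that "gerald.carter" on its own resolves to nothing, which is the point Jerry makes about the principal portion of the UPN, and that a wildcard smuggled into the username ("*@EXAMPLE.COM") is escaped to a literal and matches nothing, whereas the same filter built without escaping would match every user in the realm.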