Auth via ADS: using userPrincipalName as username (ref bug #1909)

Marc Lanctot marc.lanctot at mail.mcgill.ca
Mon Dec 20 21:58:00 GMT 2004


Gerald (Jerry) Carter wrote:

> The logic doesn't work if the sAMAccountName and the principal
> portion of the UPN are not the same. Windows will not return
> the SID for a principal name.  Only the same account name
> and the full UPN.  All of the logic in winbindd assumes the
> DOMAIN\user format.  You can't just grab the principal portion
> of the UPN.  (as you can see from the code).
> 
> The other issue when working on this is that
>     'getent passwd sAMAccountName'
> 
> and
> 
>     'getent passwd gerald.carter at REALM'
> 
> have to return the same entry.
>
> PS: I'm copying this back onto samba-technical in case anyone else
> is interested.

Hmm.

Well, we can go 2 routes, and I'm offering to do either of them.

a) check the usernames to see if they passed in a UPN or a 
sAMAccountName, if a UPN do a few ADS ldap queries, and convert the 
corresponding entered UPN to its sAMAccountName. Then proceed through 
the winbind logic using the mapped username. This requires no 
significant changes to the winbind logic.

                                 - or -

b) support both the userPrincipalNames and/or the sAMAccountNames, 
possibly differentiated in the winbind logic by a parameter in smb.conf. 
This would require significant changes to the logic of winbind, but 
might be a better long-term modification.

It is not clear to me which option is better because I'm not very 
familiar with the progress/history/code of Active Directory nor 
Samba/Winbind. Obviously option (a) would be easiest for me, but will 
the sAMAccountName ever be phased out by AD? These are the types of 
things I don't know.

So, I'd like some insight from the developers before implementing any 
changes.

Marc
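The following is an added illustration of option (a) as Marc describes it, together with the constraint Jerry quotes (a sAMAccountName and the matching UPN must yield the same `getent passwd` entry). It is not Samba or winbindd code. The in-memory directory, the `EXAMPLE` / `EXAMPLE.COM` names and the `ldap_search_upn` stand-in are constructed for the example; a real implementation would issue an LDAP search against the domain with the filter `(userPrincipalName=<upn>)` and read the `sAMAccountName` attribute of the single entry returned. The mapping fails closed: a UPN from a foreign realm, an unknown UPN, or a lookup that returns more than one entry is rejected rather than guessed at.

```python
"""Added example (not Samba's own code): map a userPrincipalName to its
sAMAccountName before handing the name to DOMAIN\\user style logic, so
that 'getent passwd user' and 'getent passwd user@REALM' agree.

DIRECTORY and ldap_search_upn() are constructed stand-ins for the AD
LDAP queries the message mentions.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: one entry per AD account. The UPN prefix
# and the sAMAccountName deliberately differ, which is the case the
# thread is about.
DIRECTORY = [
    {"sAMAccountName": "gcarter", "userPrincipalName": "gerald.carter@EXAMPLE.COM",
     "uid": 10001, "home": "/home/gcarter"},
    {"sAMAccountName": "mlanctot", "userPrincipalName": "marc.lanctot@EXAMPLE.COM",
     "uid": 10002, "home": "/home/mlanctot"},
]
NETBIOS_DOMAIN = "EXAMPLE"   # constructed: short domain name for the realm below
REALM = "EXAMPLE.COM"        # constructed: the Kerberos realm / UPN suffix


@dataclass(frozen=True)
class Canonical:
    """The DOMAIN\\sAMAccountName form the rest of the logic expects."""
    domain: str
    account: str


def ldap_search_upn(upn: str) -> list:
    """Stand-in for an LDAP search with filter (userPrincipalName=upn).

    Returns every matching entry so the caller can reject ambiguity."""
    return [e for e in DIRECTORY if e["userPrincipalName"].lower() == upn.lower()]


def canonicalize(name: str) -> Optional[Canonical]:
    """Turn DOMAIN\\user, user@REALM or a bare user into Canonical.

    Returns None when the name cannot be mapped unambiguously, so the
    caller fails closed instead of guessing."""
    if "\\" in name:
        domain, account = name.split("\\", 1)
        return Canonical(domain.upper(), account.lower())
    if "@" in name:
        _, realm = name.rsplit("@", 1)
        if realm.upper() != REALM:
            return None                   # foreign realm: do not map it
        hits = ldap_search_upn(name)
        if len(hits) != 1:
            return None                   # unknown or ambiguous UPN
        return Canonical(NETBIOS_DOMAIN, hits[0]["sAMAccountName"].lower())
    return Canonical(NETBIOS_DOMAIN, name.lower())


def getent_passwd(name: str) -> Optional[str]:
    """Build a passwd(5)-style line from the canonical form.

    'gcarter' and 'gerald.carter@EXAMPLE.COM' produce the identical line."""
    canon = canonicalize(name)
    if canon is None or canon.domain != NETBIOS_DOMAIN:
        return None
    for e in DIRECTORY:
        if e["sAMAccountName"].lower() == canon.account:
            login = f"{canon.domain}\\{canon.account}"
            return f"{login}:x:{e['uid']}:{e['uid']}::{e['home']}:/bin/sh"
    return None


if __name__ == "__main__":
    for n in ("gcarter", "gerald.carter@EXAMPLE.COM", "EXAMPLE\\gcarter",
              "gerald.carter@OTHER.COM", "nobody@EXAMPLE.COM"):
        print(f"{n:30} -> {getent_passwd(n)}")
```

The point of the `len(hits) != 1` and realm checks is that the UPN is the only input the caller controls here; nothing is returned unless the directory maps it to exactly one account in the expected domain.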

