Using upn for winbind login
Gerald (Jerry) Carter
jerry at samba.org
Mon Jan 26 14:44:14 GMT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Diego,
> Hello all.
>
> I know I'm bringing up an old topic, but I couldn't find any solution.
>
> Here at unibo we have quite a complex AD struct, but I'm interested only in two domains: PERSONALE.DIR.UNIBO.IT and STUDENTI.DIR.UNIBO.IT .
>
> I'd need to authenticate some users (placed in an appropriate AD group), from both domains, on a machine joined to PERSONALE, using their upn as login name. The bit that's not working is the "using upn as login name": I can correctly login by personale+diego.zuccato (personale+ is optional, since it's the default domain) but fail when I try to login with my upn.
> Seems winbind parameter krb5_auth have no effect (IIUC upn login is handled by Kerberor5).
> The really strange thing is that, in auth.log, I have two lines like:
> ... pam_winbind(login:auth): user 'diego.zuccato at unibo.it' Ok
>
> "wbinfo -n diego.zuccato at unibo.it" returns my SID. And it works for users in the other domain, too.
> I'm sure I'm missing something, but can't spot WHAT :-(
>
> Could someone please point me in the right direction?
>
The UPN login will only work with a native mode AD domain. Assuming
you have verified this. The following is a simple test for the UPN/SID
translation:
$ wbinfo -n user at realm
cheers, jerry
- --
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJfcw+IR7qMdg1EfYRArDsAJ4q2q8bV2DZP2l/52ANTPvY9HdjbQCfYXez
6dhHORopY7FExogRu5nfUZw=
=ox5N
-----END PGP SIGNATURE-----
More information about the samba-technical
mailing list