Using upn for winbind login

Gerald (Jerry) Carter jerry at
Mon Jan 26 14:44:14 GMT 2009

Hash: SHA1

Hi Diego,

> Hello all.
> I know I'm bringing up an old topic, but I couldn't find any solution.
> Here at unibo we have quite a complex AD struct, but I'm interested only in two domains: PERSONALE.DIR.UNIBO.IT and STUDENTI.DIR.UNIBO.IT .
> I'd need to authenticate some users (placed in an appropriate AD group), from both domains, on a machine joined to PERSONALE, using their upn as login name. The bit that's not working is the "using upn as login name": I can correctly login by personale+diego.zuccato (personale+ is optional, since it's the default domain) but fail when I try to login with my upn.
> Seems winbind parameter krb5_auth have no effect (IIUC upn login is handled by Kerberor5).
> The really strange thing is that, in auth.log, I have two lines like:
> ... pam_winbind(login:auth): user 'diego.zuccato at' Ok
> "wbinfo -n diego.zuccato at" returns my SID. And it works for users in the other domain, too.
> I'm sure I'm missing something, but can't spot WHAT :-(
> Could someone please point me in the right direction?

The UPN login will only work with a native mode AD domain. Assuming
you have verified this.  The following is a simple test for the UPN/SID

  $ wbinfo -n user at realm

cheers, jerry
- --
Samba                                    -------
Likewise Software          ---------
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla -


More information about the samba-technical mailing list