winbindd UPN problem

fules fules at
Tue Jan 27 12:59:01 GMT 2009

Hi All,

We are developing a server-like application that uses NTLM(v2) authentication in
a domain environment via libwbclient/winbindd. Using regular SAM ('DOMAIN\user')
credentials everyhing works fine, however when the user supplies UPN-style
('user at DOMAIN') ones, the authentication fails with NT_STATUS_NO_SUCH_USER.

Checking the fields of the NTLM Authenticate, the client sends an empty string
for DomainName and the 'user at DOMAIN' string for UserName, and (checking the
process with a known-password account) checking the NtChallengeResponse field 
using the hand-calculated NT hash, it is valid also.

However, if we pass the abovementioned values to 'wbcAuthenticateUserEx()', 

Checking the log of the winbindd, it seems that it sends a  'netr_SamInfo2' 
structure to the DC (ms terminology: NETLOGON_VALIDATION_SAM_INFO2), which 
indeed contains only a SAM-style username field, while the UPN name should be 
encapsulated into a 'netr_SamInfo6' structure (ms terminology: 
NETLOGON_VALIDATION_SAM_INFO4, MS-NRPN, so that's a good reason for 

(There's a minor issue in librpc/gen_ndr/netlogon.h that 
'netr_SamInfo6::principle' is mistyped, most probably it should be named 
'principal' instead.)

My problem is that I don't know how I could make winbindd send such a
'netr_SamInfo6' instead of a 'netr_SamInfo2', since the only references I found 
for this type is in ndr_netlogon.c, and those are only the parse/gen primitives. 
It seems that nobody is using netr_SamInfo6 at this moment, so that's where I'm 
kind of stuck now.

Since I'm a bit out of ideas, I would welcome any suggestions or hints on this 

Thanks in advance,


Simon Gabor

More information about the samba-technical mailing list