winbindd UPN problem
fules at balabit.hu
Tue Jan 27 12:59:01 GMT 2009
We are developing a server-like application that uses NTLM(v2) authentication in
a domain environment via libwbclient/winbindd. Using regular SAM ('DOMAIN\user')
credentials everyhing works fine, however when the user supplies UPN-style
('user at DOMAIN') ones, the authentication fails with NT_STATUS_NO_SUCH_USER.
Checking the fields of the NTLM Authenticate, the client sends an empty string
for DomainName and the 'user at DOMAIN' string for UserName, and (checking the
process with a known-password account) checking the NtChallengeResponse field
using the hand-calculated NT hash, it is valid also.
However, if we pass the abovementioned values to 'wbcAuthenticateUserEx()',
Checking the log of the winbindd, it seems that it sends a 'netr_SamInfo2'
structure to the DC (ms terminology: NETLOGON_VALIDATION_SAM_INFO2), which
indeed contains only a SAM-style username field, while the UPN name should be
encapsulated into a 'netr_SamInfo6' structure (ms terminology:
NETLOGON_VALIDATION_SAM_INFO4, MS-NRPN 126.96.36.199.13.), so that's a good reason for
the NT_STATUS_NO_SUCH_USER error.
(There's a minor issue in librpc/gen_ndr/netlogon.h that
'netr_SamInfo6::principle' is mistyped, most probably it should be named
My problem is that I don't know how I could make winbindd send such a
'netr_SamInfo6' instead of a 'netr_SamInfo2', since the only references I found
for this type is in ndr_netlogon.c, and those are only the parse/gen primitives.
It seems that nobody is using netr_SamInfo6 at this moment, so that's where I'm
kind of stuck now.
Since I'm a bit out of ideas, I would welcome any suggestions or hints on this
Thanks in advance,
More information about the samba-technical