winbind pam login using enterprise names

Uri Simchoni uri_simchoni at
Wed Feb 23 08:31:09 MST 2011

I just tried "winbind normalize names", and it didn't work. I think it's not just a name issue.

Suppose I define a new user in "Active Directory Users and Computers". There's the "user logon name" which maps to userPrincipalName and the pre-Windows 2000 name which maps to sAMAccountName. The user logon name doesn't have to be something at - I can add another suffix to the domain, say "mysuffix" and set the logon name to "something@mysuffix".
So in order to identify the user in upn form I need to supply, at the networking level, the entire userPrincipalName. Just the part before the '@' is not unique.

I therefore tried "wbinfo -K something@mysuffix%password" and it didn't work. Then I did some studying.

If I'm not mistaken, "upn@mysuffix" is what's called an Enterprise name (an alias to the real account name) and a whole different negotiation is needed to work with it (as I indicated in my original message - using a name type of "Enterprise Name" and adding the "Canonicalize" KDC option). But then I got cold feet - hasn't this been solved already? It's been around in Windows domains since Win2k...


> Date: Wed, 23 Feb 2011 15:31:11 +0100
> From: Volker.Lendecke at SerNet.DE
> To: uri_simchoni at
> CC: samba-technical at
> Subject: Re: winbind pam login using enterprise names
> On Wed, Feb 23, 2011 at 04:13:15PM +0200, Uri Simchoni wrote:
> >
> > Hi,
> >
> > I've been trying to make my samba setup (3.2.15) support
> > PAM logins using upn format (user@suffix).
> Have you tried "winbind normalize names = yes"?
> Volker
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
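The "whole different negotiation" Uri describes, shown as an added example that is not part of this thread and not Samba or winbind code: it hand-encodes the three AS-REQ fields that differ between the two forms (KDCOptions, cname, realm) as DER so it runs offline with no KDC and no third-party library. With the plain name type the client splits "something@mysuffix" at the '@' and sends only "something" as the principal, which is exactly the non-unique part; with the enterprise name type the full userPrincipalName goes on the wire as one name-string component, together with the canonicalize option so the KDC may answer with the account's canonical cname/crealm. Name-type and flag-bit numbers are from RFC 4120 and RFC 6806; "something@mysuffix" and the realm "AD.EXAMPLE" are constructed sample values, not names from the thread.

```python
# Added example: DER encoding of the AS-REQ client fields for a plain versus an
# enterprise (UPN) principal name.  Not code from the thread or from Samba.

NT_PRINCIPAL = 1          # RFC 4120 name-type: just the name of the principal
NT_ENTERPRISE = 10        # RFC 6806 name-type: enterprise name (UPN / alias form)

# KerberosFlags bit numbers (RFC 4120 s.5.4.1, RFC 6806 s.7).  Bit 0 is the
# most significant bit of the first octet of the BIT STRING.
KDC_OPT_FORWARDABLE = 1
KDC_OPT_RENEWABLE = 8
KDC_OPT_CANONICALIZE = 15


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _ctx(n: int, body: bytes) -> bytes:
    """[n] EXPLICIT context tag, as used throughout the Kerberos ASN.1."""
    return _tlv(0xA0 | n, body)


def _int32(v: int) -> bytes:
    """DER INTEGER for a non-negative Int32."""
    assert 0 <= v < 2 ** 31
    body = v.to_bytes(4, "big").lstrip(b"\x00") or b"\x00"
    if body[0] & 0x80:            # keep the sign bit clear for positive values
        body = b"\x00" + body
    return _tlv(0x02, body)


def _kerberos_string(s: str) -> bytes:
    return _tlv(0x1B, s.encode("ascii"))   # KerberosString ::= GeneralString


def split_client_name(text: str, enterprise: bool):
    """Return (name_string_components, realm) for the client principal.

    Plain form: the client library splits at the last '@', so 'something@mysuffix'
    becomes cname 'something' in realm 'mysuffix'; only the part before '@'
    reaches the KDC as the name, and that part is not unique across UPN suffixes.
    Enterprise form: the whole string is a single component and the realm is
    left to the caller (the client's default realm); the KDC resolves the alias.
    """
    if enterprise:
        return [text], None
    name, sep, realm = text.rpartition("@")
    if not sep:
        return [text], None
    return [name], realm


def principal_name(text: str, enterprise: bool) -> bytes:
    """DER PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                       name-string [1] SEQUENCE OF KerberosString }"""
    components, _ = split_client_name(text, enterprise)
    name_type = NT_ENTERPRISE if enterprise else NT_PRINCIPAL
    name_string = _tlv(0x30, b"".join(_kerberos_string(c) for c in components))
    return _tlv(0x30, _ctx(0, _int32(name_type)) + _ctx(1, name_string))


def kdc_options(*bits: int) -> bytes:
    """DER KDCOptions (KerberosFlags: a 32-bit BIT STRING) with the given bits set."""
    octets = bytearray(4)
    for b in bits:
        octets[b // 8] |= 0x80 >> (b % 8)
    return _tlv(0x03, b"\x00" + bytes(octets))   # leading 0x00 = no unused bits


def as_req_client_fields(text: str, enterprise: bool, default_realm: str) -> dict:
    """The KDC-REQ-BODY fields that change between the plain and enterprise forms."""
    _, realm = split_client_name(text, enterprise)
    opts = [KDC_OPT_FORWARDABLE, KDC_OPT_RENEWABLE]
    if enterprise:
        # RFC 6806: canonicalize lets the KDC reply with the canonical cname/crealm
        # of the account the enterprise name is an alias for.
        opts.append(KDC_OPT_CANONICALIZE)
    return {
        "kdc-options": kdc_options(*opts),
        "cname": principal_name(text, enterprise),
        "realm": realm or default_realm,
    }


if __name__ == "__main__":
    # Constructed sample: UPN 'something@mysuffix', client default realm AD.EXAMPLE.
    for enterprise in (False, True):
        f = as_req_client_fields("something@mysuffix", enterprise, "AD.EXAMPLE")
        print("enterprise" if enterprise else "plain     ",
              "realm=%s cname=%s opts=%s" % (f["realm"], f["cname"].hex(), f["kdc-options"].hex()))
```

Running it prints the two encodings side by side: the plain request carries name-type 1 with the single component "something" and realm "mysuffix" (which is not the AD realm at all), while the enterprise request carries name-type 10 with the component "something@mysuffix", the client's own realm, and 0x01 in the second KDCOptions octet for canonicalize.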
