winbind pam login using enterprise names
Uri Simchoni
uri_simchoni at hotmail.com
Wed Feb 23 08:31:09 MST 2011
I just tried "winbind normalize names", and it didn't work. I think it's not just a name issue.
Suppose I define a new user in "Active Directory Users and Computers". There's the "user logon name" which maps to userPrincipalName and the pre-Windows 2000 name which maps to sAMAccountName. The user logon name doesn't have to be something at mydomain.com - I can add another suffix to the domain, say "mysuffix" and set the logon name to "something at mysuffix".
So in order to identify the user in upn form I need to supply, at the networking level, the entire userPrincipalName. Just the part before the '@' is not unique.
I therefore tried "wbinfo -K something at mysuffix%password" and it didn't work. Then I did some studying.
If I'm not mistaken, "upn at mysuffix" is what's called an Enterprise name (an alias to the real account name) and a whole different negotiation is needed to work with it (as I indicated in my original message - using a name type of "Enterprise Name" and adding the "Canonicalize" KDC option). But then I got cold feet - hasn't this been solved already? it's been around in Windows domains since Win2k...
Thanks,
Uri.
----------------------------------------
> Date: Wed, 23 Feb 2011 15:31:11 +0100
> Date: Wed, 23 Feb 2011 15:31:11 +0100
> From: Volker.Lendecke at SerNet.DE
> To: uri_simchoni at hotmail.com
> CC: samba-technical at lists.samba.org
> Subject: Re: winbind pam login using enterprise names
>
> On Wed, Feb 23, 2011 at 04:13:15PM +0200, Uri Simchoni wrote:
> >
> > Hi,
> >
> > I've been trying to make my samba setup (3.2.15) support
> > PAM logins using upn format (user at suffix).
>
> Have you tried "winbind normalize names = yes"?
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
More information about the samba-technical
mailing list