Experience with migration from samba3 to samba4 and ovirt tests

Alejandro aescanero at gmail.com
Tue Nov 13 14:59:58 MST 2012


From http://theessentialexchange.com/blogs/michael/archive/2007/11/13/the-user-principle-name-and-you.aspx:

"The user principal name is not a required attribute (that is, Active
Directory does not require it to be set). The new user wizard in ADU&C
makes you set it - but you can go in and delete it from the Account
Properties page later, and when you are creating users programmatically
(such as via scripting), it doesn't need to be specified at all."

It is clear: AD doesn't need userPrincipalName; it is ADU&C that creates
this attribute.

Is it possible to add an option to the migration from samba3 and to user
creation (both with samba-tool) to add this attribute?


2012/11/13 Alejandro <aescanero at gmail.com>

> OK, I will do some tests tomorrow to check whether the UPN is set when a
> user is created in AD on a Windows Server.
>
>
>
>
> 2012/11/13 Andrew Bartlett <abartlet at samba.org>
>
>> On Tue, 2012-11-13 at 22:36 +0100, Alejandro wrote:
>> >
>> >
>> >
>> > 2012/11/13 Andrew Bartlett <abartlet at samba.org>
>> >         On Tue, 2012-11-13 at 17:02 +0100, Alejandro wrote:
>> >         > I use the samba-tool domain samba3upgrade to move from samba3 ldap
>> >         > to samba4. All was OK, but when I was trying to add the domain to
>> >         > an Ovirt 3.1 Engine I found that no user has a UPN
>> >         > (UserPrincipalName) attribute.
>> >         >
>> >         > Ovirt uses the UPN in the ldap search to find the username with the
>> >         > usual format LOGIN@DOMAINFQDN, but I found myself forced to use an
>> >         > ldap tool to add the UPN attribute to the needed users.
>> >         >
>> >         > Is this a problem with the migration, or does Samba4 not create the
>> >         > UPN attribute?
>> >
>> >
>> >         I've had folks mention this before, but I'm not aware how we are any
>> >         different to a windows AD DC in this regard.  If you can show me how
>> >         we differ, we can fix this up.
>> >
>> >         Why does it have to do a search?  Against AD, if you are doing 'ldap
>> >         authentication' you can just log in with user@domain.com as the
>> >         'bind DN'.
>> >
>> >
>> >
>> >
>> > It appears that Ovirt does not only do ldap authentication; it is doing
>> > all the searches in UPN format. Example of the filter used to add Ovirt
>> > to the domain:
>> > filter=(&(sAMAccountType=805306368)(userPrincipalName=LOGIN@DOMAINFQDN))
>> >
>> >
>> >
>> > A search for any user is like:
>> >
>> > filter=(&(sAMAccountType=805306368)(|(givenname=TESTLOGIN)(sn=TESTLOGIN)(samaccountname=TESTLOGIN)(userPrincipalName=TESTLOGIN)))
>> >
>> >
>> >
>> > Ovirt needs the UPN attribute even for searches.
>> >
>> >
>> > I can't test any Windows Server for this attribute (I don't have any
>> > AD where I work).
>>
>> Trial versions of Windows server are available for download and testing
>> from Microsoft:
>>
>> https://www.microsoft.com/en-us/download/details.aspx?id=8371
>>
>> Andrew Bartlett
>>
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>>
>>
>>
>
>
> --
> Alejandro Escanero Blanco
> Open source systems consultant
> FusionDirectory developer (http://www.fusiondirectory.org)
> Blog: http://www.disasterproject.com
> Jabber: blainett at jabberes.com
>
>


-- 
Alejandro Escanero Blanco
Open source systems consultant
FusionDirectory developer (http://www.fusiondirectory.org)
Blog: http://www.disasterproject.com
Jabber: blainett at jabberes.com
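
The workaround described in this thread (adding the missing UPN with an LDAP tool), as an added example that is not part of the original message and is not Samba code: it reads an LDIF export, selects user entries that the quoted Ovirt filter could not match because they have no userPrincipalName, and emits LDIF change records setting it to LOGIN@DOMAINFQDN. The sample LDIF, the realm `example.test` and the function names are constructed for illustration.

```python
# Added example: emit LDIF "modify" records for user entries lacking a UPN.
# SAMPLE_LDIF and the realm "example.test" are constructed, not from the thread.
USER_ACCOUNT_TYPE = "805306368"  # sAMAccountType value in the quoted Ovirt filter

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
sAMAccountType: 805306368

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
sAMAccountType: 805306368
userPrincipalName: bob@example.test

dn: CN=HOST1,CN=Computers,DC=example,DC=test
sAMAccountName: HOST1$
sAMAccountType: 805306369
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64 values) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def missing_upn_modifications(ldif_text, realm):
    """Return one LDIF modify record per user entry that has no UPN."""
    records = []
    for e in parse_ldif(ldif_text):
        if e.get("samaccounttype") != [USER_ACCOUNT_TYPE] or "userprincipalname" in e:
            continue  # not a user account, or a UPN search already matches it
        upn = f"{e['samaccountname'][0]}@{realm}"
        records.append(
            f"dn: {e['dn'][0]}\nchangetype: modify\n"
            f"add: userPrincipalName\nuserPrincipalName: {upn}\n"
        )
    return records

if __name__ == "__main__":
    print("\n".join(missing_upn_modifications(SAMPLE_LDIF, "example.test")))
```

The output is standard LDIF change records, the form accepted by tools such as ldapmodify.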

