Does Samba support UPN authentication using NTLM?

Jeremy Allison jra at samba.org
Wed Aug 31 02:36:16 UTC 2016


On Wed, Aug 31, 2016 at 12:35:10AM +0000, Hemanth Thummala wrote:
> Hi Jeremy,
> 
> Thanks for the quick response. Here I have attached the winbindd.log and client.log. User name is “user9”.

Not sure if this has what I need. It may be that
smbclient does the conversion from user@domain to
user\DOMAIN before going onto the wire.

Can you also send the debug level 10 from the
smbclient -d10 command?

> On 8/30/16, 5:18 PM, "Jeremy Allison" <jra at samba.org> wrote:
> 
> >On Tue, Aug 30, 2016 at 11:34:51PM +0000, Hemanth Thummala wrote:
> >> Hi,
> >> 
> >> We are using the Samba 4.3.11 stack as a member server. We could see that authentication for UPN (user@domain) formats is failing with STATUS NO SUCH USER. Looking at the code, we are not actually converting the UPN to DOMAIN\USER format before contacting the DC. Whereas UPN access works fine with Kerberos auth.
> >> 
> >> What I understood is that NTLM doesn’t support UPN format. We might want to convert the user format (to DOMAIN\user) before checking with the DC, which we are not doing currently. I would like to know if there is any plan to support this in future.
> >> 
> >> On the other hand, I could see that smbclient works with UPN format. Looks like we are converting the name format here to DOMAIN\user. I couldn’t trace out the place where we do this conversion. If we could do the conversion here, can't we use the same thing in winbindd as well?
> >
> >Can you post the debug level 10 log from the smbclient working
> >with UPN and converting to DOMAIN\user. We should be able to
> >spot the point at which the conversion takes place from the
> >logs produced (and then we can look into doing the same
> >elsewhere).





