Does Samba support UPN authentication using NTLM?

Isaac Boukris iboukris at
Wed Aug 31 21:33:49 UTC 2016


On Wed, Aug 31, 2016 at 2:34 AM, Hemanth Thummala
<hemanth.thummala at> wrote:
> Hi,
> We are using samba 4.3.11 stack as a member server. We could see that authentication for UPN(user at domain) formats failing with STATUS NO SUCH USER. Looking at the code, we are not actually converting the UPN to DOMAIN\USER format before contacting the DC. Whereas UPN access works fine with Kerberos auth.
> What I understood is that NTLM doesn’t support UPN format. We might want to convert the user format(to DOMAIN\user) before checking with DC which we are not doing currently. I would like to know if there is any plan to support this in future.

I think on ms architecture upn and samaccountname have different
namespace, meaning there is no conversation but if there in an @ sign
the user is looked up by upn.
There seem to be no problem with having one user with {samaccountname:
domain\a, upn: b at domain} and yet another user {samaccountname:
domain\b, upn: a at domain}.

# ldapsearch -h ms -Y GSSAPI -b "dc=frenche,dc=cp" cn=a
userprincipalname samaccountname
sAMAccountName: a
userPrincipalName: b at frenche.cp

# ldapsearch -h ms -Y GSSAPI -b "dc=frenche,dc=cp" cn=b
userprincipalname samaccountname
sAMAccountName: b
userPrincipalName: a at frenche.cp

# curl -u "FRENCHE\a:pass" --ntlm http://ms/id.aspx

# curl -u "a at frenche.cp:pass" --ntlm http://ms/id.aspx


More information about the samba-technical mailing list