Does Samba support UPN authentication using NTLM?

Isaac Boukris iboukris at gmail.com
Wed Aug 31 21:33:49 UTC 2016


Hi,

On Wed, Aug 31, 2016 at 2:34 AM, Hemanth Thummala
<hemanth.thummala at nutanix.com> wrote:
> Hi,
>
> We are using the samba 4.3.11 stack as a member server. We could see that authentication for UPN (user at domain) formats is failing with STATUS NO SUCH USER. Looking at the code, we are not actually converting the UPN to DOMAIN\USER format before contacting the DC, whereas UPN access works fine with Kerberos auth.
>
> What I understood is that NTLM doesn’t support UPN format. We might want to convert the user format (to DOMAIN\user) before checking with the DC, which we are not doing currently. I would like to know if there is any plan to support this in future.


I think on MS architecture UPN and sAMAccountName have different
namespaces, meaning there is no conversion, but if there is an @ sign
the user is looked up by UPN.
There seems to be no problem with having one user with {samaccountname:
domain\a, upn: b at domain} and yet another user {samaccountname:
domain\b, upn: a at domain}.

Example:
# ldapsearch -h ms -Y GSSAPI -b "dc=frenche,dc=cp" cn=a
userprincipalname samaccountname
sAMAccountName: a
userPrincipalName: b at frenche.cp

# ldapsearch -h ms -Y GSSAPI -b "dc=frenche,dc=cp" cn=b
userprincipalname samaccountname
sAMAccountName: b
userPrincipalName: a at frenche.cp

# curl -u "FRENCHE\a:pass" --ntlm http://ms/id.aspx
FRENCHE\a

# curl -u "a at frenche.cp:pass" --ntlm http://ms/id.aspx
FRENCHE\b

Regards.
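The two-namespace lookup described in the reply above, plus the audit check a domain admin would want (does any account's UPN prefix equal a different account's sAMAccountName, so that "x at realm" and "DOMAIN\x" authenticate two different users?). This is an added illustration, not Samba's or Windows' code; the directory entries, the NetBIOS name FRENCHE and the function names are constructed assumptions modelled on the ldapsearch output in the reply.

```python
"""Resolve NTLM-style names against separate UPN / sAMAccountName namespaces
and audit for cross-namespace collisions. Sample data is constructed."""
from collections import namedtuple

Account = namedtuple("Account", "sam upn")

# Constructed directory mirroring the two accounts in the reply above.
DIRECTORY = [
    Account(sam="a", upn="b@frenche.cp"),
    Account(sam="b", upn="a@frenche.cp"),
    Account(sam="c", upn="c@frenche.cp"),
]
NETBIOS_DOMAIN = "FRENCHE"   # assumed NetBIOS name for the frenche.cp realm


def resolve(name, directory=DIRECTORY):
    """Return the sAMAccountName NTLM would authenticate for `name`.

    A name containing '@' is matched only against userPrincipalName;
    DOMAIN\\user or a bare user only against sAMAccountName. No
    UPN -> DOMAIN\\user conversion is attempted, as the reply describes.
    """
    if "@" in name:
        key, value = "upn", name.lower()
    else:
        domain, _, user = name.rpartition("\\")
        if domain and domain.upper() != NETBIOS_DOMAIN:
            return None          # foreign domain: not ours to resolve
        key, value = "sam", user.lower()
    for acct in directory:
        if getattr(acct, key).lower() == value:
            return acct.sam
    return None


def upn_sam_collisions(directory=DIRECTORY):
    """List (sam, other_sam) pairs where an account's UPN prefix equals a
    different account's sAMAccountName. Such pairs mean 'x@realm' and
    'DOMAIN\\x' are two users, which is easy to misread in logs and ACLs."""
    by_sam = {acct.sam.lower(): acct for acct in directory}
    hits = []
    for acct in directory:
        prefix = acct.upn.split("@", 1)[0].lower()
        other = by_sam.get(prefix)
        if other is not None and other is not acct:
            hits.append((acct.sam, other.sam))
    return sorted(hits)
```

Running `upn_sam_collisions()` on a real export of sAMAccountName/userPrincipalName pairs gives the same report for a production directory.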


