Does Samba support UPN authentication using NTLM?

Isaac Boukris iboukris at
Wed Oct 5 19:48:17 UTC 2016

Hi Uri,

On Thu, Sep 1, 2016 at 9:20 AM, Uri Simchoni <uri at> wrote:
> Just my 2c...
> With Kerberos authentication, UPNs are handled as "enterprise names"
> (RFC 6806), so you just ask for a TGT of b at domain, marking b at domain as
> an enterprise principal name and asking the DC to cannonicalize it. In
> the PAC of the reply you can see that it's domain\a.

Thanks for the information about enterprise names in Kerberos.
Note however, that this lead me to section " Client Principal
Lookup" in MS-KILE document.
In short, it looks like AD would try several combinations in order to
find a match.

More information about the samba-technical mailing list