Does Samba support UPN authentication using NTLM?

Uri Simchoni uri at samba.org
Thu Sep 1 06:20:07 UTC 2016


On 09/01/2016 06:42 AM, Hemanth Thummala wrote:
> 
> On 8/31/16, 2:33 PM, "Isaac Boukris" <iboukris at gmail.com> wrote:
>>
>> I think on ms architecture upn and samaccountname have different
>> namespaces, meaning there is no conversion, but if there is an @ sign
>> the user is looked up by upn.
>> There seems to be no problem with having one user with {samaccountname:
>> domain\a, upn: b at domain} and yet another user {samaccountname:
>> domain\b, upn: a at domain}.
> 
> True. In those cases, it will be impossible to construct the SamAccount name format unless we query the user attributes using LDAP. This (where the SamAccount name is different from the UPN) works fine against Windows. But I couldn't check the account name format used in the NetrSamLogon request as it was encrypted. It will be interesting to know how Windows deals with this conversion.
> 
> Thanks,
> Hemanth.  
> 
Just my 2c...

With Kerberos authentication, UPNs are handled as "enterprise names"
(RFC 6806), so you just ask for a TGT of b at domain, marking b at domain as
an enterprise principal name and asking the DC to canonicalize it. In
the PAC of the reply you can see that it's domain\a.

I'm not sure this (by-the-book Kerberos UPN auth) is supported by Samba.

So I also wonder how Windows does it using NTLM, given that the Kerberos
solution is Kerberos-specific. [MS-NLMP] doesn't seem to address it.

Uri.
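Added illustration, not part of the thread above: the two wire-level pieces of the Kerberos approach Uri describes are the PrincipalName with name-type NT-ENTERPRISE (10), whose single component is the whole UPN, and the canonicalize bit (15) in KDCOptions. The hand-rolled DER below encodes and decodes both so the difference from an ordinary NT-PRINCIPAL name (where "a" and the realm are separate) is visible in bytes; "a", "b@domain" and the field names are constructed samples, and the realm and the rest of the AS-REQ are omitted.

```python
# Added example (not from the thread): minimal DER for a Kerberos PrincipalName
# (RFC 4120 section 5.2.2) and KDCOptions, showing how an enterprise name
# (RFC 6806) differs from a traditional principal. Sample names are constructed.

NT_PRINCIPAL = 1       # "a": name is looked up as an account name, realm carried separately
NT_ENTERPRISE = 10     # "b@domain": the whole UPN is ONE component; '@' is not a realm separator
CANONICALIZE_BIT = 15  # KDCOptions bit asking the KDC to return the canonical client name


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload


def _der_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (name types are small positives)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_principal_name(name_type: int, components: list) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    if name_type == NT_ENTERPRISE and len(components) != 1:
        raise ValueError("an enterprise name is a single component holding the full UPN")
    strings = b"".join(_tlv(0x1B, c.encode("ascii")) for c in components)  # GeneralString
    return _tlv(0x30, _tlv(0xA0, _der_int(name_type)) + _tlv(0xA1, _tlv(0x30, strings)))


def encode_kdc_options(*bits: int) -> bytes:
    """KDCOptions ::= KerberosFlags: BIT STRING of at least 32 bits, bit 0 = MSB of first octet."""
    flags = bytearray(4)
    for bit in bits:
        flags[bit // 8] |= 0x80 >> (bit % 8)
    return _tlv(0x03, b"\x00" + bytes(flags))  # leading 0x00 = no unused trailing bits


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_principal_name(der: bytes) -> dict:
    """Parse a PrincipalName and report which directory attribute resolves it."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrincipalName must be a SEQUENCE")
    tag0, nt_body, pos = _read_tlv(body, 0)
    tag1, ns_body, _ = _read_tlv(body, pos)
    if (tag0, tag1) != (0xA0, 0xA1):
        raise ValueError("unexpected context tags in PrincipalName")
    _, nt_int, _ = _read_tlv(nt_body, 0)
    name_type = int.from_bytes(nt_int, "big", signed=True)
    _, seq, _ = _read_tlv(ns_body, 0)
    comps, pos = [], 0
    while pos < len(seq):
        _, s, pos = _read_tlv(seq, pos)
        comps.append(s.decode("ascii"))
    return {
        "name_type": name_type,
        "components": comps,
        # Enterprise names resolve via the UPN attribute; others via the account name.
        "lookup_by": "userPrincipalName" if name_type == NT_ENTERPRISE else "sAMAccountName",
    }


if __name__ == "__main__":
    upn_name = encode_principal_name(NT_ENTERPRISE, ["b@domain"])
    print("NT-ENTERPRISE:", upn_name.hex(), decode_principal_name(upn_name))
    print("NT-PRINCIPAL: ", encode_principal_name(NT_PRINCIPAL, ["a"]).hex())
    print("KDCOptions(canonicalize):", encode_kdc_options(CANONICALIZE_BIT).hex())
```

The decoder shows why the crossover case in the quoted mail (sAMAccountName domain\a with UPN b at domain, and vice versa) is unambiguous in Kerberos: the name type, not the presence of an @ sign, selects the lookup key, and the canonical domain\a comes back from the KDC rather than being derived by the client.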
