[Samba] ntlm_auth, universal principal name, multi-domain active directory - can samba authenticate?

Adam samba at tarac.net
Fri Oct 9 08:16:57 MDT 2009

I posted a similar message on the freeradius list a few months ago and it
was suggested I come here.  Now that this effort is once again underway I am
looking for some assistance.
We are trying to replace our existing AAA solution with FreeRadius.  The
user base is contained in an Active Directory single forest, multi-domain.
The only feature of samba that we need to leverage is the ntlm_auth.
All users log in via their UPN (user@company.net) regardless of which child
domain they are in.
Can samba (specifically ntlm_auth) be configured to authenticate users
against an AD Forest (multi-domain) using universal principal name (UPN) and
if so...how?
Everything "appears" configured correctly.  In fact authentication using the
"exec ntlm_auth" configuration works if the username and domain are
specified for each of the child domains.  Once we tried to use the UPN
(without domain name) it does not.  
Currently the samba server is a member of one of the child domains.  The
REALM in smb.conf is set to this child domain (DEPT1.COMPANY.NET).
Going back to the command line for ntlm_auth tests resulted in the
Using a user account found in the DEPT1.COMPANY.NET child domain:
  ntlm_auth --username=user1                  WORKS
  ntlm_auth --username=user1 --domain=DEPT1   WORKS
  ntlm_auth --username=user1@company.net      DOES NOT WORK
Using a user account found in the DEPT2.COMPANY.NET child domain:
  ntlm_auth --username=user2                  DOES NOT WORK
  ntlm_auth --username=user2 --domain=DEPT2   WORKS
  ntlm_auth --username=user2@company.net      DOES NOT WORK
The error received is:
  NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
Hopefully this is enough information, if not please let me know.