[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName

Angelos Oikonomopoulos angelos.oikonomopoulos at fp-commerce.de
Thu Feb 3 02:39:21 MST 2011

Hello all,

I've been trying to use a Samba3 fileserver with security = ADS in a 
domain where the DC is Samba4. It all seems to work, except for users 
with long names.

What happens is that users can log in to the domain with their 
userPrincipalName as well as the sAMAccountName. Unfortunately, if the 
username is longer than 20 characters (which, because of our username = 
first_name.last_name policy, is the case for a few users), then the 
userPrincipalName and the sAMAccountName differ. So when users that have 
logged in using their userPrincipalName try to access a share on the 
Samba3 server, they try to authenticate using the userPrincipalName, 
which winbind doesn't know about, and fail.

This looks to be a problem that a lot of people should have run into 
over the past few years, but I haven't been able to find any clues by 
searching the mailing list archives.

Is there a workaround I could use? At the moment my options seem to be:

1) Ask users with long names to only log in using the sAMAccountName. 
This is very suboptimal of course.
2) Change these users' userPrincipalName to be the same as the 
sAMAccountName so that they will /have/ to use the sAMAccountName to log 
in. Doable but ugly and it will complicate our email setup too.
3) Find a magic GPO configuration option that will force windows clients 
to always use the sAMAccountName to authenticate when accessing a 
network share. After a few hours searching on the web and manually going 
through each option in the GPO editor, there doesn't appear to be such a 
4) Hack winbindd to do an ldap search to convert the userPrincipalName 
to the sAMAccountName when it is obvious we're dealing with the former 
(i.e. when it's larger than 20 characters).
5) Hack winbindd to trim the username so that the userPrincipalName will 
be converted to the sAMAccountName. I can't even imagine the ways this 
could break and it would be a huge burden to maintain such hacks in the 
long term.

Any insight on this? I'm sure there's a better option!
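An added example (not from the post, and not Samba or winbindd code) of the name-mapping logic behind options 4 and 5 above, in Python. It resolves a login name to a sAMAccountName by exact userPrincipalName match against a constructed in-memory directory standing in for the LDAP search against the DC, shows the escaped LDAP filter such a search would send, and contrasts this with the naive trim of option 5, which maps two users sharing a 20-character prefix to the same account. The realm `example.test`, the sample accounts and the helper names are all assumptions.

```python
from typing import Optional

# Pre-Windows 2000 logon name (sAMAccountName) length limit, as in the post.
SAM_ACCOUNT_NAME_MAX = 20

# Constructed sample entries standing in for LDAP search results (not real accounts).
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "alice.smith",
     "userPrincipalName": "alice.smith@example.test"},
    # 22-character name: the sAMAccountName was truncated to 20 characters.
    {"sAMAccountName": "christopher.montgome",
     "userPrincipalName": "christopher.montgomery@example.test"},
    # Different person whose first 20 characters collide with the entry above;
    # the admin chose a distinct sAMAccountName by hand (constructed value).
    {"sAMAccountName": "christopher.montgom2",
     "userPrincipalName": "christopher.montgomerie@example.test"},
]


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    A client-supplied login name goes straight into the filter, so '*', '(',
    ')', '\\' and NUL must be encoded or the filter's meaning can be altered.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_upn_filter(name: str, realm: str) -> str:
    """The filter a UPN-to-sAMAccountName lookup would send to the DC (assumed shape)."""
    upn = name if "@" in name else f"{name}@{realm}"
    return f"(&(objectClass=user)(userPrincipalName={escape_ldap_filter_value(upn)}))"


def resolve_sam_account_name(name: str, realm: str,
                             directory=SAMPLE_DIRECTORY) -> Optional[str]:
    """Option 4 from the post: map a login name to its sAMAccountName.

    A bare name within the length limit is passed through untouched. Anything
    longer, or carrying a realm suffix, is treated as a userPrincipalName and
    looked up by exact match; no match means authentication should fail rather
    than fall back to a guessed name.
    """
    if "@" not in name and len(name) <= SAM_ACCOUNT_NAME_MAX:
        return name
    upn = name if "@" in name else f"{name}@{realm}"
    if not upn.lower().endswith("@" + realm.lower()):
        return None  # foreign realm: not resolvable against this DC
    for entry in directory:
        if entry["userPrincipalName"].lower() == upn.lower():
            return entry["sAMAccountName"]
    return None


def naive_trim(name: str) -> str:
    """Option 5 from the post: cut the name to 20 characters and hope it matches.

    Two distinct users with a common 20-character prefix collapse onto one
    sAMAccountName, so the second user is mapped onto the first's account.
    """
    return name.split("@", 1)[0][:SAM_ACCOUNT_NAME_MAX]


if __name__ == "__main__":
    for login in ["alice.smith", "christopher.montgomery",
                  "christopher.montgomerie@example.test"]:
        print(f"{login:40} lookup -> {resolve_sam_account_name(login, 'example.test')}"
              f"   trim -> {naive_trim(login)}")
    print(build_upn_filter("bob*", "example.test"))
```

Running the block shows the lookup returning the distinct accounts for the two Montgomerys while the trim returns `christopher.montgome` for both, which is why option 5 is unsafe beyond being hard to maintain.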

