[Samba] Does Samba 4 support UPN for AD authentication

Tushar Dalvi tushar.dalvi.samba at gmail.com
Fri Oct 25 15:13:07 MDT 2013

> Yes, we do (at least in theory).  If you have issues, please let us know
> and help us write up some tests for our selftest system.

> Andrew Bartlett

Hi Andrew,

One difference I have noticed is in the returned Principal Type.
While samba is able to authenticate with eUPN using NT-Enterprise principal
name type, the returned principal type is NT-Principal.
Later when we try to use this TGT, samba refuses saying Client not found.

Eg: Consider a user like:
samAccountName: john
userPrincipalName: johnny5 at mail.com

This works:
> kinit -E johnny5 at mail.com

But the returned TGT contains
NT-Principal: johnny5
Obviously, when we later try to use this ticket it is unable to find a user
called "johnny5"

I think the canonicalization of the principal name has a problem in samba4.
The same operation when tried against an AD, returns a TGT containing:
NT-Enterprise: johnny5\@mail.com
So this TGT is reusable later.

Net effect is I was unable to do a windows logon with
johnny5 at mail.comagainst Samba but was able to do it against AD.

Kerberos is very complicated. Let me know if I am making any wrong


More information about the samba mailing list