[Samba] Does Samba 4 support UPN for AD authentication
Tushar Dalvi
tushar.dalvi.samba at gmail.com
Fri Oct 25 15:13:07 MDT 2013
> Yes, we do (at least in theory). If you have issues, please let us know
> and help us write up some tests for our selftest system.
> Andrew Bartlett
Hi Andrew,
One difference I have noticed is in the returned Principal Type.
While samba is able to authenticate with eUPN using NT-Enterprise principal
name type, the returned principal type is NT-Principal.
Later when we try to use this TGT, samba refuses saying Client not found.
E.g., consider a user like:
samAccountName: john
userPrincipalName: johnny5 at mail.com
This works:
> kinit -E johnny5 at mail.com
But the returned TGT contains
NT-Principal: johnny5
Obviously, when we later try to use this ticket it is unable to find a user
called "johnny5".
I think the canonicalization of the principal name has a problem in samba4.
The same operation when tried against an AD, returns a TGT containing:
NT-Enterprise: johnny5\@mail.com
So this TGT is reusable later.
Net effect is I was unable to do a windows logon with
johnny5 at mail.com against Samba but was able to do it against AD.
Kerberos is very complicated. Let me know if I am making any wrong
assumptions.
Thanks!
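As an added illustration (not code from the thread or from Samba), the check below parses the client principal record in the way an MIT credential cache (v3/v4 layout) stores it and reports whether a TGT obtained with `kinit -E` still carries the UPN as an NT-ENTERPRISE name, which is the difference described above. The two records, the realm `MAIL.COM` and the function names are constructed for the example.

```python
import struct

# Kerberos principal name types: NT-PRINCIPAL from RFC 4120 s6.2,
# NT-ENTERPRISE from RFC 6806 (enterprise/UPN-style client names).
NT_PRINCIPAL = 1
NT_ENTERPRISE = 10


def _data(b):
    """MIT ccache 'data' item: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_principal(name_type, realm, components):
    """Serialise a principal as an MIT ccache v3/v4 stores it (used to build samples)."""
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    for comp in components:
        out += _data(comp.encode())
    return out


def decode_principal(buf, offset=0):
    """Parse one ccache principal; returns (name_type, realm, components, next_offset)."""
    name_type, ncomp = struct.unpack_from(">II", buf, offset)
    offset += 8

    def take():
        nonlocal offset
        (n,) = struct.unpack_from(">I", buf, offset)
        offset += 4
        value = buf[offset:offset + n].decode()
        offset += n
        return value

    realm = take()
    comps = [take() for _ in range(ncomp)]
    return name_type, realm, comps, offset


def enterprise_name_preserved(requested_upn, principal_record):
    """True only if the client name keeps NT-ENTERPRISE type with the whole UPN as one component."""
    name_type, _realm, comps, _ = decode_principal(principal_record)
    return name_type == NT_ENTERPRISE and comps == [requested_upn]


# Constructed sample records mirroring the two outcomes described in the thread.
UPN = "johnny5@mail.com"
SAMBA_TGT_CLIENT = encode_principal(NT_PRINCIPAL, "MAIL.COM", ["johnny5"])  # canonicalised
AD_TGT_CLIENT = encode_principal(NT_ENTERPRISE, "MAIL.COM", [UPN])          # UPN kept
```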