[Samba] Can I authenticate with windows UPN names using winbind? If so how?

john lists.john at gmail.com
Sat May 17 17:03:30 MDT 2014

Hi all,

I am trying to set up a Linux server that allows users to log in via their
Windows UPN names rather than their SamIDs.

I have set up two test boxes:

debian linux 7 running Winbind Version 3.6.6
Ubuntu Linux 14.04 running Winbind version 4.1.6-Ubuntu.
smb.conf is at bottom of this post.

I've bound both linux boxen to our Active Directory Server running 2008R2
and can return domain usernames with the tools wbinfo and getent.

wbinfo -n shows me the user's SID is mapped the same whether I use the
samID or UPN:

# wbinfo -n testuser
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

# wbinfo -n testuser@example.org
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

I can log domain users onto my test Linux servers using the samID. So a
user with a domain account can log on to the ssh server with:

ssh testuser@xxx.xxx.xxx.xxx

but test users can't authenticate with the UPN formatted names:

ssh testuser@example.org@xxx.xxx.xxx.xxx
testuser\@example.org@xxx.xxx.xxx.xxx
testuser\@EXAMPLE.org@xxx.xxx.xxx.xxx

Can Windows UPN logins work with Linux and Winbind?

Is there a better way to do this than winbind? E.g. via OpenLDAP, or SSSD?
I'd prefer to use winbind if possible since it currently works for us in
other contexts.

http://wiki.samba.org/index.php/Samba doesn't mention the UPN question at
all and looking back over postings on this list, I see plenty of questions,
but no answer saying "yes, do it like this, and here are the steps".

Thanks for your help!


Here's a copy of the smb.conf file I am using:

  netbios name = LTSP
  workgroup = LTSP
  realm = EXAMPLE.ORG
  server string = %h LTSP
  security = ads
  encrypt passwords = yes

  idmap config * : backend = tdb
  idmap config * : range = 10000-200000

  winbind use default domain = Yes
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind nested groups = Yes
  #winbind separator = +
  winbind refresh tickets = yes

  template shell = /bin/bash
  template homedir = /home/%D/%U

  preferred master = no
  dns proxy = no
  wins server =
  wins proxy = no

  inherit acls = Yes
  map acl inherit = Yes
  acl group control = yes

  load printers = no
  debug level = 3
  use sendfile = no
