[Samba] Can I authenticate with windows UPN names using winbind? If so how?

Linda W samba at tlinx.org
Wed May 21 17:57:21 MDT 2014


john wrote:
> Hi all,
>
> I am trying to set up a linux server that allows users to log in via their
> windows UPN names rather than their SamIDs.
>
>
> I've bound both linux boxen to our Active Directory Server running 2008R2
> and can return domain usernames with the tools wbinfo and getent.
>
> Wbinfo -n shows me the user's sid is mapped the same whether I use the
> samID or UPN.
I think it would be easier to use the 'Domain\User' format. Would it work
to use the 'domain\user' format?  You are more likely to get that to
work than using '@', as '@' has special meanings to many utils...
I.e. since user@hostname with many utils = "using user 'user', do
something on hostname". I.e. the '@' can't be part of a username as it
implies the "object" host that the command acts upon.

How would "email" know joe@tomcat.com isn't meant to be addressed to "joe"
@ tomcat.com?
---
Local examples (not the best examples, because when I log into the
'server', it's the PDC, so it treats my domain account as a local account).

lw.Bliss> uname -a
CYGWIN_NT-6.1 Athenae 1.7.29(0.272/5/3) 2014-04-07 13:46 x86_64 Cygwin
lw.Bliss> id
uid=5013(Bliss\lw) gid=201(lwgroup)
groups=201(lwgroup),544(Administrators),545(Users),512(Bliss\Domain Admins),513(Bliss\Domain Users) [...]
lw.Bliss> ssh 'Bliss\lw@ishtar'
Ishtar:lw> id
uid=5013(lw) gid=201(lwgroup)
groups=201(lwgroup),10(wheel),18(SYSTEM),42(trusted),512(Domain Admins),513(Domain Users),544(Administrators) [...]
--------
In log:
May 21 16:36:52 Ishtar sshd[13042]: pam_winbind(sshd:account): user 'Bliss\lw' granted access
May 21 16:36:52 Ishtar sshd[13042]: Accepted publickey for Bliss\\lw from 192.168.4.12 port 59451 ssh2
----

I have both 'lw' & Bliss\lw in /etc/passwd.  I also have a full upcase
version in /etc/passwd since samba doesn't respect case in 3.6.x (it did
ignore case in 3.4 (preserving it)), but Samba broke windows compat by no
longer respecting (but ignoring) case.

My /etc/pw+grp files are "coordinated" so as to reserve unique ID's 
between them.

I also use backend=nss and do not have separate ranges for the local PDC
accounts and Domain accounts.

You might want to make sure that your /etc/login.defs file (linux)
allows spaces and backslash in the "CHARACTER CLASS", like:
CHARACTER_CLASS        <readability break>
[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_] <readability break>
[-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 
<readability break>
_.\\/\ 
]*[-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$]\?


Please forgive me if this is really not what you
want, and you really want the '@' separator.

Cheers!
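As an added example (not code from the post or from Samba), here is a short Python script that checks login names of the forms discussed above against the CHARACTER_CLASS quoted from /etc/login.defs (transcribed into Python regex syntax, which is an assumption about the BRE's meaning), and joins the pam_winbind and sshd lines of one login so the singly and doubly escaped 'Bliss\lw' are recognised as the same account; the sample log lines are constructed from the two shown in the post.

```python
import re

# CHARACTER_CLASS as quoted in the post (a BRE in /etc/login.defs), transcribed
# into Python re syntax: leading letter or '_', then any run of letters, digits,
# '-', ' ', '_', '.', '\' and '/', then one optional trailing char that may also
# be '$'. fullmatch() makes the whole name satisfy it.
CHARACTER_CLASS = re.compile(r"[A-Za-z_][-A-Za-z0-9 _.\\/]*[-A-Za-z0-9_.$]?")

def allowed_by_character_class(name):
    """True if login.defs (as configured in the post) would accept this name."""
    return CHARACTER_CLASS.fullmatch(name) is not None

def split_login_name(name):
    """Return (domain, user) for a DOMAIN-backslash-user name (also the doubled
    backslash sshd logs) or a UPN user@realm; bare names get domain None."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
        return domain, user.lstrip("\\")
    if "@" in name:
        user, _, realm = name.rpartition("@")
        return realm, user
    return None, name

# Constructed sample modelled on the two sshd/pam_winbind lines in the post:
# pam_winbind prints the backslash once, the sshd 'Accepted' line escapes it.
SAMPLE_LOG = (
    "May 21 16:36:52 Ishtar sshd[13042]: pam_winbind(sshd:account): "
    "user 'Bliss\\lw' granted access\n"
    "May 21 16:36:52 Ishtar sshd[13042]: Accepted publickey for Bliss\\\\lw "
    "from 192.168.4.12 port 59451 ssh2\n"
)
PAM_LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_winbind\(sshd:account\): "
                      r"user '(?P<name>[^']+)' granted access")
SSHD_LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for "
                       r"(?P<name>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

def winbind_logins(log_text):
    """Join each pam_winbind 'granted access' entry with the sshd 'Accepted'
    entry of the same PID; one record per login, account canonicalised so the
    two spellings of the backslash compare equal."""
    pam, ssh = {}, {}
    for line in log_text.splitlines():
        if m := PAM_LINE.search(line):
            pam[m["pid"]] = m["name"]
        elif m := SSHD_LINE.search(line):
            ssh[m["pid"]] = m.groupdict()
    logins = []
    for pid, name in pam.items():
        if pid in ssh:
            dom, user = split_login_name(name)
            logins.append({"pid": pid, "domain": dom, "user": user,
                           "method": ssh[pid]["method"], "ip": ssh[pid]["ip"],
                           "consistent": split_login_name(ssh[pid]["name"]) == (dom, user),
                           "login_defs_ok": allowed_by_character_class(name)})
    return logins
```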
