[Samba] Can I authenticate with windows UPN names using winbind? If so how?

Andrew Bartlett abartlet at samba.org
Thu May 22 22:53:44 MDT 2014


On Sat, 2014-05-17 at 16:03 -0700, john wrote:
> Hi all,
> 
> I am trying to set up a linux server that allows users to log in via their
> windows UPN names rather than their SamIDs.
> 
> I have set up two test boxes:
> 
> debian linux 7 running Winbind Version 3.6.6
> Ubuntu Linux 14.04 running Winbind version 4.1.6-Ubuntu.
> smb.conf is at bottom of this post.
> 
> I've bound both linux boxen to our Active Directory Server running 2008R2
> and can return domain usernames with the tools wbinfo and getent.
> 
> wbinfo -n shows me the user's sid is mapped the same whether I use the
> samID or UPN
> 
> # wbinfo -n testuser
> S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
> 
> # wbinfo -n testuser@example.org
> S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
> 
> I can log domain users onto my test linux servers using the samID. So a
> user with a domain account can log on to the
> ssh server with:
> 
> ssh testuser@xxx.xxx.xxx.xxx
> 
> but test users can't authenticate with the UPN formatted names:
> 
> ssh testuser@example.org@xxx.xxx.xxx.xxx
> nor
> testuser\@example.org@xxx.xxx.xxx.xxx
> nor
> testuser\@EXAMPLE.org@xxx.xxx.xxx.xxx
> 
> 
> Can windows UPN logins work with Linux and Winbind?
> 
> Is there a better way to do this than winbind? E.G. via OpenLDAP, or SSSD?
> I'd prefer to use winbind if possible since it currently works for us in
> other contexts.
> 
> http://wiki.samba.org/index.php/Samba doesn't mention the UPN question at
> all and looking back over postings on this list, I see plenty of questions,
> but no answer saying "yes, do it like this, and here are the steps"

It would require code changes.  I've been looking over the
authentication code paths, and even when connecting over SMB with NTLM,
I suspect a lot of this isn't working.  We split the user into
domain\user pretty early, and expect that the domain part means something.

Other parts of winbindd would also need to move away from a 'split the
username' pattern to a 'resolve the username' mode.  In theory, we
should be able to punt most of this trouble to our DC, but it would be
a development task in my view.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
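The "split the username" versus "resolve the username" distinction Andrew describes, modelled as an added example (this is not Samba or winbindd code): a naive split treats everything after the separator as a domain name, so a UPN suffix like example.org becomes a bogus domain and authentication is refused, whereas a resolve step asks the directory what the UPN maps to first. The UPN_DIRECTORY table, KNOWN_DOMAINS and the j.doe entry are constructed for the example.

```python
# Added example, not Samba code: contrast a naive "split" of the login
# name with a "resolve" step that consults the directory for UPNs.
from dataclasses import dataclass
from typing import Optional

WINBIND_SEPARATOR = "\\"  # smb.conf "winbind separator" default

# Constructed stand-in for a DC lookup: (NetBIOS domain, sAMAccountName)
# keyed by lower-cased UPN. Values are invented for this example.
UPN_DIRECTORY = {
    "testuser@example.org": ("EXAMPLE", "testuser"),
    "j.doe@corp.example": ("EXAMPLE", "jdoe"),  # UPN suffix != domain name
}
KNOWN_DOMAINS = {"EXAMPLE"}  # domains winbind would accept (constructed)


@dataclass
class Principal:
    domain: str
    user: str


def split_username(name: str, default_domain: str = "EXAMPLE") -> Principal:
    """Naive split: DOMAIN\\user or user@SUFFIX. Whatever follows the
    separator is taken to be a domain name, so 'testuser@example.org'
    yields domain EXAMPLE.ORG, which nobody trusts."""
    if WINBIND_SEPARATOR in name:
        domain, user = name.split(WINBIND_SEPARATOR, 1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = default_domain, name
    return Principal(domain.upper(), user)


def resolve_username(name: str, default_domain: str = "EXAMPLE") -> Optional[Principal]:
    """Resolve mode: treat user@suffix as a UPN and ask the directory for
    the real domain and account; only DOMAIN\\user and bare names are split."""
    if "@" in name and WINBIND_SEPARATOR not in name:
        hit = UPN_DIRECTORY.get(name.lower())
        return Principal(*hit) if hit else None
    return split_username(name, default_domain)


def can_authenticate(p: Optional[Principal]) -> bool:
    """Authentication proceeds only when the domain part is one we know."""
    return p is not None and p.domain in KNOWN_DOMAINS
```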
