[Samba] [samba] strange: 20 characters max in samAccountName

Rowland Penny rowlandpenny241155 at gmail.com
Wed Jul 1 16:56:12 UTC 2015

On 01/07/15 17:44, mathias dufresne wrote:
> Thank you both for the clarifications :)
> My users have no "@" in their names (samAccountName nor userPrincipalName
> nor anything), except in the mail attribute.

What have you got in userPrincipalName ?

> From https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx,
> which I read before my initial post, I understand AD can have this limitation
> of 20 chars if and only if you decide to support (so) old clients (which we
> should stop thinking about).

No, you cannot have more than 20 characters, it is set like this to 
support old clients, you do not get a choice.

> In the first table the limit of 20 chars is there.
> In the other tables this limit seems to me to be pushed up to 256 characters
> (range-upper line).

range-upper != size

> Now I can read this table in the wrong way (that won't be the first time
> :), but I thought this limit was removed with AD without the option to
> support old clients...

No, it wasn't.


> 2015-07-01 17:30 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>> Hello Mathias,
>> as Rowland already said, it's an AD limitation.
>> On 01.07.2015 at 16:44, mathias dufresne wrote:
>>> I can log in using administrator account or any other having a short
>>> (enough) samAccountName.
>>> I tried to add @ad.domain.tld to samAccountName during log in process
>>> without any success.
>> Even if the @ character is allowed, your sAMAccountName attributes
>> shouldn't contain it! You will run into problems some day with it. It's
>> the same with spaces, umlauts, etc.
>> If you see someone login with user@samdom.example.com, then this usually
>> isn't the sAMAccountName attribute. It's the value from the
>> userPrincipalName attribute.
>> http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-76-18/3568.HSG_2D00_8_2D00_13_2D00_13_2D00_01.png
>> If the account doesn't have a userPrincipalName attribute set, then you
>> can only use the value from sAMAccountName for login.
>> Regards,
>> Marc
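
An audit of the points made in this thread, as an added example that is not part of the original messages: it flags sAMAccountName values over the 20-character limit or containing @, whitespace or non-ASCII characters, and accounts with no userPrincipalName. The LDIF-style sample records, the function names and the finding strings are constructed for illustration; LDIF line folding is not handled.

```python
import base64
import re

MAX_SAM_LEN = 20  # limit stated in the thread for sAMAccountName

# Constructed sample, LDIF-style, reduced to the two attributes of interest.
# "attr:: value" marks a base64-encoded value (used for non-ASCII text).
SAMPLE_LDIF = """\
sAMAccountName: jdoe
userPrincipalName: jdoe@samdom.example.com

sAMAccountName: firstname.lastname.contractor
userPrincipalName: firstname.lastname.contractor@samdom.example.com

sAMAccountName: svc backup@ad

sAMAccountName:: bcO8bGxlcg==
userPrincipalName: mueller@samdom.example.com
"""

def parse_ldif(text):
    """Return one dict per blank-line-separated record (keys lower-cased)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if sep:
                rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records

def audit(rec):
    """Findings for one record: the problems the thread warns about."""
    sam = rec.get("samaccountname", "")
    checks = [
        (len(sam) > MAX_SAM_LEN, "longer than 20 characters"),
        ("@" in sam, "contains @"),
        (re.search(r"\s", sam) is not None, "contains whitespace"),
        (not sam.isascii(), "contains non-ASCII characters"),
        ("userprincipalname" not in rec, "no userPrincipalName set"),
    ]
    return [msg for hit, msg in checks if hit]

if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        print(repr(rec["samaccountname"]), audit(rec) or "ok")
```

An account reported with "no userPrincipalName set" can only log in with its sAMAccountName value, as described in the quoted reply.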
