[Samba] [samba] strange: 20 characters max in samAccountName

mathias dufresne infractory at gmail.com
Thu Jul 9 13:48:28 UTC 2015


Hi all,

Back from vacation...

Some precisions:

To use login names longer than 20 chars (which do not work with
"pre-Windows 2000" clients), we have to use the "userPrincipalName" attribute,
which can contain long names but must be suffixed with "@samba.domain.tld" when
the user types his login. A GPO should exist to avoid this need of typing the
domain suffix.

"samAccountName" is a string field and can contain strings of up to 256
characters.

"samAccountName" MUST NOT contain strings longer than 20 characters (even
if technically this is possible) because this breaks the Windows client login
process (the Windows client error message is: "The data area passed to a system
call is too small").

Cheers,

mathias


2015-07-02 10:43 GMT+02:00 mathias dufresne <infractory at gmail.com>:

> Thank you again Rowland for the precision : )
>
> In userPrincipalName there is a "@". It is forged as cn@ad.domain.tld,
> and cn is forged as firstname.sn, like samAccountName, which often is
> longer than 20 chars.
>
> I'll change that...
>
> Thank you again all, have a nice day!
>
> mathias
>
> 2015-07-01 18:56 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 01/07/15 17:44, mathias dufresne wrote:
>>
>>> Thank you both for the precisions : )
>>>
>>> My users have no "@" in their names (neither samAccountName nor
>>> userPrincipalName nor anything else), except in the mail attribute.
>>>
>>
>> What have you got in userPrincipalName ?
>>
>>
>>> From
>>> https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
>>> which I read before my initial post, I understand AD can have this limitation
>>> of 20 chars if and only if you decide to support (so) old clients (that we
>>> should stop thinking about).
>>>
>>
>> No, you cannot have more than 20 characters, it is set like this to
>> support old clients, you do not get a choice.
>>
>>> In the first table the limit of 20 chars is there.
>>> In the other tables this limit seems to me pushed up to 256 characters
>>> (range-upper line).
>>>
>>
>> range-upper != size
>>
>>
>>> Now I may be reading this table the wrong way (that won't be the first time
>>> :), but I thought this limit was removed with AD when the option to
>>> support old clients is not used...
>>>
>>
>> No it wasn't
>>
>> Rowland
>>
>>
>>> 2015-07-01 17:30 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>>
>>>> Hello Mathias,
>>>>
>>>> as Rowland already said, it's an AD limitation.
>>>>
>>>>
>>>> On 01.07.2015 at 16:44, mathias dufresne wrote:
>>>>
>>>>> I can log in using administrator account or any other having a short
>>>>> (enough) samAccountName.
>>>>> I tried to add @ad.domain.tld to samAccountName during log in process
>>>>> without any success.
>>>>>
>>>> Even if the @ character is allowed, your sAMAccountName attributes
>>>> shouldn't contain it! You will run into problems some day with it. It's
>>>> the same with spaces, umlauts, etc.
>>>>
>>>> If you see someone log in with user@samdom.example.com, then this
>>>> usually isn't the sAMAccountName attribute. It's the value from the
>>>> userPrincipalName attribute.
>>>>
>>>>
>>>> http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-76-18/3568.HSG_2D00_8_2D00_13_2D00_13_2D00_01.png
>>>>
>>>> If the account doesn't have a userPrincipalName attribute set, then you
>>>> can only use the value from sAMAccountName for login.
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>>
>>
>
>
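As an added example (not code from this thread or from Samba), the check below applies the constraints Mathias and Rowland describe to the firstname.sn naming convention mentioned above: the 20-character limit that Windows logon enforces, the separate 256 rangeUpper from the schema, and the "@", whitespace and umlaut characters Marc warns against. The realm and the sample names are constructed.

```python
# Added example: validate a proposed sAMAccountName before provisioning it.
from dataclasses import dataclass, field

SAM_MAX_LEN = 20           # pre-Windows 2000 logon name limit; Windows logon breaks beyond this
SCHEMA_RANGE_UPPER = 256   # rangeUpper of sAMAccountName in the schema: NOT the usable size
# Characters the sAMAccountName documentation disallows, plus "@" and space,
# which AD accepts but the thread warns against (assumption: treat both as errors).
FORBIDDEN = set('"/\\[]:;|=,+*?<>@ ')


@dataclass
class LogonNameReport:
    sam_account_name: str
    user_principal_name: str
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_logon_name(first: str, sn: str, realm: str) -> LogonNameReport:
    """Build firstname.sn (the convention from the thread) and check it.

    realm is the UPN suffix, e.g. a constructed 'ad.domain.tld'.
    """
    sam = f"{first}.{sn}".lower()
    upn = f"{sam}@{realm}"
    report = LogonNameReport(sam, upn)

    if len(sam) > SCHEMA_RANGE_UPPER:
        report.problems.append(
            f"{len(sam)} chars exceeds schema rangeUpper {SCHEMA_RANGE_UPPER}; LDAP rejects it")
    elif len(sam) > SAM_MAX_LEN:
        # Technically storable, but Windows clients fail with
        # "The data area passed to a system call is too small".
        report.problems.append(
            f"{len(sam)} chars > {SAM_MAX_LEN}: Windows logon breaks; "
            f"users would have to log on with the UPN {upn}")

    bad = sorted(FORBIDDEN & set(sam))
    if bad:
        report.problems.append(f"forbidden characters: {bad}")
    if not sam.isascii():
        report.problems.append("non-ASCII characters (umlauts etc.) in sAMAccountName")
    return report
```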

