[Samba] Authenticate using AD UPN name

mathias dufresne infractory at gmail.com
Wed Feb 10 14:48:41 UTC 2016


I think it is not yet possible, because Winbind (when retrieving users from
AD) is not yet meant to be configured too much; it is meant to produce
Windows-equivalent users for these users on the Linux side, using the same
information as on the Windows client side. This is because when accessing a
Samba share from a Windows client with a Samba AD account, on the file server
side the user must have the same information as in Windows (for file
ownership).

Following the same idea, Winbind is (or was) not meant to use uidNumber /
gidNumber for users on the Linux side, as this information is related to the
Linux/UNIX part of users.

In other words: in Windows the default group of a user in an AD domain is
"domain users". In gidNumber you could use anything that suits your needs.
When an AD user connected on a Windows client creates some file on the Samba
file server, the group of the newly created file should be "Domain users" and
not the content of gidNumber, which is the Linux/UNIX main group.

Anyway, I'm not a winbind specialist and I could have missed something.
Someone will correct me in that case ;)

Cheers,

mathias


2016-02-10 15:36 GMT+01:00 Björn Ramberg <bjoern.ramberg at gmail.com>:

> Hi,
>
> Thanks for answering.
>
> Yes, the Linux machines are joined to the domain through Samba and are
> using the AD accounts on their Linux clients to log on and authenticate
> through winbind.
> Using the AD account's samid to log on is just fine; the question is if it's
> possible to use the UPN instead of the samid to log in.
>
> Kind regards,
>
> Björn
>
>
> On Wed, Feb 10, 2016 at 2:33 PM mathias dufresne <infractory at gmail.com>
> wrote:
>
>> Hi,
>>
>> By "logging in/authenticating with UPN through winbind", are you speaking
>> about using the UPN on Linux or UNIX clients when these clients are
>> generating local users from AD using winbind?
>>
>> Kind regards,
>>
>> mathias
>>
>> 2016-02-09 20:20 GMT+01:00 Björn Ramberg <bjoern.ramberg at gmail.com>:
>>
>>> Hey,
>>>
>>> I am running Ubuntu Trusty 14.04.3 with samba and winbind version
>>> 4.1.6-Ubuntu. It's run in a Windows domain environment which is running an
>>> AD on 2008 R2 servers.
>>> I can log in just fine using the AD account's SAM name. However, the
>>> question is now if all machines on the domain can use the AD UPN to log in
>>> instead of the SAM name. I have looked around a bit and found a few old
>>> posts about this.
>>>
>>> This post, which is not that old to be fair:
>>> https://lists.samba.org/archive/samba/2014-May/181561.html is pointing out
>>> that very early in the authentication the domain\user is split up by
>>> winbind and the UPN wouldn't perhaps get mapped correctly. The post ends up
>>> mentioning that it would be a development task. I have been looking around
>>> in the change logs for later versions of samba, but couldn't find anything
>>> relating to UPN name.
>>>
>>> So the more general question: is there anyone who has got this working
>>> under any circumstances, logging in/authenticating with UPN through
>>> winbind? Is it possible?
>>>
>>> @Samba devs: Thanks for your tireless and awesome work with samba and
>>> winbind.
>>>
>>> Kind regards,
>>>
>>> Björn
>>>


More information about the samba mailing list