[Samba] [Oddity] SAMAccountName and 20+ chars logins...

L.P.H. van Belle belle at bazuin.nl
Thu Jan 10 09:34:36 UTC 2019


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Thursday 10 January 2019 9:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Oddity] SAMAccountName and 20+ chars logins...
> 
> Hello! L.P.H. van Belle via samba
>   On that day it was said...
> 
> > You can have 255 chars in total with these limitations:
> > Windows NT 4.0, Windows 95, Windows 98, and LAN Manager: 20 = sAMAccountName
> > Windows 2000 and up: 256 chars = sAMAccountName at alias.domain.tld (full distinguished name)
> > The SAM-Account-Name attribute (also known as the pre-Windows 2000 user logon name) is limited to 256 characters in the Active Directory schema.
> > However, for backward compatibility the limit is 20 characters.
> > So only if you have very old systems and must use lower than 21 characters or you might hit problems.
> > Newer systems can handle the 20+ chars without problem, but limited to 256.
> 
> Clear, thanks!
> 
> 
> > Now on the ldapsearch, use what you want to use, just choose something that is indexed if you need the speed search.
> 
> And SAMAccountName seems indexed, right?
Yes it is. 

Look up what is indexed : ldbsearch -H /var/lib/samba/private/sam.ldb  -s base -b @INDEXLIST 
Lookup BaseDN : ldbsearch -H /var/lib/samba/private/sam.ldb  -s base -b "" defaultNamingContext 
Edit :   ldbedit -H /var/lib/samba/private/sam.ldb  -b CN=SCHEMA,CN=CONFIGURATION,DC=.....baseDN. 

Lookup what you want to edit, and set : searchFlags: 1 
Tip, ldbedit -e nano -H..  Gives you the nano editor. 

And you need to run : samba-tool dbcheck --reindex on the server after the changes

> 
> 
> > But now tell us what is your goal with the ldapsearch, because you can use ldapsearch just as on a normal ldap server.
> 
> Nono, no 'goal'. Simply I'm using in my queries 'SAMAccountName' to
> lookup users, and I was a bit puzzled by the fact that this field is
> really limited to 20 chars.
> 
> But you say me what I suppose: the limit does not apply
> 'technically' to AD, but still for compatibility it is better to have max 20 chars ID.
Yes, keep it below 20 to prevent problems. 

> 
> -- 
> dott. Marco Gaiarin                          GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''        http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> 
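
An added example, not part of the original message or of Samba's own tooling: a Python check that reads text in the shape ldbsearch prints, reports whether sAMAccountName is listed in @INDEXLIST, and lists logins longer than the 20-character compatibility limit discussed in the thread. It assumes indexed attributes appear as @IDXATTR values in the @INDEXLIST record; the sample records, the example.test domain and the function names are constructed for illustration.

```python
import base64

LEGACY_MAX = 20  # backward-compatibility limit discussed in the thread

def parse_ldif(text):
    """Parse ldbsearch-style LDIF into a list of {attr_lowercase: [values]}."""
    lines = text.replace("\n ", "").splitlines()  # unfold continuation lines
    records, cur = [], {}
    for line in lines + [""]:           # trailing "" flushes the last record
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
        elif not line.startswith("#"):  # skip "# record 1" style comments
            name, _, value = line.partition(":")
            if value.startswith(":"):   # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(name.lower(), []).append(value.strip())
    return records

def indexed_attrs(ldif):
    """Attribute names listed as @IDXATTR in the @INDEXLIST record."""
    return {v.lower() for r in parse_ldif(ldif) for v in r.get("@idxattr", [])}

def over_legacy_limit(ldif, limit=LEGACY_MAX):
    """sAMAccountName values longer than the legacy limit, sorted."""
    names = [v for r in parse_ldif(ldif) for v in r.get("samaccountname", [])]
    return sorted(n for n in names if len(n) > limit)

# Constructed sample in the shape ldbsearch prints; not real directory data.
SAMPLE = """\
# record 1
dn: @INDEXLIST
@IDXATTR: cn
@IDXATTR: sAMAccountName

dn: CN=u1,CN=Users,DC=example,DC=test
sAMAccountName: mgaiarin

dn: CN=u2,CN=Users,DC=example,DC=test
sAMAccountName: a.very.long.account
 .name.example

dn: CN=u3,CN=Users,DC=example,DC=test
sAMAccountName:: c2VydmljZS1hY2NvdW50LWJhY2t1cC0wMQ==
"""

if __name__ == "__main__":
    print("samaccountname" in indexed_attrs(SAMPLE), over_legacy_limit(SAMPLE))
```
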



