[Samba] [Oddity] SAMAccountName and 20+ chars logins...
L.P.H. van Belle
belle at bazuin.nl
Thu Jan 10 09:34:36 UTC 2019
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Thursday 10 January 2019 9:54
> To: samba at lists.samba.org
> Subject: Re: [Samba] [Oddity] SAMAccountName and 20+ chars logins...
> Hello! L.P.H. van Belle via samba
> On that day it was said...
> > You can have 255 chars in total with these limitations:
> > Windows NT 4.0, Windows 95, Windows 98, and LAN Manager : 20 = sAMAccountName
> > Windows 2000 and up : 256 chars = sAMAccountName at alias.domain.tld ( full distinguished name )
> > The SAM-Account-Name attribute (also known as the pre-Windows 2000 user logon name) is limited to 256 characters in the Active Directory schema.
> > However, for backward compatibility the limit is 20 characters
> > So only if you have very old systems and must use lower than 21 characters or you might hit problems.
> > Newer systems can handle the 20+ chars without problem, but limited to 256.
> Clear, thanks!
> > Now on the ldapsearch, use what you want to use, just choose something that is indexed if you need the speed search.
> And SAMAccountName seems indexed, right?
Yes it is.
Look up what is indexed : ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b @INDEXLIST
Lookup BaseDN : ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b "" defaultNamingContext
Edit : ldbedit -H /var/lib/samba/private/sam.ldb -b CN=SCHEMA,CN=CONFIGURATION,DC=.....baseDN.
Lookup what you want to edit, and set : searchFlags: 1
Tip, ldbedit -e nano -H.. Gives you the nano editor.
And you need to run : samba-tool dbcheck --reindex on the server after the changes
> > But now tell us what is your goal with the ldapsearch, because you can use ldapsearch just as on a normal ldap server.
> Nono, no 'goal'. Simply I'm using in my queries 'SAMAccountName' to
> lookup users, and I was a bit puzzled by the fact that this field is
> really limited to 20 chars.
> But you tell me what I suppose: the limit does not apply
> 'technically' to AD, but still for compatibility it is better to have max 20 chars ID.
Yes, keep it below 20 to prevent problems.
> dott. Marco Gaiarin GNUPG
> Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al
> Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711
> f +39-0434-842797
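An added example, not part of the original message: a small audit that reads `ldbsearch` LDIF output and lists every sAMAccountName longer than the 20-character compatibility limit discussed in the thread. The function names `long_sam_names` and `sample_ldif` are hypothetical and the sample entries are constructed; it assumes `awk` and `base64` are available.

```shell
#!/bin/sh
# Added example. Feed it LDIF on stdin, for instance:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=*)' sAMAccountName
# Output: "<length><TAB><name>" for each name longer than the limit (default 20).
long_sam_names() {
    # LC_ALL=C: length() counts bytes, which equals characters for ASCII names.
    LC_ALL=C awk -v limit="${1:-20}" '
        # Inspect the buffered logical line and report it if it is too long.
        function emit(   val, cmd) {
            if (tolower(buf) ~ /^samaccountname::/) {
                # "attr:: value" means the value is base64-encoded.
                val = buf; sub(/^[^:]*::[ ]*/, "", val)
                # Pass only strict base64 to the shell (no command injection).
                if (val !~ "^[A-Za-z0-9+/=]+$") { buf = ""; return }
                cmd = "printf %s \"" val "\" | base64 -d"
                val = ""; cmd | getline val; close(cmd)
            } else if (tolower(buf) ~ /^samaccountname:/) {
                val = buf; sub(/^[^:]*:[ ]*/, "", val)
            } else { buf = ""; return }
            if (length(val) > limit) print length(val) "\t" val
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }  # folded LDIF continuation line
        /^#/ { next }                           # LDIF comment
             { emit(); buf = $0 }
        END  { emit() }
    '
}

# Constructed sample input: short, exactly 20, long, folded and base64 values.
sample_ldif() {
    cat <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice

dn: CN=twenty,CN=Users,DC=example,DC=com
sAMAccountName: exactly-twenty-chars

dn: CN=svc,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup-replication-01

dn: CN=folded,CN=Users,DC=example,DC=com
sAMAccountName: a-very-long-service-acc
 ount-name

EOF
    printf 'dn: CN=b64,CN=Users,DC=example,DC=com\nsAMAccountName:: %s\n' \
        "$(printf %s 'base64-encoded-login-name' | base64)"
}

sample_ldif | long_sam_names
```

Pass a different limit as the first argument, for example `long_sam_names 30`, to audit against another threshold.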