[Samba] Joining a DC, was (no subject)

Rowland Penny rpenny at samba.org
Sun Mar 3 09:39:20 UTC 2019

On Sat, 2 Mar 2019 17:06:05 -0500
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> Thanks for the input, Rowland! Replies inline:
> On Fri, Mar 1, 2019 at 8:57 AM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> [snip]
> > The 'Nooooo, don't do that is:
> > Don't change the UPN
> Why not? It's a recommended best practice to choose a subdomain of
> your primary domain (e.g. "ad.example.com"), and then add alternate
> UPN suffix which allows user logons to match their email addresses.
> In fact, this page on the Samba Wiki recommends just that:
> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#My_User_Logins_Does_Not_Match_My_Email

It wont for long ;-)
The UPN is single valued, you can only have one.
It is the logon name for the user and is composed of the users account
name, the '@' sign and a dns domain name. This dns domain must be a
domain in the current domain forest, which means (on a Samba DC, at
least) the same thing.
If you need an email attribute that doesn't match the UPN, use on of the
email attributes that AD provides.

> > Oh and just in passing, you probably do not have a forwarder set in
> > smb.conf
> This was somehat intentional. My machines are given a different DNS
> server via DHCP (both on pfSense). I've delegated the AD zone to the
> Samba DC. So, the AD DNS server should only receive requests for
> which he is authoritative. Is this a valid assumption?

I would have done it the other way around, your clients ask the DC's
for everything and if it is outside the AD domain, they ask your


More information about the samba mailing list