[Samba] Joining a DC, was (no subject)

Billy Bob billysbobs at yahoo.com
Sun Mar 3 13:14:35 UTC 2019


> > > > The 'Nooooo, don't do that' is:
> > > > Don't change the UPN
> > > 
> > > Why not? It's a recommended best practice to choose a subdomain of
> > > your primary domain (e.g. "ad.example.com"), and then add alternate
> > > UPN suffix which allows user logons to match their email addresses.
> > > 
> > > In fact, this page on the Samba Wiki recommends just that:
> > > https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#My_User_Logins_Does_Not_Match_My_Email
> > 
> > It won't for long ;-)
> > The UPN is single valued, you can only have one.
> > It is the logon name for the user and is composed of the user's account
> > name, the '@' sign and a dns domain name. This dns domain must be a
> > domain in the current domain forest, which means (on a Samba DC, at
> > least) the same thing.
> > If you need an email attribute that doesn't match the UPN, use one of the
> > email attributes that AD provides.

> Are you sure about making this change to the documentation? The attribute being added is the not single-valued UPN-Suffixes (uPNSuffixes) rather than the single-valued User-Principal-Name (userPrincipalName), despite this thread repeatedly saying "change" the UPN.

... actually, am okay with change to documentation, but not with characterization of what OP is doing.
In the blog post he was only setting a upnSuffix, and not trying to change the UPN, and people screamed "Don't change the UPN," seemingly confusing the issue.
Isn't he right to ask, "why not?"
Are people trying to say that the upnSuffix attribute doesn't work in SAMBA like Microsoft says it should in a Windows AD DC?
The suffix should allow a logon of "user at domain.com" even if the AD domain is "abc.domain.com" and the UPN is therefore "user at abc.domain.com"
   

