[Samba] Joining a DC, was (no subject)

Jonathon Reinhart jonathon.reinhart at gmail.com
Sun Mar 3 19:34:55 UTC 2019


I *think* we're all on the same page now. My suggestion was adding an
additional entry to the UPN Suffixes list, and using that suffix
(without "ad.") when creating new users.

This Microsoft doc [1] says:

> By convention, this should map to the user's email name. The point of
> the UPN is to consolidate the email and logon namespaces so that the
> user only needs to remember a single name.

If this doesn't work in Samba, that would be a major blow to my plans.

On Sun, Mar 3, 2019 at 9:11 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
[snip]
> OK, I will hold my hand up, I misread his blog :-(
> To be honest I just skimmed it and missed that he was adding a UPN
> suffix and not changing the UPN.

I'm not sure what is meant by the phrase "change the UPN". In
particular, the use of the word "the" implies that there is only a
single UPN to be changed. That doesn't make sense; the UPN is an
attribute of the User class, so every user has a UPN which could be
changed (but never should).

> I think he needs to make it a bit more obvious ;-)

I'll assume you're being sarcastic :-)  I was very careful when writing
that to always say "UPN Suffix" and never just "UPN".

> >Isn't he right to ask, "why not?"
>
> Yes.
>
> > Are people trying to say that the upnSuffix attribute doesn't work in
> > SAMBA like Microsoft says it should in a Windows AD DC?
>
> I do not know, I have never tried them, but this could be one of those
> things (from a Samba point of view) where the code doesn't exist for it
> to work on a Samba DC, they should work on Windows machines.
>
> >The suffix should allow a logon of "user at domain.com" even if the AD
> >domain is "abc.domain.com" and the UPN is therefore "user at abc.domain.com"
>
> Well yes, but possibly only on Windows machines.

I've tested this with a Windows 7 client machine, and it worked as
expected. How can we test this for non-Windows machines? Where can I
enter "user at example.com" for a domain named "ad.example.com" and confirm
that things work as expected? In other words, how would one go about
discovering a potential Samba deficiency (compared to Windows) in this
regard?

I see one reference to uPNSuffixes in source4 [2], and it appears that
the 'net' command even provides an --add-upn-suffix option [3].

[1] https://docs.microsoft.com/en-us/windows/desktop/AD/naming-properties
[2] https://gitlab.com/samba-team/samba/blob/d1c2fe8907/source4/dsdb/common/util_trusts.c#L925
[3] https://gitlab.com/samba-team/samba/blob/d1c2fe8907/python/samba/netcmd/domain.py#L3162

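Worked example, added here and not part of the thread or of Samba's own code: a small model of the distinction the discussion turns on (one forest-wide uPNSuffixes list on CN=Partitions in the Configuration NC versus a per-user userPrincipalName attribute), plus the LDIF an admin would feed to ldbmodify to register a suffix and set a user's UPN, and a simplified resolver that mimics how a DC maps a user@suffix logon back to an account. The realm ad.example.com, the users alice and bob, and the CN=Users placement are assumptions for illustration; the attribute names and the Partitions-container DN are the real AD layout.

```python
"""Model of UPN suffixes vs. per-user UPNs (example code, not Samba's).

Assumed for illustration: realm ad.example.com, users alice/bob under
CN=Users. Real AD facts used: uPNSuffixes is a multi-valued attribute of
CN=Partitions,CN=Configuration,<forest root>; userPrincipalName is a
per-user attribute of the user class.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Forest:
    """Forest-wide state relevant to UPN logons (simplified)."""
    realm: str                                       # e.g. ad.example.com
    upn_suffixes: set = field(default_factory=set)   # extra suffixes, forest-wide

    @property
    def base_dn(self) -> str:
        return ",".join(f"DC={label}" for label in self.realm.split("."))

    @property
    def partitions_dn(self) -> str:
        # One list for the whole forest, not a per-user setting.
        return f"CN=Partitions,CN=Configuration,{self.base_dn}"

    def valid_suffixes(self) -> set:
        # The domain's own DNS name never needs registering.
        return {self.realm.lower()} | {s.lower() for s in self.upn_suffixes}

    def add_upn_suffix_ldif(self, suffix: str) -> str:
        """LDIF that registers an additional UPN suffix for the forest."""
        self.upn_suffixes.add(suffix)
        return (f"dn: {self.partitions_dn}\n"
                "changetype: modify\n"
                "add: uPNSuffixes\n"
                f"uPNSuffixes: {suffix}\n")


def split_upn(logon: str):
    """Split user@suffix into (user, suffix), both lower-cased."""
    if logon.count("@") != 1:
        raise ValueError(f"not a user@suffix logon name: {logon!r}")
    user, suffix = logon.split("@")
    return user.lower(), suffix.lower()


def set_user_upn_ldif(forest: Forest, sam: str, upn: str) -> str:
    """LDIF that sets one user's userPrincipalName; refuses unregistered suffixes
    (the same check the Windows ADUC dropdown enforces by only offering known ones)."""
    _, suffix = split_upn(upn)
    if suffix not in forest.valid_suffixes():
        raise ValueError(f"{suffix!r} is neither the realm nor a registered UPN suffix")
    return (f"dn: CN={sam},CN=Users,{forest.base_dn}\n"   # assumed container
            "changetype: modify\n"
            "replace: userPrincipalName\n"
            f"userPrincipalName: {upn}\n")


def resolve_logon(forest: Forest, users: dict, logon: str) -> Optional[str]:
    """Map a user@suffix logon to a sAMAccountName, or None if no account matches.

    users: sAMAccountName -> explicit userPrincipalName (None if unset).
    Simplified model of the DC's lookup: an explicitly set userPrincipalName
    matches exactly; the implicit UPN sAMAccountName@realm always works.
    """
    user, suffix = split_upn(logon)
    for sam, upn in users.items():
        if upn and split_upn(upn) == (user, suffix):
            return sam
    if suffix == forest.realm.lower():
        for sam in users:
            if sam.lower() == user:
                return sam
    return None


if __name__ == "__main__":
    forest = Forest("ad.example.com")
    print(forest.add_upn_suffix_ldif("example.com"))
    print(set_user_upn_ldif(forest, "alice", "alice@example.com"))
    # Constructed sample directory: alice has an explicit UPN, bob does not.
    users = {"alice": "alice@example.com", "bob": None}
    for name in ("alice@example.com", "alice@ad.example.com",
                 "bob@ad.example.com", "bob@example.com"):
        print(f"{name:24} -> {resolve_logon(forest, users, name)}")
```

The resolver is deliberately the part to study: bob@example.com fails even though example.com is a registered suffix, because registering a suffix only makes it selectable; each user still needs their own userPrincipalName set. To run the real check against a Samba DC from a non-Windows client, register the suffix with samba-tool domain trust namespaces --add-upn-suffix, set the user's userPrincipalName (ldbmodify with LDIF like the above, or samba-tool user edit), and then request a ticket with the enterprise-principal form that a Windows client sends, which with MIT Kerberos is kinit -E 'alice@example.com' (a plain kinit alice@example.com would instead be parsed as realm EXAMPLE.COM and is not the same test).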