[Samba] UPN as username instead of SAMAccountname
James Dingwall
james-samba at dingwall.me.uk
Wed Feb 22 14:48:08 UTC 2023
> Date: Wed, 22 Feb 2023 10:38:27 +0100 (CET)
> From: Leon Benthaus <leon.benthaus at mailbox.org>
> To: samba at lists.samba.org
> Subject: Re: [Samba] UPN as username instead of SAMAccountname
>
> Thank you Rowland. At least I have a definite answer now. :)
>
> I will see if my colleagues are fine with this.
>
> Best, Leon
>
> > Rowland Penny via samba <samba at lists.samba.org> wrote on 22.02.2023 10:27 CET:
> >
> >
> > On 22/02/2023 08:45, Leon Benthaus via samba wrote:
> > > Dear all,
> > >
> > > since I didn't get an answer I would carefully ask again. Maybe this is just a quick yes or no question:
> > >
> > > Is there any known way to get winbind to accept UPNs as username instead of the samaccountname? All the threads I found online regarding this are really old.
> > >
> > > Best,
> > > Leon
> >
> >
> > NO
> >
> > Well, you wanted a quick answer ;-)
> >
> > Long answer: Whilst you can change the UPN to anything that looks like
> > an email (so you could use it as an email address), you cannot use it to
> > log in.
> >
> > Rowland

I have this working on an Ubuntu system by adding krb5 to the pam auth stack:

auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_unix.so nullok try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so

With this all these variations work:

ssh user@host
ssh user@ad.realm@host
ssh DOMAIN\\user@host

nsswitch.conf:

passwd: files ldap winbind systemd
group: files ldap winbind systemd

ldap is provided by nslcd configured against AD. `getent passwd` does return
two entries per account so a bit of care with nscd is needed if that is active.

$ getent passwd | grep user
user:*:1000:1000:My Name:/home/user:/bin/bash
DOMAIN\user:*:1000:1000:My Name:/home/user:/bin/bash

James
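
Added example, not part of James's post: a small Python check that every success=N jump in an auth stack like the one above lands just past pam_deny.so, which is easy to get wrong when another module such as pam_krb5.so is inserted. The function names and BROKEN_STACK are constructed for illustration; POSTED_STACK is the stack from the post.

```python
import re

# Auth stack copied from the post above.
POSTED_STACK = """\
auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=3 default=ignore] pam_unix.so nullok try_first_pass
auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
"""
# Constructed mistake: pam_krb5.so inserted on top with a jump one too short.
BROKEN_STACK = POSTED_STACK.replace("success=4", "success=3", 1)

RULE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(text):
    """Return [(module, success_jump_or_None)] for auth rules; comments are not modules."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            jump = re.search(r"\bsuccess=(\d+)", m.group(1))
            rules.append((m.group(2), int(jump.group(1)) if jump else None))
    return rules

def check_jumps(text):
    """Return (module, jump, lands_on, expected_jump) for every success=N that
    does not land on the rule immediately after pam_deny.so."""
    rules = auth_modules(text)
    names = [name for name, _ in rules]
    if "pam_deny.so" not in names:
        raise ValueError("stack has no pam_deny.so fallback")
    after_deny = names.index("pam_deny.so") + 1
    problems = []
    for i, (name, jump) in enumerate(rules):
        if jump is None:
            continue
        target = i + jump + 1  # success=N skips the next N modules
        if target != after_deny:
            lands_on = names[target] if target < len(names) else "past end of stack"
            problems.append((name, jump, lands_on, after_deny - i - 1))
    return problems

if __name__ == "__main__":
    for label, stack in (("posted", POSTED_STACK), ("broken", BROKEN_STACK)):
        print(label, check_jumps(stack) or "all jumps clear pam_deny.so")
```

In the constructed broken stack a successful pam_krb5.so login lands on pam_deny.so and is refused; a jump that is too long instead runs past the rule that should follow pam_deny.so.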