[Samba] UPN as username instead of SAMAccountname

James Dingwall james-samba at dingwall.me.uk
Wed Feb 22 14:48:08 UTC 2023


> Date: Wed, 22 Feb 2023 10:38:27 +0100 (CET)
> From: Leon Benthaus <leon.benthaus at mailbox.org>
> To: samba at lists.samba.org
> Subject: Re: [Samba] UPN as username instead of SAMAccountname
> 
> Thank you Rowland. At least I have a definite answer now. :)
> 
> I will see if my colleagues are fine with this.
> 
> Best, Leon
> 
> > Rowland Penny via samba <samba at lists.samba.org> hat am 22.02.2023 10:27 CET geschrieben:
> > 
> >  
> > On 22/02/2023 08:45, Leon Benthaus via samba wrote:
> > > Dear all,
> > >   
> > > since I didn't get an answer I would carefully ask again. Maybe this is just a quick yes or no question:
> > >   
> > > Is there any known way to get winbind to accept UPNs as username instead of the samaccountname? All the threads I found online regarding this are really old.
> > >   
> > > Best,
> > > Leon
> > 
> > 
> > NO
> > 
> > Well, you wanted a quick answer ;-)
> > 
> > Long answer: Whilst you can change the UPN to anything that looks like 
> > an email (so you could use it as an email address), you cannot use it to 
> > log in.
> > 
> > Rowland

I have this working on an Ubuntu system by adding krb5 to the pam auth stack:

auth    [success=4 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=3 default=ignore]      pam_unix.so nullok try_first_pass
auth    [success=2 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so

With this all these variations work:

ssh user@host
ssh user@ad.realm@host
ssh DOMAIN\\user@host

nsswitch.conf:

passwd: files ldap winbind systemd
group: files ldap winbind systemd

ldap is provided by nslcd configured against AD.  `getent passwd` does return
two entries per account so a bit of care with nscd is needed if that is active.

$ getent passwd | grep user
user:*:1000:1000:My Name:/home/user:/bin/bash
DOMAIN\user:*:1000:1000:My Name:/home/user:/bin/bash

James
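The stack above relies on `[success=N default=ignore]` jump counts being exactly right: each backend that succeeds must hop over every remaining module including the final `pam_deny.so`, and the no-success path must still land on it. The following Python script is an added example (not part of this thread or of the Samba/PAM projects) that parses an `auth` stack in that syntax and simulates the Linux-PAM control semantics (`ignore`, `ok`, `done`, `bad`, `die`, numeric jumps, and the `required`/`requisite`/`sufficient`/`optional` keywords) so you can check the outcome when each backend succeeds alone and when none does, and flag jumps that overshoot the end of the stack. The embedded stack is the one posted above; the miscounted variants exercised in the usage call are constructed.

```python
"""Simulate a PAM 'auth' stack that uses [success=N default=ignore] jumps.

Added example, not code from the mailing-list post. It models only the
control-flow semantics of Linux-PAM's action keywords; it does not load or
call any real PAM module.
"""
import re

# Constructed sample: the auth stack from the message above, embedded so
# that this script runs offline.
PAM_AUTH_STACK = """\
auth    [success=4 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=3 default=ignore]      pam_unix.so nullok try_first_pass
auth    [success=2 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
"""

# The classic keyword controls expressed as the equivalent bracket actions.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_stack(text, facility="auth"):
    """Return a list of (module, actions) tuples for one PAM facility."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(1) != facility:
            continue
        control, module = m.group(2), m.group(3)
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORD_CONTROLS[control]
        entries.append((module, actions))
    return entries


def run_stack(entries, succeeding):
    """Walk the stack assuming modules in `succeeding` return PAM_SUCCESS and
    every other module fails. Returns 'allow', 'deny' or 'undecided'."""
    status = None          # None until some module contributes a result
    i = 0
    while i < len(entries):
        module, actions = entries[i]
        key = "success" if module in succeeding else "default"
        action = actions.get(key, actions.get("default", "ignore"))
        i += 1
        if action.isdigit():            # N: counts as ok, then skip N modules
            status = status or "ok"
            i += int(action)
        elif action == "ok":            # success unless an earlier module failed
            status = status or "ok"
        elif action == "done":          # ok, and stop walking the stack
            status = status or "ok"
            break
        elif action == "bad":           # failure, keep walking
            status = "fail"
        elif action == "die":           # failure, stop immediately
            status = "fail"
            break
        # "ignore" contributes nothing to the stack result
    return {"ok": "allow", "fail": "deny"}.get(status, "undecided")


def stack_problems(entries):
    """Static checks: jumps that overshoot the stack, and a no-success path
    that does not end in an explicit deny."""
    problems = []
    for idx, (module, actions) in enumerate(entries):
        for key, action in actions.items():
            if action.isdigit() and idx + 1 + int(action) > len(entries):
                problems.append(f"{module}: {key}={action} jumps past the end")
    if run_stack(entries, set()) != "deny":
        problems.append("no module succeeding does not end in an explicit deny")
    return problems


def analyze(entries):
    """Outcome when exactly one backend succeeds, plus when none does."""
    results = {m: run_stack(entries, {m}) for m, _ in entries if m != "pam_deny.so"}
    results["none"] = run_stack(entries, set())
    return results


if __name__ == "__main__":
    stack = parse_stack(PAM_AUTH_STACK)
    print("posted stack:", analyze(stack), stack_problems(stack))
    # Constructed miscount: krb5 jumps one short and lands on pam_deny.
    short = parse_stack(PAM_AUTH_STACK.replace("success=4", "success=3"))
    print("krb5 success=3:", run_stack(short, {"pam_krb5.so"}))
```

Running it on the posted stack reports `allow` for each of the four backends succeeding alone and `deny` when none does, with no problems. The constructed `success=3` typo shows the failure mode to expect from a miscount in this layout: a valid Kerberos login is refused because control falls onto `pam_deny.so`, i.e. the stack fails closed rather than open. Edits that add or remove a line between the jump modules and the fallback need the counts re-checked the same way.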
