[Samba] UPN as username instead of SAMAccountname

Rowland Penny rpenny at samba.org
Wed Feb 22 15:22:17 UTC 2023



On 22/02/2023 14:48, James Dingwall via samba wrote:
>> Date: Wed, 22 Feb 2023 10:38:27 +0100 (CET)
>> From: Leon Benthaus <leon.benthaus at mailbox.org>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] UPN as username instead of SAMAccountname
>>
>> Thank you Rowland. At least I have a definite answer now. :)
>>
>> I will see if my colleagues are fine with this.
>>
>> Best, Leon
>>
>>> Rowland Penny via samba <samba at lists.samba.org> hat am 22.02.2023 10:27 CET geschrieben:
>>>
>>>   
>>> On 22/02/2023 08:45, Leon Benthaus via samba wrote:
>>>> Dear all,
>>>>    
>>>> since I didn't get an answer I would carefully ask again. Maybe this is just a quick yes or no question:
>>>>    
>>>> Is there any known way to get winbind to accept UPNs as username instead of the samaccountname? All the threads I found online regarding this are really old.
>>>>    
>>>> Best,
>>>> Leon
>>>
>>>
>>> NO
>>>
>>> Well, you wanted a quick answer ;-)
>>>
>>> Long answer: Whilst you can change the UPN to anything that looks like
>>> an email (so you could use it as an email address), you cannot use it to
>>> log in.
>>>
>>> Rowland
> 
> I have this working on an Ubuntu system by adding krb5 to the pam auth stack:
> 
> auth    [success=4 default=ignore]      pam_krb5.so minimum_uid=1000
> auth    [success=3 default=ignore]      pam_unix.so nullok try_first_pass
> auth    [success=2 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
> # here's the fallback if no module succeeds
> auth    requisite                       pam_deny.so
> 
> With this all these variations work:
> 
> ssh user at host
> ssh user at ad.realm@host
> ssh DOMAIN\\user at host

That works for me; what doesn't appear to work (not for me) is if 
the AD domain is samdom.example.com and you change a user's UPN to 
'user at example.com'.
For example, if you have a user called 'test' with the UPN of 
test at samdom.example.com and you change it to test at example.com, you 
cannot 'ssh' to another computer with 'ssh test at example.com@devstation', 
but it still works with 'ssh test at samdom.example.com@devstation'.

> 
> nsswitch.conf:
> 
> passwd: files ldap winbind systemd
> group: files ldap winbind systemd
> 
> ldap is provided by nslcd configured against AD.  `getent passwd` does return
> two entries per account so a bit of care with nscd is needed if that is active.

That is easy to fix, remove either 'ldap' or 'winbind', you really 
shouldn't be using both.

> 
> $ getent passwd | grep user
> user:*:1000:1000:My Name:/home/user:/bin/bash
> DOMAIN\user:*:1000:1000:My Name:/home/user:/bin/bash

The top one is coming from nslcd and the bottom from winbind.

Rowland
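As an added example, not part of the thread or of Samba's own tooling: a small POSIX sh check for the duplicate-entry situation discussed above, where nsswitch.conf lists both 'ldap' and 'winbind' and `getent passwd` returns two names for the same UID. The sample passwd lines and nsswitch.conf content are constructed to mirror what is quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): flag accounts served by more than one
# NSS source. When nsswitch.conf lists both 'ldap' and 'winbind', nslcd and
# winbind each return their own passwd entry for the same UID, which confuses
# nscd and any tooling that assumes one name per UID.

# Constructed sample of `getent passwd` output, mirroring the two entries in the
# thread (the first from nslcd, the second from winbind).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user:*:1000:1000:My Name:/home/user:/bin/bash
DOMAIN\user:*:1000:1000:My Name:/home/user:/bin/bash
other:*:1001:1001:Other:/home/other:/bin/sh'

# Constructed sample nsswitch.conf lines, as quoted in the thread.
SAMPLE_NSSWITCH='passwd: files ldap winbind systemd
group: files ldap winbind systemd'

# Read passwd-format lines on stdin; print one line per UID that maps to more
# than one account name, as "UID name1 name2 ...".
duplicate_uids() {
    awk -F: '
        { names[$3] = names[$3] " " $1; count[$3]++ }
        END { for (u in count) if (count[u] > 1) print u names[u] }
    ' | sort -n
}

# Read nsswitch.conf on stdin; return 0 (true) if the passwd or group line
# names both 'ldap' and 'winbind' as sources, 1 otherwise.
nsswitch_overlaps() {
    awk '
        /^(passwd|group):/ {
            l = 0; w = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap") l = 1
                if ($i == "winbind") w = 1
            }
            if (l && w) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone run over the constructed samples.
if printf '%s\n' "$SAMPLE_NSSWITCH" | nsswitch_overlaps; then
    printf 'nsswitch.conf lists both ldap and winbind for passwd/group\n'
fi
printf '%s\n' "$SAMPLE_PASSWD" | duplicate_uids
```

On a real host the same two functions run as `getent passwd | duplicate_uids` and `nsswitch_overlaps < /etc/nsswitch.conf`; the duplicate listing is what to look at before deciding which of the two sources to drop.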


