[Samba] [EXTERNAL] Re: Unable to authenticate to share using UPN
rpenny at samba.org
Tue Jun 27 18:16:52 UTC 2023
On 27/06/2023 18:49, Mike Robbert wrote:
> I am not trying to authenticate using the uid field. I would like it if
> we could, but I realize that is not possible. I believe that Samba is
> authenticating against the samaccountname field, but I believe that the
> protocol allows for authentication against the UPN field. The problem,
> as far as I can interpret from the logs, is that something in the Samba
> or Winbind code is mangling the username that is sent from the client
> such that the full UPN never gets tried against the DC.
> I don’t need chown to work with the UPN. We will be switching our idmap
> backend to use SSSD (idmap_sss provided by SSSD) and SSSD is mapping
> usernames to the uid field in AD with the ldap_user_name option in
> sssd.conf. I don’t know how they handle the fact that uid can have
> multiple values, but we are ensuring that all user objects only have a
> single uid value in our domain, so it seems to work fine for us.
I cannot stop you using sssd and I will not try, but I can point out,
from my testing, Samba will only use a UPN that matches the
samaccountname at kerberos.realm.tld format.
Whether this correct or not, I do not know, but it appears to be the way
that Samba works.
I should also point out that using sssd with Samba is unsupported by
> Am I missing some configuration option that will pass a full UPN from
> the client, through Samba/Winbind on to the AD DC without pulling off
> the UPN suffix? If this doesn’t currently exist what would it take to
> get it added to the code?
I know of no such option and if you want such an option, then I think
you or someone else would have to write the code and get it through the
More information about the samba