Does Samba support UPN authentication using NTLM?

Hemanth Thummala hemanth.thummala at nutanix.com
Wed Aug 31 02:38:45 UTC 2016


I have attached gdb and found exactly where smbclient is constructing the account name by excluding the realm.

(gdb) bt
#0 cli_session_setup_get_account () at ../source3/libsmb/cliconnect.c:1705
#1 0x00007ffff6b5e18d in cli_session_setup_spnego_send () at ../source3/libsmb/cliconnect.c:1764
#2 0x00007ffff6b5ef29 in cli_session_setup_send () at ../source3/libsmb/cliconnect.c:2019
#3 0x00007ffff6b5f865 in cli_session_setup () at ../source3/libsmb/cliconnect.c:2208
#4 0x00007ffff6b899f9 in do_connect () at ../source3/libsmb/clidfs.c:198
#5 0x00007ffff6b89ffb in cli_cm_connect () at ../source3/libsmb/clidfs.c:321
#6 0x00007ffff6b8a3cf in cli_cm_open () at ../source3/libsmb/clidfs.c:424
#7 0x0000555555568c12 in process () at ../source3/client/client.c:5497
#8 0x0000555555569fdf in main (argc=3, argv=0x7fffffffe5f8) at ../source3/client/client.c:5924


This is where it checks for '@' and truncates the username.

cli_session_setup_get_account()

..
    p = strchr_m(account, '@');
    if (p != NULL) {
        *p = '\0';
    }
..


Not sure if this helps in the trusted domain user authentication case, where we will need to know the DOMAIN workgroup information to construct the DOMAIN\user format.




Thanks,
Hemanth.

On 8/30/16, 7:36 PM, "Jeremy Allison" <jra at samba.org> wrote:

>On Wed, Aug 31, 2016 at 12:35:10AM +0000, Hemanth Thummala wrote:
>> Hi Jeremy,
>> 
>> Thanks for the quick response. Here I have attached the winbindd.log and client.log. User name is “user9”.
>
>Not sure if this has what I need. It may be that
>smbclient does the conversion from user@domain to
>user\DOMAIN before going onto the wire.
>
>Can you also send the debug level 10 from the
>smbclient -d10 command ?
>
>> On 8/30/16, 5:18 PM, "Jeremy Allison" <jra at samba.org> wrote:
>> 
>> >On Tue, Aug 30, 2016 at 11:34:51PM +0000, Hemanth Thummala wrote:
>> >> Hi,
>> >> 
>> >> We are using the samba 4.3.11 stack as a member server. We could see that authentication for UPN (user@domain) formats is failing with STATUS NO SUCH USER. Looking at the code, we are not actually converting the UPN to DOMAIN\USER format before contacting the DC, whereas UPN access works fine with Kerberos auth.
>> >> 
>> >> What I understood is that NTLM doesn’t support UPN format. We might want to convert the user format (to DOMAIN\user) before checking with the DC, which we are not doing currently. I would like to know if there is any plan to support this in the future.
>> >> 
>> >> On the other hand, I could see that smbclient works with UPN format. Looks like we are converting the name format here to DOMAIN\user. I couldn’t trace out the place where we do this conversion. If we could do the conversion here, can't we use the same thing in winbindd as well?
>> >
>> >Can you post the debug level 10 log from the smbclient working
>> >with UPN and converting to DOMAIN\user. We should be able to
>> >spot the point at which the conversion takes place from the
>> >logs produced (and then we can look into doing the same
>> >elsewhere).
>
>
>
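
Added example, not part of the original message and not Samba source code: the truncation shown in the quoted cli_session_setup_get_account() snippet next to a splitter that keeps the part after '@', which is what a later conversion to DOMAIN\user would need as input. The names split_name, split_account and truncate_at_realm are hypothetical, and user9@example.test is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
struct split_name {     /* hypothetical type, not a Samba structure */
    char user[64];
    char qualifier[64]; /* text before '\' or after '@'; "" if none */
    int is_upn;         /* 1 when the input was user@suffix */
};

/* Same effect as the quoted snippet: cut at '@', discard the rest.
 * (Samba uses the multibyte-aware strchr_m; plain strchr here.) */
static void truncate_at_realm(char *account)
{
    char *p = strchr(account, '@');
    if (p != NULL) *p = '\0';
}

/* Split DOMAIN\user, user@suffix or bare user, keeping the qualifier.
 * Returns 0 on success, -1 on an empty or oversized part. Mapping a UPN
 * suffix to a NetBIOS domain still needs a lookup, which is not done here. */
static int split_account(const char *in, struct split_name *out)
{
    const char *bs = strchr(in, '\\'), *at = strchr(in, '@');
    const char *user = in, *qual = "";
    size_t ulen = strlen(in), qlen = 0;
    memset(out, 0, sizeof(*out));
    if (bs != NULL) {            /* DOMAIN\user takes precedence */
        qual = in; qlen = (size_t)(bs - in);
        user = bs + 1; ulen = strlen(user);
    } else if (at != NULL) {     /* user@suffix */
        ulen = (size_t)(at - in);
        qual = at + 1; qlen = strlen(qual);
        out->is_upn = 1;
    }
    if (ulen == 0 || ulen >= sizeof(out->user) || qlen >= sizeof(out->qualifier))
        return -1;
    if ((bs != NULL || at != NULL) && qlen == 0)
        return -1;               /* separator present but qualifier empty */
    memcpy(out->user, user, ulen);
    memcpy(out->qualifier, qual, qlen);
    return 0;
}
int main(void)
{
    char name[] = "user9@example.test"; /* constructed sample input */
    struct split_name n;
    int rc = split_account(name, &n);
    printf("split rc=%d user=%s qualifier=%s upn=%d\n", rc, n.user, n.qualifier, n.is_upn);
    truncate_at_realm(name);
    printf("truncated: %s\n", name);
    return 0;
}
```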

