
[Samba] Authenticate using AD UPN name


Björn Ramberg

Feb 9, 2016, 2:30:05 PM
Hey,

I am running Ubuntu Trusty 14.04.3 with samba and winbind version
4.1.6-Ubuntu. It's run in a Windows domain env which is running an AD on
2008 R2 servers.
I can log in just fine using the AD account's sam name. However, the
question is now if all machines on the domain can use the AD UPN to log in
instead of the sam. I have looked around a bit and found a few old posts
about this.

This post, which is not that old to be fair:
https://lists.samba.org/archive/samba/2014-May/181561.html is pointing out
that very early in the authentication the domain\user is split up by
winbind and the UPN wouldn’t perhaps get mapped correctly. The post ends up
mentioning that it would be a development task. I have been looking around
in the change logs for later versions of samba, but couldn’t find anything
relating to UPN name.

So the more general question, is there anyone who has got this working
under any circumstances, logging in/authenticating with UPN through
winbind? Is it possible?

@Samba devs: Thanks for your tireless and awesome work with samba and
winbind.

Kind regards,

Björn

mathias dufresne

Feb 10, 2016, 8:40:04 AM
Hi,

By "logging in/authenticating with UPN through winbind" you are speaking
about using UPN on Linux or UNIX clients when these clients are generating
local users from AD using winbind?

Kindly regards,

mathias

Björn Ramberg

Feb 10, 2016, 9:40:04 AM
Hi,

Thanks for answering.

Yes, the Linux machines are joined to the domain through samba and are
using the AD accounts on their Linux clients to log on and authenticate
through winbind.
Using the AD account's samid to log on is just fine; the question is if it's
possible to use the UPN instead of the samid to log in.

Kind regards,

Björn



mathias dufresne

Feb 10, 2016, 10:00:04 AM
I think it is not yet possible because Winbind (when retrieving users from
AD) is not yet meant to be configured too much; it is meant to produce
Windows-equivalent users for these users on the Linux side, and use the
information as on the Windows client side. This is because when accessing a Samba
share from a Windows client with a Samba AD account, on the file server side
the user must have the same information as in Windows (for file ownership).

Following the same idea, Winbind is (or was) not meant to use uidNumber /
gidNumber for users on the Linux side, as this information is related to the
Linux/UNIX part of users.

In other words: in Windows the default group of a user in an AD domain is
"domain users". In gidNumber you could use anything that suits your needs.
When an AD user connected on a Windows client creates some file on a Samba file
server, the group of the newly created file should be "Domain users" and not
the content of gidNumber, which is the Linux/UNIX main group.

Anyway, I'm not a winbind specialist and I could have missed something.
Someone would correct me in that case ;)

Cheers,

mathias