Angelica Delgado
2013-Oct-20 16:50 UTC
[Samba] Does Samba 4 support UPN for AD authentication
We want to know if Samba 4 supports UPN for AD authentication. Thanks. Angelica
Andrew Bartlett
2013-Oct-21 19:21 UTC
[Samba] Does Samba 4 support UPN for AD authentication
On Sun, 2013-10-20 at 11:50 -0500, Angelica Delgado wrote:
> We want to know if Samba 4 supports UPN for AD authentication.

Yes, we do (at least in theory). If you have issues, please let us know and help us write up some tests for our selftest system.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
> Yes, we do (at least in theory). If you have issues, please let us know
> and help us write up some tests for our selftest system.
> Andrew Bartlett

Hi Andrew,

One difference I have noticed is in the returned Principal Type. While Samba is able to authenticate with eUPN using the NT-Enterprise principal name type, the returned principal type is NT-Principal. Later, when we try to use this TGT, Samba refuses, saying "Client not found".

Eg: Consider a user like:

    samAccountName: john
    userPrincipalName: johnny5@mail.com

This works:

    kinit -E johnny5@mail.com

But the returned TGT contains NT-Principal: johnny5. Obviously, when we later try to use this ticket it is unable to find a user called "johnny5". I think the canonicalization of the principal name has a problem in Samba 4.

The same operation, when tried against an AD, returns a TGT containing NT-Enterprise: johnny5\@mail.com, so this TGT is reusable later.

The net effect is that I was unable to do a Windows logon with johnny5@mail.com against Samba but was able to do it against AD. Kerberos is very complicated. Let me know if I am making any wrong assumptions. Thanks!
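The post above hinges on the Kerberos PrincipalName name-type: an enterprise principal (NT-ENTERPRISE, value 10 in RFC 4120) carries the whole UPN "johnny5@mail.com" as a single name-string component, while a plain NT-PRINCIPAL (value 1) "johnny5" is just a short name that a service then has to look up as an account. The following is an added illustration, not code from the thread or from Samba: it hand-rolls a minimal DER encoder/decoder for the PrincipalName structure (short-form lengths only) and resolves the decoded client name against a constructed one-entry directory built from the poster's example user (samAccountName "john", userPrincipalName "johnny5@mail.com"). The directory, the account fields and the `resolve_client` lookup are assumptions made for the example; they model the behaviour the poster describes, in which a ticket naming NT-PRINCIPAL "johnny5" matches no account while NT-ENTERPRISE "johnny5@mail.com" does.

```python
# Added example (not from the Samba thread): RFC 4120 PrincipalName DER codec
# plus a constructed account lookup that reproduces the "Client not found"
# outcome described above. Short-form DER lengths (< 128 bytes) only.

NT_PRINCIPAL = 1    # RFC 4120 section 6.2: "Just the name of the principal"
NT_ENTERPRISE = 10  # RFC 4120 section 6.2: enterprise name (UPN-style, single component)


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with a short-form length (body < 128 bytes)."""
    assert len(body) < 128, "short-form DER lengths only in this example"
    return bytes([tag, len(body)]) + body


def encode_principal_name(name_type: int, components: list[str]) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                   name-string [1] SEQUENCE OF KerberosString }"""
    assert 0 <= name_type < 128, "example supports single-byte name-types"
    nt = _der(0xA0, _der(0x02, bytes([name_type])))            # [0] EXPLICIT INTEGER
    strings = b"".join(_der(0x1B, c.encode("ascii")) for c in components)  # GeneralString
    ns = _der(0xA1, _der(0x30, strings))                        # [1] EXPLICIT SEQUENCE OF
    return _der(0x30, nt + ns)


def _parse_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the short-form TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "short-form DER lengths only in this example"
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_principal_name(der: bytes):
    """Inverse of encode_principal_name: returns (name_type, [components])."""
    tag, body, _ = _parse_tlv(der, 0)
    assert tag == 0x30, "PrincipalName must be a SEQUENCE"
    tag0, b0, pos = _parse_tlv(body, 0)
    assert tag0 == 0xA0, "expected [0] name-type"
    itag, ival, _ = _parse_tlv(b0, 0)
    assert itag == 0x02, "name-type must be an INTEGER"
    name_type = int.from_bytes(ival, "big", signed=True)
    tag1, b1, _ = _parse_tlv(body, pos)
    assert tag1 == 0xA1, "expected [1] name-string"
    stag, sbody, _ = _parse_tlv(b1, 0)
    assert stag == 0x30, "name-string must be a SEQUENCE OF"
    components, p = [], 0
    while p < len(sbody):
        t, v, p = _parse_tlv(sbody, p)
        assert t == 0x1B, "name-string entries must be GeneralString"
        components.append(v.decode("ascii"))
    return name_type, components


# Constructed directory modelled on the poster's example user (assumption).
DIRECTORY = [
    {"samAccountName": "john", "userPrincipalName": "johnny5@mail.com"},
]


def resolve_client(name_type: int, components: list[str]):
    """Map a ticket's client name to an account, or None if no account matches.

    An NT-ENTERPRISE name is matched against userPrincipalName as a whole;
    an NT-PRINCIPAL name is matched against samAccountName. This is the
    lookup a service has to perform and is where a TGT that says
    NT-PRINCIPAL "johnny5" (no such samAccountName) fails."""
    if name_type == NT_ENTERPRISE and len(components) == 1:
        for entry in DIRECTORY:
            if entry["userPrincipalName"].lower() == components[0].lower():
                return entry["samAccountName"]
        return None
    if name_type == NT_PRINCIPAL and len(components) == 1:
        for entry in DIRECTORY:
            if entry["samAccountName"].lower() == components[0].lower():
                return entry["samAccountName"]
        return None
    return None


def check_ticket_cname(name_type: int, components: list[str]) -> str:
    """Round-trip the client name through DER and report the lookup result."""
    account = resolve_client(*decode_principal_name(encode_principal_name(name_type, components)))
    return account if account is not None else "Client not found"


if __name__ == "__main__":
    # What the poster saw from Samba: name-type collapsed to NT-PRINCIPAL "johnny5".
    print("Samba-style cname:", check_ticket_cname(NT_PRINCIPAL, ["johnny5"]))
    # What the poster saw from AD: the enterprise name kept intact.
    print("AD-style cname:   ", check_ticket_cname(NT_ENTERPRISE, ["johnny5@mail.com"]))
    # A properly canonicalized short name would also resolve.
    print("Canonical cname:  ", check_ticket_cname(NT_PRINCIPAL, ["john"]))
```

Running the block prints "Client not found" for the NT-PRINCIPAL "johnny5" case and "john" for the other two, which is the asymmetry the post describes: canonicalization has to either keep the enterprise name-type or rewrite the name to the account's real samAccountName, and doing neither yields a TGT no service can map to an account.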