Angelos Oikonomopoulos
2011-Feb-03 09:39 UTC
[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName
Hello all,

I've been trying to use a Samba3 fileserver with security = ADS in a domain where the DC is Samba4. It all seems to work, except for users with long names.

What happens is that users can log in to the domain with their userPrincipalName as well as the sAMAccountName. Unfortunately, if the username is longer than 20 characters (which, because of our username = first_name.last_name policy, is the case for a few users), then the userPrincipalName and the sAMAccountName differ. So when users that have logged in using their userPrincipalName try to access a share on the Samba3 server, they try to authenticate using the userPrincipalName, which winbind doesn't know about, and fail.

This looks to be a problem that a lot of people should have run into over the past few years, but I haven't been able to find any clues by searching the mailing list archives. Is there a workaround I could use? At the moment my options seem to be:

1) Ask users with long names to only log in using the sAMAccountName. This is very suboptimal of course.

2) Change these users' userPrincipalName to be the same as the sAMAccountName so that they will /have/ to use the sAMAccountName to log in. Doable but ugly and it will complicate our email setup too.

3) Find a magic GPO configuration option that will force windows clients to always use the sAMAccountName to authenticate when accessing a network share. After a few hours searching on the web and manually going through each option in the GPO editor, there doesn't appear to be such a setting.

4) Hack winbindd to do an ldap search to convert the userPrincipalName to the sAMAccountName when it is obvious we're dealing with the former (i.e. when it's larger than 20 characters).

5) Hack winbindd to trim the username so that the userPrincipalName will be converted to the sAMAccountName.

I can't even imagine the ways this could break and it would be a huge burden to maintain such hacks in the long term.

Any insight on this? I'm sure there's a better option!

Thanks,
Aggelos
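An added example, not part of the original posts: a small audit script that finds the affected accounts ahead of time by reading LDIF (as ldbsearch or ldapsearch print it) and listing every entry whose userPrincipalName local part is not the same as its sAMAccountName. The LDIF sample embedded below is constructed; the attribute names are the standard AD ones.

```python
"""Flag accounts whose userPrincipalName prefix differs from sAMAccountName:
those users can log in with the UPN, but winbind only resolves the sAMAccountName."""
import base64
import sys

# Constructed sample in the LDIF form that ldbsearch/ldapsearch print.
SAMPLE_LDIF = """\
dn: CN=Short User,CN=Users,DC=example,DC=com
sAMAccountName: short.user
userPrincipalName: short.user@example.com

dn: CN=Very Long Firstname Lastname,CN=Users,DC=example,DC=com
sAMAccountName: verylongfirstname.la
userPrincipalName: verylongfirstname.lastname@example.com
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated LDIF entry."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                            # blank line ends an entry
            entry = {}
            for line in lines:
                key, _, val = line.partition(":")
                if val.startswith(":"):        # "attr:: <base64>" value
                    val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
                entry[key.strip()] = val.strip()
            yield entry
            lines = []

def find_mismatches(ldif_text):
    """Return (sAMAccountName, userPrincipalName) pairs whose UPN local part
    is not identical (case-insensitively) to the sAMAccountName."""
    out = []
    for e in parse_ldif(ldif_text):
        sam, upn = e.get("sAMAccountName"), e.get("userPrincipalName")
        if sam and upn and upn.split("@", 1)[0].lower() != sam.lower():
            out.append((sam, upn))
    return out

if __name__ == "__main__":
    # Pipe real ldbsearch/ldapsearch output in; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for sam, upn in find_mismatches(text):
        print(f"{sam}\t{upn}\t(UPN local part {len(upn.split('@', 1)[0])} chars)")
```

Running it against a dump of the Users container gives the list of people who will hit the share-access failure if they log in with the UPN.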
Andrew Bartlett
2011-Feb-04 01:30 UTC
[Samba] Access to s3 shares when userPrincipalName differs from the sAMAccountName
On Thu, 2011-02-03 at 10:39 +0100, Angelos Oikonomopoulos wrote:
> Hello all,
>
> I've been trying to use a Samba3 fileserver with security = ADS in a
> domain where the DC is Samba4. It all seems to work, except for users
> with long names.

Is the authentication using NTLM or Kerberos?

Either way, this is unlikely to be a Samba3 bug, given that it's not been raised before, so perhaps re-raise the issue on samba-technical, with network traces etc to show what's going on, and I'll happily look into it for you.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.