john
2014-May-17 23:03 UTC
[Samba] Can I authenticate with windows UPN names using winbind? If so how?
Hi all,

I am trying to set up a linux server that allows users to log in via their windows UPN names rather than their SamIDs. I have set up two test boxes:

    debian linux 7 running Winbind Version 3.6.6
    Ubuntu Linux 14.04 running Winbind version 4.1.6-Ubuntu.

smb.conf is at bottom of this post.

I've bound both linux boxen to our Active Directory Server running 2008R2 and can return domain usernames with the tools wbinfo and getent.

Wbinfo -n shows me the user's sid is mapped the same whether I use the samID or UPN:

    # wbinfo -n testuser
    S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

    # wbinfo -n testuser@example.org
    S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

I can log domain users onto my test linux servers using the samID. So a user with a domain account can log on to the ssh server with:

    ssh testuser@xxx.xxx.xxx.xxx

but test users can't authenticate with the UPN formatted names:

    ssh testuser@example.org@xxx.xxx.xxx.xxx
nor
    testuser\@example.org@xxx.xxx.xxx.xxx
nor
    testuser\@EXAMPLE.org@xxx.xxx.xxx.xxx

Can windows UPN logins work with Linux and Winbind?

Is there a better way to do this than winbind? E.g. via OpenLDAP, or SSSD? I'd prefer to use winbind if possible since it currently works for us in other contexts.

http://wiki.samba.org/index.php/Samba doesn't mention the UPN question at all, and looking back over postings on this list, I see plenty of questions, but no answer saying "yes, do it like this, and here are the steps".

Thanks for your help!
John

Here's a copy of the smb.conf file I am using:

    [Global]
    netbios name = LTSP
    workgroup = LTSP
    realm = EXAMPLE.ORG
    server string = %h LTSP
    security = ads
    encrypt passwords = yes
    idmap config * : backend = tdb
    idmap config * : range = 10000-200000
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes
    #winbind separator = +
    winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%D/%U
    preferred master = no
    dns proxy = no
    wins server = 10.114.5.51
    wins proxy = no
    inherit acls = Yes
    map acl inherit = Yes
    acl group control = yes
    load printers = no
    debug level = 3
    use sendfile = no
Linda W
2014-May-21 23:57 UTC
[Samba] Can I authenticate with windows UPN names using winbind? If so how?
john wrote:
> Hi all,
>
> I am trying to set up an linux server that allows users to log in via their
> windows UPN names rather than their SamID's.
>
>
> I've bound both linux boxen to our Active Directory Server running 2008R2
> and can return domain usernames with the tools wbinfo and getent.
>
> Wbinfo -n shows me the user's sid is mapped the same whether I use the
> samID or UPN

I think it would be easier to use the 'Domain\User' format.

Would it work to use the 'domain\user' format? You are more likely to get that to work than using '@', as '@' has special meanings to many utils... I.e. since user@hostname with many utils = "using user 'user', do something on hostname". I.e. the '@' can't be part of a username as it implies the "object" host that the command acts upon. How would "email" know joe@tomcat.com isn't meant to be addressed to "joe" @ tomcat.com?

---
Local examples (not the best examples, because when I log into the 'server', it's the PDC, so it treats my domain account as a local account):

    lw.Bliss> uname -a
    CYGWIN_NT-6.1 Athenae 1.7.29(0.272/5/3) 2014-04-07 13:46 x86_64 Cygwin
    lw.Bliss> id
    uid=5013(Bliss\lw) gid=201(lwgroup) groups=201(lwgroup),544(Administrators),545(Users),512(Bliss\Domain Admins),513(Bliss\Domain Users) [...]
    lw.Bliss> ssh 'Bliss\lw@ishtar'
    Ishtar:lw> id
    uid=5013(lw) gid=201(lwgroup) groups=201(lwgroup),10(wheel),18(SYSTEM),42(trusted),512(Domain Admins),513(Domain Users),544(Administrators) [...]

--------
In log:

    May 21 16:36:52 Ishtar sshd[13042]: pam_winbind(sshd:account): user 'Bliss\lw' granted access
    May 21 16:36:52 Ishtar sshd[13042]: Accepted publickey for Bliss\\lw from 192.168.4.12 port 59451 ssh2

----
I have both 'lw' & Bliss\lw in /etc/passwd. I also have a full upcase version in /etc/passwd since samba doesn't respect case in 3.6.x (it did ignore case in 3.4 (preserving it)), but Samba broke windows compat by no longer respecting (but ignoring) case.
My /etc/pw+grp files are "coordinated" so as to reserve unique IDs between them. I also use backend=nss and do not have separate ranges for the local PDC accounts and Domain accounts.

You might want to make sure that your /etc/login.defs file (linux) allows spaces and backslash in the "CHARACTER CLASS", like (broken across lines here for readability):

    CHARACTER_CLASS
      [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_]
      [-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
      _.\\/\ ]*[-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$]\?

Please forgive me if this is really not what you want, and you really want the '@' separator.

Cheers!
Andrew Bartlett
2014-May-23 04:53 UTC
[Samba] Can I authenticate with windows UPN names using winbind? If so how?
On Sat, 2014-05-17 at 16:03 -0700, john wrote:
> Hi all,
>
> I am trying to set up an linux server that allows users to log in via their
> windows UPN names rather than their SamID's.
>
> I have set up two test boxes:
>
> debian linux 7 running Winbind Version 3.6.6
> Ubuntu Linux 14.04 running Winbind version 4.1.6-Ubuntu.
> smb.conf is at bottom of this post.
>
> I've bound both linux boxen to our Active Directory Server running 2008R2
> and can return domain usernames with the tools wbinfo and getent.
>
> Wbinfo -n shows me the user's sid is mapped the same whether I use the
> samID or UPN
>
> # wbinfo -n testuser
> S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
>
> # wbinfo -n testuser@example.org
> S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
>
> I can log domain users onto my test linux servers using the samID. So a
> user with a domain account can log on to the
> ssh server with:
>
> ssh testuser@xxx.xxx.xxx.xxx
>
> but test users can't authenticate with the UPN formated names:
>
> ssh testuser@example.org@xxx.xxx.xxx.xxx
> nor
> testuser\@example.org@xxx.xxx.xxx.xxx
> nor
> testuser\@EXAMPLE.org@xxx.xxx.xxx.xxx
>
>
> Can windows UPN logins work with Linux and Winbind?
>
> Is there a better way to do this than winbind? E.G. via OpenLDAP, or SSSD?
> I'd prefer to use winbind if possible since it currently works for us in
> other contexts.
>
> http://wiki.samba.org/index.php/Samba doesn't mention the UPN question at
> all and looking back over postings on this list, I see plenty of questions,
> but no answer saying "yes, do it like this, and here are the steps"

It would require code changes.

I've been looking over the authentication code paths, and even when connecting over SMB with NTLM, I suspect a lot of this isn't working. We split the user into domain\user pretty early, and expect that the domain part means something.
Other parts of winbindd would also need to move away from a 'split the username' pattern to a 'resolve the username' mode. In theory, we should be able to punt most of this trouble to our DC, but it would be a development task in my view.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                                 http://samba.org/~abartlet/
Authentication Developer, Samba Team            http://samba.org
Samba Developer, Catalyst IT                    http://catalyst.net.nz/services/samba
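To make the distinction Andrew draws concrete, here is an added illustrative model (not Samba or winbindd code, and not from anyone in the thread) of why a 'split the username' parser drops the UPN forms john tried while a 'resolve the username' parser would not. Only the workgroup, realm, default-domain setting and SID come from the thread; the account table, the realm-to-domain map and the separator handling are constructed assumptions.

```python
# Constructed stand-in for what the DC knows about one account. Values taken
# from the thread: workgroup LTSP, realm EXAMPLE.ORG, the testuser SID.
REALM = "EXAMPLE.ORG"
DEFAULT_DOMAIN = "LTSP"      # smb.conf: workgroup = LTSP, winbind use default domain = Yes
REALM_TO_DOMAIN = {REALM: DEFAULT_DOMAIN}   # assumption: how a resolver would map UPN realm -> domain
SEPARATOR = "\\"             # default 'winbind separator' (the smb.conf leaves '+' commented out)
ACCOUNTS = {                 # (DOMAIN, samaccountname) -> SID; constructed table
    ("LTSP", "testuser"): "S-1-5-21-3235454718-1405393322-4146969828-4087",
}


def split_username(name):
    """'Split the username' pattern: cut on the separator, call the left part the
    domain, and treat anything without a separator as a bare user in the default
    domain. A UPN contains no separator, so the whole 'user@realm' string is
    passed on as though it were a sAMAccountName."""
    domain, sep, user = name.partition(SEPARATOR)
    if not sep:
        return DEFAULT_DOMAIN, name
    return domain.upper(), user


def resolve_username(name):
    """'Resolve the username' mode: recognise DOMAIN\\user, user@REALM and bare
    user, and translate a UPN realm into its domain before any lookup happens."""
    domain, sep, user = name.partition(SEPARATOR)
    if sep:
        return domain.upper(), user
    user, at, realm = name.rpartition("@")
    if at:
        domain = REALM_TO_DOMAIN.get(realm.upper())   # realm part is case-insensitive
        if domain is None:
            raise ValueError("unknown realm: " + realm)
        return domain, user
    return DEFAULT_DOMAIN, name


def lookup_sid(name, parser):
    """Return the SID the constructed account table has for the (domain, user)
    pair the parser produces, or None when that pair names no account, which is
    the 'cannot authenticate' outcome john saw for the UPN forms."""
    domain, user = parser(name)
    return ACCOUNTS.get((domain.upper(), user.lower()))


if __name__ == "__main__":
    for login in ("testuser", "LTSP\\testuser", "testuser@example.org", "testuser@EXAMPLE.org"):
        print(f"{login:28} split -> {lookup_sid(login, split_username)}")
        print(f"{'':28} resolve -> {lookup_sid(login, resolve_username)}")
```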