mathias dufresne
2015-Jul-01 16:44 UTC
[Samba] [samba] strange: 20 characters max in samAccountName
Thank you both precisions : )

My users have no "@" in their names (samAccountName nor userPrincipalName nor anything) except in mail attribute).

From https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx which I read before initial post I understand AD can have this limitation of 20 chars if and only if you decide to support (so) old clients (that we should stop thinking about them).

In first table the limit of 20 chars is there.
In others tables this limit seems to me pushed up to 256 characters (range-upper line).

Now I can read this table in the wrong way (that won't be the first time :), but I thought this limit was removed with AD without the option to support old clients...

2015-07-01 17:30 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:

> Hello Mathias,
>
> as Rowland already said, it's an AD limitation.
>
> On 01.07.2015 at 16:44, mathias dufresne wrote:
> > I can log in using administrator account or any other having a short
> > (enough) samAccountName.
> > I tried to add @ad.domain.tld to samAccountName during log in process
> > without any success.
>
> Even if the @ character is allowed, your sAMAccountName attributes
> shouldn't contain it! You will run into problems some day with it. It's
> the same with spaces, umlauts, etc.
>
> If you see someone login with user at samdom.example.com, then this usually
> isn't the sAMAccountName attribute. It's the value from the
> userPrincipalName attribute.
>
> http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-76-18/3568.HSG_2D00_8_2D00_13_2D00_13_2D00_01.png
>
> If the account doesn't have a userPrincipalName attribute set, then you
> can only use the value from sAMAccountName for login.
>
> Regards,
> Marc
Rowland Penny
2015-Jul-01 16:56 UTC
[Samba] [samba] strange: 20 characters max in samAccountName
On 01/07/15 17:44, mathias dufresne wrote:
> Thank you both precisions : )
>
> My users have no "@" in their names (samAccountName nor userPrincipalName
> nor anything) except in mail attribute).

What have you got in userPrincipalName ?

> From https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
> which I read before initial post I understand AD can have this limitation
> of 20 chars if and only if you decide to support (so) old clients (that we
> should stop thinking about them).

No, you cannot have more than 20 characters, it is set like this to support old clients, you do not get a choice.

> In first table the limit of 20 chars is there.
> In others tables this limit seems to me pushed up to 256 characters
> (range-upper line).

range-upper != size

> Now I can read this table in the wrong way (that won't be the first time
> :), but I thought this limit was removed with AD without the option to
> support old clients...

No it wasn't

Rowland

> 2015-07-01 17:30 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Hello Mathias,
>>
>> as Rowland already said, it's an AD limitation.
>>
>> On 01.07.2015 at 16:44, mathias dufresne wrote:
>>> I can log in using administrator account or any other having a short
>>> (enough) samAccountName.
>>> I tried to add @ad.domain.tld to samAccountName during log in process
>>> without any success.
>>
>> Even if the @ character is allowed, your sAMAccountName attributes
>> shouldn't contain it! You will run into problems some day with it. It's
>> the same with spaces, umlauts, etc.
>>
>> If you see someone login with user at samdom.example.com, then this usually
>> isn't the sAMAccountName attribute. It's the value from the
>> userPrincipalName attribute.
>>
>> http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-76-18/3568.HSG_2D00_8_2D00_13_2D00_13_2D00_01.png
>>
>> If the account doesn't have a userPrincipalName attribute set, then you
>> can only use the value from sAMAccountName for login.
>>
>> Regards,
>> Marc
mathias dufresne
2015-Jul-02 08:43 UTC
[Samba] [samba] strange: 20 characters max in samAccountName
Thank you again Rowland for precision : )

In userPrincipalName there is a "@". It is forged with cn at ad.domain.tld and cn is forged with firstname.sn, as samAccountName, which often is longer than 20 chars.

I'll change that...

Thank you again all, have a nice day!

mathias

2015-07-01 18:56 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 01/07/15 17:44, mathias dufresne wrote:
>
>> Thank you both precisions : )
>>
>> My users have no "@" in their names (samAccountName nor userPrincipalName
>> nor anything) except in mail attribute).
>
> What have you got in userPrincipalName ?
>
>> From https://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx
>> which I read before initial post I understand AD can have this limitation
>> of 20 chars if and only if you decide to support (so) old clients (that we
>> should stop thinking about them).
>
> No, you cannot have more than 20 characters, it is set like this to
> support old clients, you do not get a choice.
>
>> In first table the limit of 20 chars is there.
>> In others tables this limit seems to me pushed up to 256 characters
>> (range-upper line).
>
> range-upper != size
>
>> Now I can read this table in the wrong way (that won't be the first time
>> :), but I thought this limit was removed with AD without the option to
>> support old clients...
>
> No it wasn't
>
> Rowland
>
>> 2015-07-01 17:30 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello Mathias,
>>>
>>> as Rowland already said, it's an AD limitation.
>>>
>>> On 01.07.2015 at 16:44, mathias dufresne wrote:
>>>
>>>> I can log in using administrator account or any other having a short
>>>> (enough) samAccountName.
>>>> I tried to add @ad.domain.tld to samAccountName during log in process
>>>> without any success.
>>>
>>> Even if the @ character is allowed, your sAMAccountName attributes
>>> shouldn't contain it! You will run into problems some day with it. It's
>>> the same with spaces, umlauts, etc.
>>>
>>> If you see someone login with user at samdom.example.com, then this usually
>>> isn't the sAMAccountName attribute. It's the value from the
>>> userPrincipalName attribute.
>>>
>>> http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-76-18/3568.HSG_2D00_8_2D00_13_2D00_13_2D00_01.png
>>>
>>> If the account doesn't have a userPrincipalName attribute set, then you
>>> can only use the value from sAMAccountName for login.
>>>
>>> Regards,
>>> Marc
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
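
An added example, not part of the original thread or of Samba: a small audit of an LDIF account export for the points raised above (sAMAccountName longer than 20 characters, or containing "@", spaces or non-ASCII characters such as umlauts, and accounts with no userPrincipalName). The account names, the function names and the LDIF sample are constructed for illustration.

```python
import base64

MAX_SAM_LEN = 20  # user sAMAccountName limit discussed in the thread
_UMLAUT = base64.b64encode('jörg müller'.encode('utf-8')).decode('ascii')
# Constructed sample in LDIF form (hypothetical accounts, not real data).
SAMPLE_LDIF = f"""\
dn: CN=jean-baptiste.delacroix,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: jean-baptiste.delacroix
userPrincipalName: jean-baptiste.delacroix@ad.domain.tld

dn: CN=anna.li,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: anna.li

dn: CN=jorg,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName:: {_UMLAUT}
userPrincipalName: jorg@ad.domain.tld

dn: CN=p.martin,CN=Users,DC=ad,DC=domain,DC=tld
sAMAccountName: p.martin
userPrincipalName: p.martin@ad.domain.tld
"""

def parse_ldif(text):
    """Yield one {attr: value} dict per record; handles folding and base64 ('::')."""
    unfolded = text.replace("\n ", "")  # LDIF continuation lines start with a space
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                name, _, raw = line.partition(":")
                b64 = raw.startswith(":")  # 'attr:: value' means base64-encoded UTF-8
                value = base64.b64decode(raw[1:].strip()).decode("utf-8") if b64 else raw.strip()
                entry[name.lower()] = value
        yield entry

def audit(entry):
    """Return the list of findings for one account record."""
    sam = entry.get("samaccountname", "")
    checks = [
        (len(sam) > MAX_SAM_LEN, f"length {len(sam)} > {MAX_SAM_LEN}"),
        ("@" in sam, "contains '@'"),
        (" " in sam, "contains space"),
        (not sam.isascii(), "contains non-ASCII characters"),
        ("userprincipalname" not in entry, "no userPrincipalName: login only by sAMAccountName"),
    ]
    return [msg for failed, msg in checks if failed]

def audit_ldif(text):
    return {e["samaccountname"]: audit(e) for e in parse_ldif(text) if "samaccountname" in e}
```

Running `audit_ldif` over an export taken before generating names from firstname.sn shows which accounts would be affected by the limit.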