On 22/02/2023 14:48, James Dingwall via samba wrote:
>> Date: Wed, 22 Feb 2023 10:38:27 +0100 (CET)
>> From: Leon Benthaus <leon.benthaus at mailbox.org>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] UPN as username instead of SAMAccountname
>>
>> Thank you Rowland. At least I have a definite answer now. :)
>>
>> I will see if my colleagues are fine with this.
>>
>> Best, Leon
>>
>>> Rowland Penny via samba <samba at lists.samba.org> wrote on
>>> 22.02.2023 10:27 CET:
>>>
>>>
>>> On 22/02/2023 08:45, Leon Benthaus via samba wrote:
>>>> Dear all,
>>>>
>>>> since I didn't get an answer I would carefully ask again.
>>>> Maybe this is just a quick yes or no question:
>>>>
>>>> Is there any known way to get winbind to accept UPNs as
>>>> username instead of the samaccountname? All the threads I found
>>>> online regarding this are really old.
>>>>
>>>> Best,
>>>> Leon
>>>
>>>
>>> NO
>>>
>>> Well, you wanted a quick answer ;-)
>>>
>>> Long answer: Whilst you can change the UPN to anything that looks like
>>> an email (so you could use it as an email address), you cannot use it to
>>> log in.
>>>
>>> Rowland
>
> I have this working on an Ubuntu system by adding krb5 to the pam auth
stack:
>
> auth [success=4 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=3 default=ignore] pam_unix.so nullok try_first_pass
> auth [success=2 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
>
> With this all these variations work:
>
> ssh user@host
> ssh user@ad.realm@host
> ssh DOMAIN\\user@host
That works for myself, what doesn't appear to work (not for me) is if
the AD domain is samdom.example.com and you change a user's UPN to
'user@example.com'.
For example, if you have a user called 'test' with the UPN of
test@samdom.example.com and you change it to test@example.com, you
cannot 'ssh' to another computer with 'ssh test@example.com@devstation',
but it still works with 'ssh test@samdom.example.com@devstation'
>
> nsswitch.conf:
>
> passwd: files ldap winbind systemd
> group: files ldap winbind systemd
>
> ldap is provided by nslcd configured against AD. `getent passwd` does
> return two entries per account so a bit of care with nscd is needed if
> that is active.
That is easy to fix, remove either 'ldap' or 'winbind', you really
shouldn't be using both.
>
> $ getent passwd | grep user
> user:*:1000:1000:My Name:/home/user:/bin/bash
> DOMAIN\user:*:1000:1000:My Name:/home/user:/bin/bash
The top one is coming from nslcd and the bottom from winbind.
Rowland
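An added illustration of the `[success=N default=ignore]` control used in the PAM stack James quoted above (this is not code from the thread, from Samba, or from libpam). It simulates the jump semantics for exactly that stack and assumes, as on a stock Ubuntu system, that the quoted lines are followed by `auth required pam_permit.so`. The point it makes is the one a reviewer of such a stack should check: the jump counts must land a successful module past `pam_deny.so`, and a miscount of one turns a valid Kerberos login into a denial.

```python
"""
Simulate the '[success=N default=ignore]' jump control used in the quoted
Ubuntu auth stack.  Added illustration, not code from the Samba thread or
from libpam; it models only the control keywords that stack uses
(success=N with default=ignore, requisite, required) and assumes the stack
is followed by the usual Ubuntu trailing line 'auth required pam_permit.so'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    module: str
    control: str  # "requisite", "required" or "success=N default=ignore"


# The quoted stack, in order, plus the assumed trailing pam_permit line.
STACK = [
    Rule("pam_krb5.so", "success=4 default=ignore"),
    Rule("pam_unix.so", "success=3 default=ignore"),
    Rule("pam_winbind.so", "success=2 default=ignore"),
    Rule("pam_ldap.so", "success=1 default=ignore"),
    Rule("pam_deny.so", "requisite"),
    Rule("pam_permit.so", "required"),  # assumed, as in Ubuntu common-auth
]


def run_stack(stack, results):
    """
    Walk the auth stack.  'results' maps module name -> True/False for what
    that module would return; pam_deny always fails and pam_permit always
    succeeds.  Returns (decision, trace): 'allow' or 'deny', plus the list of
    modules that were actually consulted (skipped modules never run).
    """
    trace = []
    final = None  # first recorded non-ignored verdict
    i = 0
    while i < len(stack):
        rule = stack[i]
        trace.append(rule.module)
        if rule.module == "pam_deny.so":
            ok = False
        elif rule.module == "pam_permit.so":
            ok = True
        else:
            ok = results.get(rule.module, False)

        if rule.control.startswith("success="):
            jump = int(rule.control.split()[0].split("=", 1)[1])
            if ok:
                if final is None:
                    final = True
                i += 1 + jump  # success: skip the next N rules
            else:
                i += 1  # default=ignore: failure is not recorded, carry on
        elif rule.control == "requisite":
            if not ok:
                return "deny", trace  # requisite failure ends the stack at once
            i += 1
        elif rule.control == "required":
            if not ok:
                final = False
            elif final is None:
                final = True
            i += 1
        else:
            raise ValueError("unsupported control: " + rule.control)
    return ("allow" if final else "deny"), trace


def with_jump(stack, module, new_n):
    """Copy of the stack with one module's success=N jump count changed."""
    out = []
    for rule in stack:
        if rule.module == module and rule.control.startswith("success="):
            out.append(Rule(module, "success=%d default=ignore" % new_n))
        else:
            out.append(rule)
    return out


if __name__ == "__main__":
    # UPN login: Kerberos accepts it and the jump lands on pam_permit.
    print(run_stack(STACK, {"pam_krb5.so": True}))
    # Nothing accepts the password: the stack falls through to pam_deny.
    print(run_stack(STACK, {}))
    # Miscounted jump: success=3 on pam_krb5 lands on pam_deny, so even a
    # valid Kerberos password is refused.
    print(run_stack(with_jump(STACK, "pam_krb5.so", 3), {"pam_krb5.so": True}))
```

Run it as-is to see the three traces; the last one is the case to remember when inserting a module into an existing stack, since every `success=N` above the insertion point has to be incremented.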
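An added check for the double identity that the quoted `nsswitch.conf` and `getent passwd` output show (example code, not from the thread or from Samba). It flags a `passwd` line that lists more than one directory source, and any UID that NSS resolves under two different names, which is exactly what happens when both nslcd and winbind answer for the same account. The nsswitch text and passwd lines below are constructed to match the quoted output.

```python
"""
Detect one UID resolved under several names by several NSS sources.
Added example, not code from the Samba thread.  The nsswitch.conf and
passwd lines below are constructed to match the output quoted in the
thread; on a real host feed in the file and `getent passwd` output.
"""
from collections import defaultdict

NSSWITCH = """\
passwd: files ldap winbind systemd
group:  files ldap winbind systemd
"""

GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user:*:1000:1000:My Name:/home/user:/bin/bash
DOMAIN\\user:*:1000:1000:My Name:/home/user:/bin/bash
"""

# Sources that each resolve directory accounts; more than one of these on
# the same database is what produces duplicate entries.
DIRECTORY_SOURCES = {"ldap", "winbind", "sss"}


def nss_sources(nsswitch_text, database="passwd"):
    """Return the source list for one nsswitch.conf database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == database:
            return sources.split()
    return []


def overlapping_directory_sources(nsswitch_text, database="passwd"):
    """Directory sources configured together on one database, else []."""
    found = set(nss_sources(nsswitch_text, database)) & DIRECTORY_SOURCES
    return sorted(found) if len(found) > 1 else []


def duplicate_uids(passwd_text):
    """Map uid -> sorted names for every uid that carries more than one name."""
    names = defaultdict(set)
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError("not a passwd line: %r" % line)
        names[int(fields[2])].add(fields[0])
    return {uid: sorted(n) for uid, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    print("overlapping sources:", overlapping_directory_sources(NSSWITCH))
    print("uids with several names:", duplicate_uids(GETENT_PASSWD))
```

Either finding means the same account can appear under two spellings in logs, ACLs and `ps` output, so the fix Rowland gives (drop one of the two sources) is the right one rather than papering over it with nscd.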