similar to: Joining a DC, was (no subject)

On Sun, 3 Mar 2019 13:14:35 +0000 (UTC) Billy Bob <billysbobs at yahoo.com> wrote: > > > > > > The 'Nooooo, don't do that is: > > > > > Don't change the UPN > > > > > > > > Why not? It's a recommended best practice to choose a subdomain > > > > of your primary domain (e.g. "ad.example.com"), and

Thanks for the input, Rowland! Replies inline: On Fri, Mar 1, 2019 at 8:57 AM Rowland Penny via samba <samba at lists.samba.org> wrote: [snip] > The 'Nooooo, don't do that is: > Don't change the UPN Why not? It's a recommended best practice to choose a subdomain of your primary domain (e.g. "ad.example.com"), and then add alternate UPN suffix which allows

> > > > The 'Nooooo, don't do that is: > > > > Don't change the UPN > > > > > > Why not? It's a recommended best practice to choose a subdomain of > > > your primary domain (e.g. "ad.example.com"), and then add alternate > > > UPN suffix which allows user logons to match their email addresses. > > >

On 09.07.20 18:59, Bernhard Dick via samba wrote: > Hi, > > Am 02.07.2020 um 17:23 schrieb Martin Hauptmann via samba: >> Sorry if I didn't find the right manual. >> >> I would like to set up a new Domain Controller and connect it to an >> existing Office 365 with Exchange in a way, AD-Users of a certain >> group can login and not having to login to

I *think* we're all on the same page now. My suggestion was adding an additional entry to the UPN Suffixes list, and using that suffix (without "ad.") when creating new users. This Microsoft doc [1] says: > By convention, this should map to the user's email name. The point of > the UPN is to consolidate the email and logon namespaces so that the > user only needs to

Hai   After my squid group adventure, i have a remaining question here.   The problem was as followed. ( and this probely dont applie to squid kerberos helpers only. )   samba-tool setup for squid i used, was as followed.   samba-tool user create squid1-service --description="Unprivileged user for SQUID1-Proxy Services" --random-password samba-tool user setexpiry

Dear all, i'm investigating the issue that I can't authenticate against a Samba (as Active-Directory Member) using the userPrincipalName (UPN). (Using Samba and sAMAccountName works fine.) After some research I'm quite sure that winbind is limited to the sAMAccountName and can't use UPN. So I deciced to use SSSD and configured the `ldap_user_name = userPrincipalName` in the

Am 14.10.20 um 08:31 schrieb Nico Kadel-Garcia via samba: > On Tue, Oct 13, 2020 at 10:30 AM Rowland penny via samba > <samba at lists.samba.org> wrote: >> On 13/10/2020 15:01, Markus Jansen via samba wrote: >>> Thank you very much for your hints. >>> >>> I got rid of SSSD and managed to get a successful kerberos >>> authentication via wbinfo

Hello, I'm running a Samba DC on Debian 9 (version 4.5.12-Debian) in a lab environment, set up like this: https://jonathonreinhart.com/posts/blog/2019/02/11/setting-up-a-samba-4-domain-controller-on-debian-9/ I would now like to configure this server to enable login via domain credentials. I'm aware that the Samba wiki recommends the following: -

Mandi! Rowland penny via samba In chel di` si favelave... > You are authenticating to AD, so you need to use information that AD > understands, its dns domain (not an email domain) and the users name, or the > Netbios domain\username. But UPN is written 'domainful', eg 'username at ad.domain.name': root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b

On Tue, 2023-04-04 at 09:37 +0200, Kees van Vloten wrote: > Op 04-04-2023 om 00:32 schreef Andrew Bartlett: > > > > > On Mon, 2023-04-03 at 15:08 +0000, Tim ODriscoll via samba wrote: > > > > > Unfortunately it's still erroring out: > > > (7) mschap: Creating challenge hash with username: host/SL-6S4BBS3.MYDOMAIN.co.uk > > > (7) mschap:

On 13/10/2020 15:01, Markus Jansen via samba wrote: > Thank you very much for your hints. > > I got rid of SSSD and managed to get a successful kerberos > authentication via wbinfo -K and the UPN. > > But accessing via SMB (using MAC OS' smbutil or Finder) still fails with > "FAILED with error NT_STATUS_NO_SUCH_USER". > > As I'm using CentOS 8, I used

Hi all, I just add into my AD a user with different values for attributes "CN" and "name". Here is an extract of the LDIF used to add this user: ------------------------------------------------------------------------------------ dc202:~# egrep 'cn:|name:' mathias.ldif cn: Mathias Dufresne (CN) *name: mathias.dufresne*

And reading last mails comforts me in believing the filter used by client side to retrieve user is not correct, that filter should use SPN then you won't need to set up SPN into UPN field. 2016-08-30 15:55 GMT+02:00 mathias dufresne <infractory at gmail.com>: > Hi Louis, > > > 2016-08-29 16:18 GMT+02:00 L.P.H. van Belle via samba < > samba at lists.samba.org>: >

We want to know if Samba 4 supports UPN for AD authentication. Thanks. Angelica

Hi! The command "samba-tool testparm -v" returns "template homedir = /home/%WORKGROUP%/%ACCOUNTNAME%". Is there other variables that can be used? It is possible to add one or more uPNSuffixes to Samba 4 AD DC to alter the userPrincipalName. Both on the "domain" level (cn=uPNSuffixes,cn=Partitions,...) and on OU-level (cn=uPNSuffixes,ou=example.org,dc=...) But is it

hello Achim, yes, if you change the  userPrincipalName LDAP attributethats suffient, thats what i changed through the windows tool. greetz, Louis Op 29 aug. 2016 om 19:42 heeft Achim Gottinger via samba <samba at lists.samba.org> het volgende geschreven: Am 29.08.2016 um 17:17 schrieb L.P.H. van Belle via samba: No, That was not sufficient, i had to use the windows tool to

Hi Samba-Group, my name is carsten from cologne. I would like to use samba/winbind in a Windows AD 2k3, 2k8 multi-domain environment as workstation. All users from the AD should be able to logon via ssh for example. It would great to use the MS userprincipalName (UPN). I am using samba 3.2.6.37 from sernet on a centos 5.2 system. The normal authentication by domain+username works fine.

> Does it work if you manually add userPrincipalName=CLIENT02.DOMAIN.TLD to your clients ldap entry and reexport the keytab? I already thought about trying that. So by now, I tried tweaking the client's LDAP entry. Adding userPrincipalName=CLIENT02.DOMAIN.TLD does not succeeed, however, after reviewing the ldap filter once again, I added userPrincipalName=nfs/client02.domain.tld at

Hi, On 10/29/20 12:51 PM, Rowland penny via samba wrote: > Are we talking from Windows here ? Yes. > If so, then 'username at dns.domain.com' should work. dns in the above sample meaning the samba AD dns name, i guess..? In that case, that basically means username at samba.domain.com, or username at realm, which also equals the above) That is still something for our end users