[Samba] Can I authenticate with windows UPN names using winbind? If so how?
john
2014-05-17 23:03:30 UTC
Hi all,

I am trying to set up a Linux server that allows users to log in via their
Windows UPN names rather than their SamIDs.

I have set up two test boxes:

debian linux 7 running Winbind Version 3.6.6
Ubuntu Linux 14.04 running Winbind version 4.1.6-Ubuntu.
smb.conf is at bottom of this post.

I've bound both linux boxen to our Active Directory Server running 2008R2
and can return domain usernames with the tools wbinfo and getent.

wbinfo -n shows me the user's SID is mapped the same whether I use the
samID or the UPN:

# wbinfo -n testuser
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

# wbinfo -n testuser@example.org
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

I can log domain users onto my test Linux servers using the samID. So a
user with a domain account can log on to the ssh server with:

ssh testuser@xxx.xxx.xxx.xxx

but test users can't authenticate with the UPN-formatted names:

ssh testuser@***@xxx.xxx.xxx.xxx
nor
testuser\@example.org@xxx.xxx.xxx.xxx
nor
testuser\@EXAMPLE.org@xxx.xxx.xxx.xxx


Can Windows UPN logins work with Linux and Winbind?

Is there a better way to do this than winbind, e.g. via OpenLDAP or SSSD?
I'd prefer to use winbind if possible since it currently works for us in
other contexts.

http://wiki.samba.org/index.php/Samba doesn't mention the UPN question at
all, and looking back over postings on this list, I see plenty of questions,
but no answer saying "yes, do it like this, and here are the steps".


Thanks for your help!

John



Here's a copy of the smb.conf file I am using:

[Global]
netbios name = LTSP
workgroup = LTSP
realm = EXAMPLE.ORG
server string = %h LTSP
security = ads
encrypt passwords = yes

idmap config * : backend = tdb
idmap config * : range = 10000-200000

winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
#winbind separator = +
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U

preferred master = no
dns proxy = no
wins server = 10.114.5.51
wins proxy = no

inherit acls = Yes
map acl inherit = Yes
acl group control = yes

load printers = no
debug level = 3
use sendfile = no
Linda W
2014-05-21 23:57:21 UTC
Post by john
Hi all,
I am trying to set up an linux server that allows users to log in via their
windows UPN names rather than their SamID's.
I've bound both linux boxen to our Active Directory Server running 2008R2
and can return domain usernames with the tools wbinfo and getent.
Wbinfo -n shows me the user's sid is mapped the same whether I use the
samID or UPN
I think it would be easier to use the 'Domain\User' format. Would it work
to use the 'domain\user' format? You are more likely to get that to
work than using '@', as '@' has special meanings to many utils...
I.e. since user@hostname with many utils = "using user 'user', do
something on hostname". I.e. the '@' can't be part of a username as it
implies the "object" host that the command acts upon.

How would "email" know joe@tomcat.com isn't meant to be addressed to "joe"
@ tomcat.com?
---
Local examples (not the best examples, because when I log into the
'server', it's the PDC, so it treats my domain account as a local account):

lw.Bliss> uname -a
CYGWIN_NT-6.1 Athenae 1.7.29(0.272/5/3) 2014-04-07 13:46 x86_64 Cygwin
lw.Bliss> id
uid=5013(Bliss\lw) gid=201(lwgroup)
groups=201(lwgroup),544(Administrators),545(Users),512(Bliss\Domain Admins),513(Bliss\Domain Users) [...]
lw.Bliss> ssh 'Bliss\lw@ishtar'
Ishtar:lw> id
uid=5013(lw) gid=201(lwgroup)
groups=201(lwgroup),10(wheel),18(SYSTEM),42(trusted),512(Domain Admins),513(Domain Users),544(Administrators) [...]
--------
In log:
May 21 16:36:52 Ishtar sshd[13042]: pam_winbind(sshd:account): user 'Bliss\lw' granted access
May 21 16:36:52 Ishtar sshd[13042]: Accepted publickey for Bliss\\lw from 192.168.4.12 port 59451 ssh2
----

I have both 'lw' & Bliss\lw in /etc/passwd. I also have a full upcase
version in /etc/passwd since samba doesn't respect case in 3.6.x (it did
ignore case in 3.4 (preserving it)), but Samba broke Windows compat by no
longer respecting (but ignoring) case.

My /etc/pw+grp files are "coordinated" so as to reserve unique IDs
between them.

I also use backend=nss and do not have separate ranges for the local PDC
accounts and Domain accounts.

You might want to make sure that your /etc/login.defs file (linux)
allows spaces and backslash in the "CHARACTER CLASS", like:
CHARACTER_CLASS <readability break>
[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_] <readability break>
[-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
<readability break>
_.\\/\
]*[-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$]\?


Please forgive me if this is really not what you
want, and you really want the '@' separator.

Cheers!
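To see concretely which login names the CHARACTER_CLASS quoted in the reply above would accept, here is an added example (not from the thread, and not Samba or shadow-utils code). It assumes the class reads, once the '<readability break>' markers are taken as plain line breaks, `[A-Za-z_][-A-Za-z0-9_.\/ ]*[-A-Za-z0-9_.$]\?` in the basic-regex syntax login.defs uses, and rewrites it in Python's `re` syntax (where `\?` becomes `?`). The names tested are constructed from the ones in the thread.

```python
import re

# Assumed reconstruction of the login.defs CHARACTER_CLASS quoted in the
# reply. Backslash and space appear literally in the middle class, which is
# what lets 'Bliss\lw' and 'Bliss\Domain Admins' through; '@' is in none of
# the classes.
CHARACTER_CLASS = re.compile(
    r"[A-Za-z_]"              # first character: letter or underscore
    r"[-A-Za-z0-9_.\\/ ]*"    # middle: also digits, '-', '.', '\', '/', space
    r"[-A-Za-z0-9_.$]?"       # optional last character; '$' for machine accounts
)

# Characters the class admits anywhere in a name (used only for explaining
# a rejection; the first-character rule is checked by the regex itself).
ADMITTED = set("-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.\\/ $")


def allowed_by_character_class(name: str) -> bool:
    """True if the whole name matches the reconstructed CHARACTER_CLASS."""
    return CHARACTER_CLASS.fullmatch(name) is not None


def offending_chars(name: str) -> set:
    """Characters in the name that no part of the class admits."""
    return {ch for ch in name if ch not in ADMITTED}


if __name__ == "__main__":
    # Constructed sample names: bare SamID, DOMAIN\user, a group-style name
    # with a space, a machine account, and the UPN form from the question.
    for candidate in ("lw", "Bliss\\lw", "Bliss\\Domain Admins",
                      "host01$", "1user", "testuser@example.org"):
        verdict = "ok      " if allowed_by_character_class(candidate) else "rejected"
        print(f"{verdict} {candidate!r:28} offending={sorted(offending_chars(candidate))}")
```

The UPN form is rejected solely because of the '@'; the DOMAIN\user form passes, which is the practical reason the reply steers towards that spelling.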
john
2014-05-23 00:41:17 UTC
Hi Linda,

First, thank you for your response.
Post by Linda W
I.e. since user@hostname with many utils = "using user 'user', do
implies the "object"
host that the command acts upon.
Sorry I wasn't clear. I want to be able to authenticate using the UPN
(user principal name), which has the format username@tld.
Currently I am able to log in with domain\username (aka the NetBIOS login
name), which uses the Windows SamID field for the username portion of the
address.

Here's a very brief description of the difference, as I may not be making
myself clear:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa380525%28v=vs.85%29.aspx
Post by Linda W
Please forgive me if this is really, not what you
Cheers!
I would like to use the '@' separator.

Thanks!

John
Andrew Bartlett
2014-05-23 04:53:44 UTC
Post by john
Hi all,
I am trying to set up an linux server that allows users to log in via their
windows UPN names rather than their SamID's.
debian linux 7 running Winbind Version 3.6.6
Ubuntu Linux 14.04 running Winbind version 4.1.6-Ubuntu.
smb.conf is at bottom of this post.
I've bound both linux boxen to our Active Directory Server running 2008R2
and can return domain usernames with the tools wbinfo and getent.
Wbinfo -n shows me the user's sid is mapped the same whether I use the
samID or UPN
# wbinfo -n testuser
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
# wbinfo -n testuser@example.org
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)
I can log domain users onto my test linux servers using the samID. So a
user with a domain account can log on to the
ssh testuser@xxx.xxx.xxx.xxx
nor
nor
Can windows UPN logins work with Linux and Winbind?
Is there a better way to do this than winbind? E.G. via OpenLDAP, or SSSD?
I'd prefer to use winbind if possible since it currently works for us in
other contexts.
http://wiki.samba.org/index.php/Samba doesn't mention the UPN question at
all and looking back over postings on this list, I see plenty of questions,
but no answer saying "yes, do it like this, and here are the steps"
It would require code changes. I've been looking over the
authentication code paths, and even when connecting over SMB with NTLM,
I suspect a lot of this isn't working. We split the user into
domain\user pretty early, and expect that the domain part means something.

Other parts of winbindd would also need to move away from a 'split the
username' pattern to a 'resolve the username' mode. In theory, we
should be able to punt most of this trouble to our DC, but it would be
a development task in my view.

Sorry,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
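The distinction drawn in the answer above, between a 'split the username' pattern and a 'resolve the username' pattern, can be seen in a few lines of code. The following is an added example that models both strategies against a constructed in-memory directory; it is not Samba's winbindd code, and the lookup order in `resolve_name` is an assumption about what a resolving path would do, not a description of any Samba code path. The first SID is the one quoted in the question; the second account and its SID are invented, and its UPN suffix is deliberately different from the domain name, because Active Directory allows alternative UPN suffixes, which is why the text after '@' cannot simply be read as a domain name.

```python
from typing import Optional, Tuple

DEFAULT_DOMAIN = "EXAMPLE"   # what 'winbind use default domain = yes' supplies
SEPARATOR = "\\"             # the default 'winbind separator'

# Constructed directory: (domain, sAMAccountName, userPrincipalName, SID).
DIRECTORY = [
    ("EXAMPLE", "testuser", "testuser@example.org",
     "S-1-5-21-3235454718-1405393322-4146969828-4087"),   # SID from the thread
    ("EXAMPLE", "jdoe", "john.doe@corp.example.org",
     "S-1-5-21-3235454718-1405393322-4146969828-4088"),   # invented account
]


def split_name(name: str) -> Tuple[str, str]:
    """'Split the username' pattern: DOMAIN\\user, or a bare user that is
    assigned to the default domain. A UPN has no separator, so the whole
    string, '@' and all, is taken as the user part."""
    if SEPARATOR in name:
        domain, user = name.split(SEPARATOR, 1)
        return domain.upper(), user
    return DEFAULT_DOMAIN, name


def lookup_by_split(name: str) -> Optional[str]:
    """Split first, then match on (domain, sAMAccountName) only.
    Returns the SID, or None when nothing matches, which is what happens
    to 'testuser@example.org' in this model."""
    domain, user = split_name(name)
    for d, sam, _upn, sid in DIRECTORY:
        if d == domain and sam.lower() == user.lower():
            return sid
    return None


def resolve_name(name: str) -> Optional[str]:
    """'Resolve the username' pattern (assumed order): try the split form
    first, then treat a separator-free name containing '@' as a UPN and
    look it up case-insensitively across the whole directory, instead of
    guessing a domain from the suffix."""
    sid = lookup_by_split(name)
    if sid is not None:
        return sid
    if "@" in name and SEPARATOR not in name:
        wanted = name.lower()
        for _d, _sam, upn, sid in DIRECTORY:
            if upn.lower() == wanted:
                return sid
    return None


if __name__ == "__main__":
    for login in ("EXAMPLE\\testuser", "testuser", "testuser@EXAMPLE.org",
                  "john.doe@corp.example.org", "CORP\\john.doe"):
        print(f"{login:28} split={lookup_by_split(login)}  resolve={resolve_name(login)}")
```

Both strategies agree on the DOMAIN\user and bare forms; only the resolving one maps a UPN to the same SID that `wbinfo -n` returned for it in the question, and it does so without assuming that `corp.example.org` names a domain.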