Re: [Samba] Joining a DC, was (no subject)
- Date: Sun, 3 Mar 2019 12:30:51 +0000 (UTC)
- From: Billy Bob via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Joining a DC, was (no subject)
> > > The 'Nooooo, don't do that is:
> > > Don't change the UPN
> > Why not? It's a recommended best practice to choose a subdomain of
> > your primary domain (e.g. "ad.example.com"), and then add alternate
> > UPN suffix which allows user logons to match their email addresses.
> > In fact, this page on the Samba Wiki recommends just that:
> > https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#My_User_Logins_Does_Not_Match_My_Email
> It wont for long ;-)
> The UPN is single valued, you can only have one.
> It is the logon name for the user and is composed of the users account
> name, the '@' sign and a dns domain name. This dns domain must be a
> domain in the current domain forest, which means (on a Samba DC, at
> least) the same thing.
> If you need an email attribute that doesn't match the UPN, use on of the
> email attributes that AD provides.
Are you sure about making this change to the documentation. The attribute being added is the not single-valued UPN-Suffixes (uPNSuffixes) rather than the single-valued User-Principal-Name (userPrincipalName), despite this thread repeatedly saying "change" the UPN.
It appears from the Microsoft documentation that the suffixes (multiple allowed) provide a mapping to the UPN, rather than change it, and one of the named security benefits is to hide the actual UPN. In any case, it also appears that many newer MS products, e.g. Azure, Outlook 2016, etc. _require_ the login name to match the e-mail address.
Please look at this again before committing to the documentation change, which seems to diverge from the goal of making SAMBA work like a Windows AD DC.
Here are some MS documents (contemporaneous with document linked in documentation prior to this change):
and in this one,
it is noted that:
"A UPN suffix has the following restrictions:
It must be the DNS name of a domain, but does not need to be the name of the domain that contains the user.
It must be the name of a domain in the current domain forest, or an alternate name listed in the upnSuffixes attribute of the Partitions container within the Configuration container."
NOTE the "or" in the last requirement. It does not need to be "a domain in the current domain forest" and it seems that the whole (major) point of the suffix to be able to use a logon name at a higher level in the forest hierarchy than where the AD DC sits.
To unsubscribe from this list go to the following URL and read the