Web lists-archives.com

Re: [Samba] Joining a DC, was (no subject)




On Sun, 3 Mar 2019 13:14:35 +0000 (UTC)
Billy Bob <billysbobs@xxxxxxxxx> wrote:

> 
> > > > > The 'Nooooo, don't do that is:
> > > > > Don't change the UPN
> > > > 
> > > > Why not? It's a recommended best practice to choose a subdomain
> > > > of your primary domain (e.g. "ad.example.com"), and then add
> > > > alternate UPN suffix which allows user logons to match their
> > > > email addresses.
> > > > 
> > > > In fact, this page on the Samba Wiki recommends just that:
> > > > https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#My_User_Logins_Does_Not_Match_My_Email
> > > 
> > > It wont for long ;-)
> > > The UPN is single valued, you can only have one.
> > > It is the logon name for the user and is composed of the users
> > > account name, the '@' sign and a dns domain name. This dns domain
> > > must be a domain in the current domain forest, which means (on a
> > > Samba DC, at least) the same thing.
> > > If you need an email attribute that doesn't match the UPN, use on
> > > of the email attributes that AD provides.
> 
> > Are you sure about making this change to the documentation. The
> > attribute being added is the not single-valued UPN-Suffixes
> > (uPNSuffixes) rather than the single-valued User-Principal-Name
> > (userPrincipalName), despite this thread repeatedly saying "change"
> > the UPN.
> 
> ... actually, am okay with change to documentation, but not with
> characterization of what OP is doing. In the blog post he was only
> setting a upnSuffix, and not trying to change the UPN, and people
> screamed "Don't change the UPN," seemingly confusing the issue. 


OK, I will hold my hand up, I misread his blog :-( 
To be honest I just skimmed it and missed that he was adding a UPN
suffix and not changing the UPN.

I think he needs to make it a bit more obvious ;-)

>Isn't he right to ask, "why not?"

Yes.

> Are people trying to say that the upnSuffix attribute doesn't work in
> SAMBA like Microsoft says it should in a Windows AD DC? 

I do not know, I have never tried them, but this could be one of those
things (from a Samba point of view) where the code doesn't exist for it
to work on a Samba DC, they should work on Windows machines.

>The suffix should allow a logon of "user@xxxxxxxxxx" even if the AD
>domain is "abc.domain.com" and the UPN is therefore "user@xxxxxxxxxxxxxx" 

Well yes, but possibly only on Windows machines.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba