Re: [Samba] Joining a DC, was (no subject)

On Sun, 3 Mar 2019 14:34:55 -0500
Jonathon Reinhart <jonathon.reinhart@xxxxxxxxx> wrote:

> I *think* we're all on the same page now. My suggestion was adding an
> additional entry to the UPN Suffixes list, and using that suffix
> (without "ad.") when creating new users.
> 
> This Microsoft doc [1] says:
> 
> > By convention, this should map to the user's email name. The point
> > of the UPN is to consolidate the email and logon namespaces so that
> > the user only needs to remember a single name.
> 
> If this doesn't work in Samba, that would be a major blow to my plans.

I personally have never had a reason to change a user's UPN and if you
use samba-tool to create a user you will get a UPN in the form of
'username@REALM' where 'REALM' is the dns domain in uppercase.
Whilst you will be able to add multiple upnSuffixes attributes and they
will very probably work on Windows, I do not know if they will work on
a Samba DC or Unix domain member. Only further testing will prove this
one way or the other.
 
> 
> On Sun, Mar 3, 2019 at 9:11 AM Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
> [snip]
> > OK, I will hold my hand up, I misread his blog :-(
> > To be honest I just skimmed it and missed that he was adding a UPN
> > suffix and not changing the UPN.
> 
> I'm not sure what is meant by the phrase "change the UPN".

As far as I am concerned 'UPN' is shorthand for the userPrincipalName
attribute.

> In
> particular, the use of the word "the" implies that there is only a
> single UPN to be changed. That doesn't make sense; the UPN is an
> attribute of the User class, so every user has a UPN which could be
> changed (but never should).

Yes, totally agree the UPN should never be changed and by 'the' I meant
'a user's UPN'.

> 
> > I think he needs to make it a bit more obvious ;-)
> 
> I'll assume you're being sarcastic :-)  I was very careful when
> writing that to always say "UPN Suffix" and never just "UPN".

I totally missed it, that is all I can say.

> 
> > >Isn't he right to ask, "why not?"
> >
> > Yes.
> >
> > > Are people trying to say that the upnSuffix attribute doesn't
> > > work in SAMBA like Microsoft says it should in a Windows AD DC?
> >
> > I do not know, I have never tried them, but this could be one of
> > those things (from a Samba point of view) where the code doesn't
> > exist for it to work on a Samba DC, they should work on Windows
> > machines.
> >
> > >The suffix should allow a logon of "user@xxxxxxxxxx" even if the AD
> > >domain is "abc.domain.com" and the UPN is therefore
> > >"user@xxxxxxxxxxxxxx"
> >
> > Well yes, but possibly only on Windows machines.
> 
> I've tested this with a Windows 7 client machine, and it worked as
> expected. How can we test this for non-Windows machines? Where can I
> enter "user@xxxxxxxxxxx" for a domain named "ad.example.com" and
> confirm that things work as expected? In other words, how would one
> go about discovering a potential Samba deficiency (compared to
> Windows) in this regard?
> 
> I see one reference to uPNSuffixes in source4 [2], and it appears that
> the 'net' command even appears to provide an --add-upn-suffix
> option [3].

Not sure how to test this either, but I will look into it.

Rowland
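An added example, not code from this thread or from Samba: before trying a logon with an alternative suffix, a first sanity check is that the suffix is actually advertised on the forest's Partitions container. The script parses the uPNSuffixes values that an `ldbsearch` against `CN=Partitions,CN=Configuration,...` returns (the LDIF below is constructed; `ad.example.com` and the suffixes are placeholders) and tests whether a candidate UPN uses the realm or one of those suffixes.

```python
"""Check candidate UPNs against the suffixes a Samba AD forest advertises.

Constructed sample: this LDIF mimics the output of
  ldbsearch -H /var/lib/samba/private/sam.ldb \
      -b 'CN=Partitions,CN=Configuration,DC=ad,DC=example,DC=com' \
      -s base '(objectClass=crossRefContainer)' uPNSuffixes
on a DC where two alternative suffixes have been added.
"""
import base64
import re
from typing import Set

SAMPLE_LDIF = """\
# record 1
dn: CN=Partitions,CN=Configuration,DC=ad,DC=example,DC=com
uPNSuffixes: example.com
uPNSuffixes:: Y29ycC5leGFtcGxlLm5ldA==

# returned 1 records
# 1 entries
# 0 referrals
"""


def parse_upn_suffixes(ldif: str) -> Set[str]:
    """Collect every uPNSuffixes value from ldbsearch's LDIF output.

    Handles LDIF line folding (continuations start with one space),
    base64 values ('attr:: ...') and '#' comment lines. Values are
    lower-cased because DNS names compare case-insensitively.
    """
    unfolded = re.sub(r"\n ", "", ldif)  # rejoin folded lines
    suffixes = set()
    for line in unfolded.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if attr.strip().lower() != "upnsuffixes":
            continue
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        suffixes.add(value.strip().lower())
    return suffixes


def upn_suffix_is_advertised(upn: str, realm: str, extra: Set[str]) -> bool:
    """True when 'user@suffix' uses the realm or an advertised uPNSuffixes value.

    Registering the suffix first is the convention discussed in the thread;
    this does not by itself prove that a logon with the name will succeed.
    """
    user, at, suffix = upn.rpartition("@")
    if not at or not user or not suffix:
        return False
    return suffix.lower() in {realm.lower()} | extra
```

Run it against the output of the real `ldbsearch` instead of `SAMPLE_LDIF`, then try `kinit user@suffix` on a domain member for each suffix it reports.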