* Question on Active Directory Authentication
@ 2014-07-04 12:54 Christian Lutz
From: Christian Lutz @ 2014-07-04 12:54 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hi everybody,

just one simple question regarding the authentication of users in the 
mount options: Is it possible to authenticate a user with his 
userPrincipalName attribute and a password or are there any more 
dependencies to get this to work (i.e. krb5 or other security options)?

Example: mount -t cifs //server/share /mnt -o username=my.upn.prefix@domain.name.tld,password=PASSWORD

The only working solution was with the default sAMAccountName Attribute.

Background:
We are building a new file service for Windows and Linux clients. The 
users are stored in Active Directory. The username (sAMAccountName) is a 
random string created by the server itself. The only login attribute the 
user knows is his UPN (which is also the mail address in our case).


Thanks in advance
Christian

-- 

Christian Lutz

Landeshauptstadt Muenchen
it@M - service provider for information and telecommunications technology
Business Unit Tools and Infrastructure
Service Unit Security and Network Infrastructure
Service Team ID Management
Component owner, Active Directory

Office: Herzog-Wilhelm-Straße 22, München
Postal address: Herzogspitalstr. 24, 80331 München

Phone: +49 89 233-25596
Fax: +49 89 233-98925596
E-mail: christian.lutz-EnyPcy3oyxIb1SvskN2V4Q@public.gmane.org

--------------------------------------------------------------------
Electronic communication with the Landeshauptstadt Muenchen - see:
http://www.muenchen.de/ekomm
--------------------------------------------------------------------


* Re: Question on Active Directory Authentication
@ 2014-07-08 11:04   ` Tobias Doerffel
From: Tobias Doerffel @ 2014-07-08 11:04 UTC (permalink / raw)
  To: Christian Lutz, linux-cifs@vger.kernel.org

Hi Christian,

you could indeed use krb5 authentication (and possibly in combination with the multiuser option) so you can build whatever mechanism you like for getting the required Kerberos ticket for the user. Once you have the ticket you should be able to access the shares independent of the account name specifications. You have to configure your AD server such that it provides credentials for the UPN. Advantage: you don't have to deal with possible limitations in the CIFS implementation on the client side.

Best regards

Tobias Doerffel



--
Dipl.-Inf. Tobias Doerffel

-----------------------------------------------
EDC Electronic Design Chemnitz GmbH
Technologie-Campus 4, 09126 Chemnitz

Managing directors: Dr.-Ing. Steffen Heinz
                    Dipl.-Ing. André Lange
Tel.:            +49 371 52 45 90
Fax:             +49 371 52 45 910
E-mail:          info-2LT3hlbiLj/X2ID+q72mRQ@public.gmane.org

Registered office: Chemnitz
Commercial register HRB 23986, Amtsgericht Chemnitz
VAT ID: DE258181725
-----------------------------------------------


* Re: Question on Active Directory Authentication
@ 2014-07-09 11:05       ` Christian Lutz
From: Christian Lutz @ 2014-07-09 11:05 UTC (permalink / raw)
  To: Tobias Doerffel,
	linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

Hi Tobias,

thanks for your answer.

Is this only possible with krb5 security or does any of the ntlm* 
security options support this method?

Regards
Christian


On 08.07.2014 13:04, Tobias Doerffel wrote:
> Hi Christian,
>
> you could indeed use krb5 authentication (and possibly in combination with the multiuser option) so you can build whatever mechanism you like for getting the required kerberos ticket for the user.  Once you have the ticket you should be able to access the shares independent of the account name specifications. You have to configure your AD server such that it provides credentials for the UPN. Advantage: you don't have to deal with possible limitations in the CIFS implementation on the client side.
>
> Best regards
>
> Tobias Doerffel
>


* Re: Question on Active Directory Authentication
@ 2014-07-09 11:13   ` Tobias Doerffel
From: Tobias Doerffel @ 2014-07-09 11:13 UTC (permalink / raw)
  To: Christian Lutz, linux-cifs@vger.kernel.org

Hi Christian,

I never used the NTLM security options but I would guess that they wouldn't work that way as they still require usernames and passwords. Krb5 is the only security method where you can use an existing credential information in form of a Kerberos ticket.

Best regards

Tobias Doerffel


--
Dipl.-Inf. Tobias Doerffel
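As an added example (not code from either poster), a small Python audit helper that applies the distinction drawn in Tobias' two replies: it parses a CIFS mount option string and reports whether the mount relies on a shared account password (NTLM-family sec= modes, where only the sAMAccountName worked in this thread) or on per-user Kerberos tickets (sec=krb5 together with multiuser), and it also flags a password= given on the command line. The option strings are constructed samples; treating any non-krb5 sec= as password-based is an assumption noted in the code.

```python
"""Audit helper: which authentication model does a CIFS mount rely on?
Added example for this thread, not code from either poster; inputs are
`mount -o` style option strings (constructed samples in the test)."""
from typing import Dict, List, Tuple

KERBEROS_SEC = {"krb5", "krb5i"}  # cifs.ko sec= values that use a ticket


def parse_cifs_opts(optstring: str) -> Dict[str, str]:
    """Split 'a=1,b,c=x' into {'a': '1', 'b': '', 'c': 'x'}.

    Bare flags such as `multiuser` map to an empty string.
    """
    opts: Dict[str, str] = {}
    for item in optstring.split(","):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            opts[key] = value
    return opts


def classify_cifs_auth(optstring: str) -> Tuple[str, List[str]]:
    """Return (mode, findings) for one mount option string.

    Modes:
      'krb5-multiuser'  each accessing user presents their own ticket
                        (the setup the thread recommends for UPN logins)
      'krb5'            one ticket, obtained by the mounter, serves everyone
      'password'        NTLM-family sec= (or none given): account name plus
                        password, where only sAMAccountName worked here
    Assumption: no sec=, or one outside KERBEROS_SEC, counts as password-based.
    """
    opts = parse_cifs_opts(optstring)
    findings: List[str] = []
    if opts.get("sec") in KERBEROS_SEC:
        if "multiuser" in opts:
            return "krb5-multiuser", findings
        findings.append("sec=krb5 without multiuser: every user shares the "
                        "mounter's ticket; add multiuser for per-user tickets")
        return "krb5", findings
    if "password" in opts:
        findings.append("password= on the mount command line is readable in "
                        "process listings; use credentials=FILE (mode 0600)")
    if "@" in opts.get("username", ""):
        findings.append("username looks like a UPN; with NTLM-family sec= "
                        "modes only the sAMAccountName authenticated")
    return "password", findings
```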



* Re: Question on Active Directory Authentication
@ 2014-07-16  7:43       ` Christian Lutz
From: Christian Lutz @ 2014-07-16  7:43 UTC (permalink / raw)
  To: Tobias Doerffel,
	linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

Hi Tobias,

this was the intention of my question because with other security 
options it didn't work but we were searching for a method to do so without 
Kerberos. In our deployment I would suggest to use Kerberos but it's not 
easy to deploy a working configuration to 15,000 Linux clients within 
days (which is the actual problem).

Thanks for your hints.

Regards
Christian


On 09.07.2014 13:13, Tobias Doerffel wrote:
> Hi Christian,
>
> I never used the NTLM security options but I would guess that they wouldn't work that way as they still require usernames and passwords. Krb5 is the only security method where you can use an existing credential information in form of a Kerberos ticket.
>
> Best regards
>
> Tobias Doerffel
>
>

