Linux CIFS filesystem development
From: Alexander Bokovoy <ab@samba.org>
To: Steve French <smfrench@gmail.com>
Cc: "Till Dörges" <doerges@pre-sense.de>,
	linux-cifs <linux-cifs@vger.kernel.org>,
	samba-technical <samba-technical@lists.samba.org>
Subject: Re: Using UPN with mount.cifs?
Date: Tue, 15 Jul 2025 08:59:36 +0300
Message-ID: <aHXuSKMsQsPWd5NC@toolbx>
In-Reply-To: <CAH2r5mtgWfxQtoy2gwnMiWM3HXno2icuWmiuhMJ64yTAi_jsyQ@mail.gmail.com>

On Mon, 14 Jul 2025, Steve French via samba-technical wrote:
> This is an interesting question.
> 
> mount.cifs will pass it (the UPN) down to cifs.ko so it will get sent
> on the wire, so behavior will vary by server.

Is this with GSSAPI krb5 or NTLMSSP?

For GSSAPI we either expect an already existing credential or initialize it
from a keytab. In the first case cifs.upcall is not doing anything to
enable an enterprise principal because it is not handling the initial ticket
acquisition. In the second case it doesn't do anything to mark the
client principal as an enterprise one.

The difference is by how that client principal is marked down in GSSAPI
negotiation. It needs two parts:

 - a client name should be an enterprise principal,
 - client code should make sure it sets a flag to accept rewrites of
   its own client principal name by the KDC in the returned ticket
   (principal canonicalization).

Neither is done by the cifs.upcall. More than that, for GSSAPI krb5 the
username passed to the cifs.upcall is pretty much ignored except for the
keytab initialization.

With NTLMSSP you don't really have 'enterprise principals', as it is up
to the SMB server to interpret the name you passed.

The client has nothing to indicate that. A server may consider
interpreting it as a local machine-provided one (username=testuser), or
consider mapping it into the local one even if it has the domain name
explicitly set (such as with the IAKERB case on a standalone Windows).

> 
> I tried it to current Samba (passing "username=testuser" and also
> "username=testuser@somedomain" and also for
> "username=testuser,domain=somedomain") and it worked fine for all
> three cases (with and without UPN, with and without "domain=").
> 
> Trying it to Windows though:
> 1) "username=testuser" worked
> 2) "username=testuser,domain=somedomain"  worked
> 3) "username=testuser@somedomain"  did not work to Windows server
> 
> So looks like the behavior varies by server, but safest way is to
> specify the UPN as "username=" and "domain=" rather than
> username=someuser@somedomain
> 
> On Mon, Jul 14, 2025 at 7:44 AM Till Dörges <doerges@pre-sense.de> wrote:
> >
> > Hello everyone,
> >
> >
> > I'm wondering whether it is possible to use User Principal Names (UPN) instead of
> > account names + workgroup/domain, when mounting a share with mount.cifs?
> >
> >
> > The man page for mount.cifs does not mention UPN. A quick grep through the latest
> > sources (cifs-utils-7.4) doesn't mention UPN either.
> >
> > Searching the ML in particular and the web in general came up empty, too.
> >
> >
> > So, is there a way to do it?
> >
> >
> > Thanks and regards -- Till
> >
> > --
> > Dipl.-Inform. Till Dörges                  doerges@pre-sense.de
> >
> >                                          www.pre-sense.de/fcknzs
> >
> > PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
> > Geschäftsführer/Managing Director        AG Hamburg, HRB 107844
> > Till Dörges                              USt-IdNr.: DE263765024
> >
> 
> 
> -- 
> Thanks,
> 
> Steve
> 

-- 
/ Alexander Bokovoy
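The two paths discussed in this message, as an added example (not code from cifs-utils, Samba or anyone in this thread). For NTLMSSP the client cannot mark a name as a UPN, so the script splits it into the username= and domain= pair that worked against Windows in Steve's test; for Kerberos it obtains the TGT itself, since cifs.upcall reuses an existing credential cache but does not request an enterprise principal or canonicalization. Assumptions: MIT Kerberos kinit (whose -E flag means "enterprise name" and -C "accept KDC canonicalization"; -E already implies -C in MIT, it is spelled out to mirror the two parts listed above; Heimdal spells them --enterprise and --canonicalize), and the real mount.cifs options sec=, cruid=, username= and domain=. The helper functions, their names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example: map a UPN such as testuser@somedomain onto mount.cifs
# options for either NTLMSSP or Kerberos. DRY_RUN=1 prints the commands
# that would run instead of executing them.

# Validate "user@realm": exactly one '@' with both sides non-empty.
upn_valid() {
    case "$1" in
        *@*@*|@*|*@|'') return 1 ;;   # two '@', empty user, empty realm, empty
        *@*) return 0 ;;
        *) return 1 ;;                 # no '@' at all: not a UPN
    esac
}

# NTLMSSP path: the client cannot flag a UPN on the wire, so hand the
# server the split form: "testuser@somedomain" -> "username=testuser,domain=somedomain"
upn_to_ntlm_opts() {
    upn=$1
    upn_valid "$upn" || return 1
    printf 'username=%s,domain=%s' "${upn%%@*}" "${upn#*@}"
}

# Kerberos path: the kinit invocation cifs.upcall will not do for you.
# -E: client name is an enterprise principal, -C: accept the KDC rewriting
# the client principal in the returned ticket (MIT kinit flags; assumption).
upn_to_kinit_cmd() {
    upn=$1
    upn_valid "$upn" || return 1
    printf 'kinit -E -C %s' "$upn"
}

# Build the mount.cifs -o string. With krb5, cruid= tells cifs.upcall which
# user's credential cache holds the ticket acquired above.
upn_to_mount_opts() {
    upn=$1 sec=$2 uid=${3:-$(id -u)}
    upn_valid "$upn" || return 1
    case "$sec" in
        krb5)    printf 'sec=krb5,cruid=%s' "$uid" ;;
        ntlmssp) printf 'sec=ntlmssp,%s' "$(upn_to_ntlm_opts "$upn")" ;;
        *)       return 1 ;;
    esac
}

# Execute, or just print when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# usage: mount_with_upn UPN //server/share /mnt {krb5|ntlmssp}
mount_with_upn() {
    upn=$1 share=$2 mnt=$3 sec=$4
    opts=$(upn_to_mount_opts "$upn" "$sec") || {
        echo "bad UPN or sec: '$upn' '$sec'" >&2; return 1; }
    if [ "$sec" = krb5 ]; then
        # Get the TGT as an enterprise principal before the mount triggers cifs.upcall.
        run kinit -E -C "$upn" || return 1
    fi
    run mount.cifs "$share" "$mnt" -o "$opts"
}

# Only act when invoked as a script with the four arguments.
if [ "$#" -eq 4 ]; then mount_with_upn "$@"; fi
```

Run it as `DRY_RUN=1 sh mount_with_upn.sh testuser@somedomain //server/share /mnt krb5` to see the kinit and mount.cifs commands before letting it touch a real server; for a Windows target that does not accept the bare UPN over NTLMSSP, the ntlmssp mode reproduces the username=/domain= split that worked in the thread.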

Thread overview:
2025-07-14 12:43 Using UPN with mount.cifs? Till Dörges
2025-07-14 17:23 ` Steve French
2025-07-15  5:59   ` Alexander Bokovoy [this message]
2025-07-16  6:45     ` Till Dörges
     [not found]       ` <CAH2r5mvSEv1RGyjpsPg9s8auS5hb9sF4xVNUsetKf1ZkEXJnfA@mail.gmail.com>
2025-07-17  8:15         ` Till Dörges
