Using UPN with mount.cifs?

Using UPN with mount.cifs?

[Till Dörges]

Hello everyone,


I'm wondering whether it is possible to use User Principal Names (UPN) instead of 
accountnames + workgroup/domain, when mounting a share with mount.cifs?


The man page for mount.cifs does not mention UPN. A quick grep through the latest 
sources (cifs-utils-7.4) doesn't mention UPN either.

Searching the ML in particular and the web in general came up emtpy, too.


So, is there a way to do it?


Thanks and regards -- Till

-- 
Dipl.-Inform. Till Dörges                  doerges@pre-sense.de

                                         www.pre-sense.de/fcknzs

PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Director        AG Hamburg, HRB 107844
Till Dörges                              USt-IdNr.: DE263765024

Re: Using UPN with mount.cifs?

[Steve French]

This is an interesting question.

mount.cifs will pass it (the UPN) down to cifs.ko so it will get sent
on the wire, so behavior will vary by server.

I tried it to current Samba (passing "username=testuser" and also
"username=testuser@somedomain" and also for
"username=testuser,domain=somedomain") and it worked fine for all
three cases (with and without UPN, with and without "domain=").

Trying it to Windows though:
1) "username=testuser" worked
2) "username=testuser,domain=somedomain"  worked
3) "username=testuser@somedomain"  did not work to Windows server

So looks like the behavior varies by server, but safest way is to
specify the UPN as "username=" and "domain=" rather than
username=someuser@somedomain

On Mon, Jul 14, 2025 at 7:44 AM Till Dörges <doerges@pre-sense.de> wrote:
>
> Hello everyone,
>
>
> I'm wondering whether it is possible to use User Principal Names (UPN) instead of
> accountnames + workgroup/domain, when mounting a share with mount.cifs?
>
>
> The man page for mount.cifs does not mention UPN. A quick grep through the latest
> sources (cifs-utils-7.4) doesn't mention UPN either.
>
> Searching the ML in particular and the web in general came up emtpy, too.
>
>
> So, is there a way to do it?
>
>
> Thanks and regards -- Till
>
> --
> Dipl.-Inform. Till Dörges                  doerges@pre-sense.de
>
>                                          www.pre-sense.de/fcknzs
>
> PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
> Geschäftsführer/Managing Director        AG Hamburg, HRB 107844
> Till Dörges                              USt-IdNr.: DE263765024
>


-- 
Thanks,

Steve

Re: Using UPN with mount.cifs?

[Alexander Bokovoy]

On Пан, 14 ліп 2025, Steve French via samba-technical wrote:
> This is an interesting question.
> 
> mount.cifs will pass it (the UPN) down to cifs.ko so it will get sent
> on the wire, so behavior will vary by server.

Is this with GSSAPI krb5 or NTLMSSP?

For GSSAPI we either expect already existing credential or initialize it
from a keytab. In the first case cifs.upcall is not doing anything to
enable enteprise principal because it is not handling the initial ticket
acquisition. In the second case it doesn't do anything to mark the
client principal as an enteprise one.

The difference is by how that client principal is marked down in GSSAPI
negotiation. It needs two parts:

 - a client name should be an enterprise principal,
 - client code should make sure it sets a flag to accept rewrites of
   its own client principal name by the KDC in the returned ticket
   (principal canonicalization).

Neither is done by the cifs.upcall. More to that, for GSSAPI krb5 the
username passed to the cifs.upcall is pretty much ignored except for the
keytab initialization.

With NTLMSSP you don't really have 'enterprise principals', as it is up
to the SMB server to interpret the name you passed.

The client has nothing to indicate that. A server may consider
interpreting it as a local machine-provided one (username=testuser), or
consider to map it into the local one even if it has domain name
explicitly set (such as with IAKERB case on a standalone Windows).

> 
> I tried it to current Samba (passing "username=testuser" and also
> "username=testuser@somedomain" and also for
> "username=testuser,domain=somedomain") and it worked fine for all
> three cases (with and without UPN, with and without "domain=").
> 
> Trying it to Windows though:
> 1) "username=testuser" worked
> 2) "username=testuser,domain=somedomain"  worked
> 3) "username=testuser@somedomain"  did not work to Windows server
> 
> So looks like the behavior varies by server, but safest way is to
> specify the UPN as "username=" and "domain=" rather than
> username=someuser@somedomain
> 
> On Mon, Jul 14, 2025 at 7:44 AM Till Dörges <doerges@pre-sense.de> wrote:
> >
> > Hello everyone,
> >
> >
> > I'm wondering whether it is possible to use User Principal Names (UPN) instead of
> > accountnames + workgroup/domain, when mounting a share with mount.cifs?
> >
> >
> > The man page for mount.cifs does not mention UPN. A quick grep through the latest
> > sources (cifs-utils-7.4) doesn't mention UPN either.
> >
> > Searching the ML in particular and the web in general came up emtpy, too.
> >
> >
> > So, is there a way to do it?
> >
> >
> > Thanks and regards -- Till
> >
> > --
> > Dipl.-Inform. Till Dörges                  doerges@pre-sense.de
> >
> >                                          www.pre-sense.de/fcknzs
> >
> > PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
> > Geschäftsführer/Managing Director        AG Hamburg, HRB 107844
> > Till Dörges                              USt-IdNr.: DE263765024
> >
> 
> 
> -- 
> Thanks,
> 
> Steve
> 

-- 
/ Alexander Bokovoy

Re: Using UPN with mount.cifs?

[Till Dörges]

Hello,

thanks for your answers.

In our setup we use NTLMSSP and a NetApp.

If I understand you correctly, mount.cifs basically cannot use the UPN to 
authenticate - or at least not reliably.

Simply splitting up the UPN (<user>@<domain>) for mount.cifs doesn't work either, 
because the SAM account name has a different domain and also a different username scheme.

Is there a canonical way (with Linux) to map a given UPN to its SAM account name?

Thanks -- Till


On 15.07.25 07:59, Alexander Bokovoy wrote:
> On Пан, 14 ліп 2025, Steve French via samba-technical wrote:
>> This is an interesting question.
>>
>> mount.cifs will pass it (the UPN) down to cifs.ko so it will get sent
>> on the wire, so behavior will vary by server.
> 
> Is this with GSSAPI krb5 or NTLMSSP?
> 
> For GSSAPI we either expect already existing credential or initialize it
> from a keytab. In the first case cifs.upcall is not doing anything to
> enable enteprise principal because it is not handling the initial ticket
> acquisition. In the second case it doesn't do anything to mark the
> client principal as an enteprise one.
> 
> The difference is by how that client principal is marked down in GSSAPI
> negotiation. It needs two parts:
> 
>   - a client name should be an enterprise principal,
>   - client code should make sure it sets a flag to accept rewrites of
>     its own client principal name by the KDC in the returned ticket
>     (principal canonicalization).
> 
> Neither is done by the cifs.upcall. More to that, for GSSAPI krb5 the
> username passed to the cifs.upcall is pretty much ignored except for the
> keytab initialization.
> 
> With NTLMSSP you don't really have 'enterprise principals', as it is up
> to the SMB server to interpret the name you passed.
> 
> The client has nothing to indicate that. A server may consider
> interpreting it as a local machine-provided one (username=testuser), or
> consider to map it into the local one even if it has domain name
> explicitly set (such as with IAKERB case on a standalone Windows).
> 
>>
>> I tried it to current Samba (passing "username=testuser" and also
>> "username=testuser@somedomain" and also for
>> "username=testuser,domain=somedomain") and it worked fine for all
>> three cases (with and without UPN, with and without "domain=").
>>
>> Trying it to Windows though:
>> 1) "username=testuser" worked
>> 2) "username=testuser,domain=somedomain"  worked
>> 3) "username=testuser@somedomain"  did not work to Windows server
>>
>> So looks like the behavior varies by server, but safest way is to
>> specify the UPN as "username=" and "domain=" rather than
>> username=someuser@somedomain
>>
>> On Mon, Jul 14, 2025 at 7:44 AM Till Dörges <doerges@pre-sense.de> wrote:
>>>
>>> Hello everyone,
>>>
>>>
>>> I'm wondering whether it is possible to use User Principal Names (UPN) instead of
>>> accountnames + workgroup/domain, when mounting a share with mount.cifs?
>>>
>>>
>>> The man page for mount.cifs does not mention UPN. A quick grep through the latest
>>> sources (cifs-utils-7.4) doesn't mention UPN either.
>>>
>>> Searching the ML in particular and the web in general came up emtpy, too.
>>>
>>>
>>> So, is there a way to do it?
>>>
>>>
>>> Thanks and regards -- Till
>>>
>>> --
>>>                                           www.pre-sense.de/fcknzs
>>>
>>> PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
>>> Geschäftsführer/Managing Director        AG Hamburg, HRB 107844
>>> Till Dörges                              USt-IdNr.: DE263765024
>>>
>>
>>
>> -- 
>> Thanks,
>>
>> Steve
>>
> 
-- 
                                         www.pre-sense.de/fcknzs

PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Director        AG Hamburg, HRB 107844
Till Dörges                              USt-IdNr.: DE263765024

Re: Using UPN with mount.cifs?

[Till Dörges]

On 16.07.25 19:28, Steve French wrote:

> but obviously it is better to resolve the upn to the correct domain and pass in the 
> domain

Which brings me back to the question, how to do this resolving under Linux? ;-)

Thanks and regards -- Till
-- 
                                         www.pre-sense.de/fcknzs

PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Director        AG Hamburg, HRB 107844
Till Dörges                              USt-IdNr.: DE263765024