Discussion:
Question on Active Directory Authentication
Christian Lutz
2014-07-04 12:54:05 UTC
Hi everybody,

just one simple question regarding the authentication of users in the mount options: Is it possible to authenticate a user with his userPrincipalName attribute and a password, or are there any more dependencies to get this to work (i.e. krb5 or other security options)?

Example: mount -t cifs //server/share /mnt -o username=my.upn.prefix-***@public.gmane.org,password=PASSWORD

The only working solution was with the default sAMAccountName attribute.

Background:
We are building a new file service for Windows and Linux clients. The users are stored in Active Directory. The username (sAMAccountName) is a random string created by the server itself. The only login attribute the user knows is his UPN (which is also the mail address in our case).


Thanks in advance
Christian

--

Christian Lutz

Landeshauptstadt Muenchen
***@M - service provider for information and telecommunications technology
Business Unit Tools and Infrastructure
Service Area Security and Network Infrastructure
Service Team ID Management
Component Owner Active Directory

Office: Herzog-Wilhelm-Straße 22, München
Postal address: Herzogspitalstr. 24, 80331 München

Phone: +49 89 233-25596
Fax: +49 89 233-98925596
E-Mail: christian.lutz-***@public.gmane.org

--------------------------------------------------------------------
Electronic communication with the Landeshauptstadt Muenchen - see:
http://www.muenchen.de/ekomm
--------------------------------------------------------------------
Tobias Doerffel
2014-07-08 11:04:42 UTC
Hi Christian,

you could indeed use krb5 authentication (and possibly in combination with the multiuser option) so you can build whatever mechanism you like for getting the required Kerberos ticket for the user. Once you have the ticket you should be able to access the shares independent of the account name specifications. You have to configure your AD server such that it provides credentials for the UPN. Advantage: you don't have to deal with possible limitations in the CIFS implementation on the client side.

Best regards

Tobias Doerffel





--
Dipl.-Inf. Tobias Doerffel

-----------------------------------------------
EDC Electronic Design Chemnitz GmbH
Technologie-Campus 4, 09126 Chemnitz

Managing directors: Dr.-Ing. Steffen Heinz
Dipl.-Ing. André Lange
Tel.: +49 371 52 45 90
Fax: +49 371 52 45 910
E-Mail: info-2LT3hlbiLj/X2ID+***@public.gmane.org

Registered office: Chemnitz
Commercial register HRB 23986, Amtsgericht Chemnitz
VAT ID: DE258181725
-----------------------------------------------
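Putting Tobias's suggestion into a script, as an added example that is not from the thread and not cifs-utils' own code: a Kerberos ticket is obtained for the UPN and the share is mounted with sec=krb5 and multiuser, so the user's password never appears on the mount command line, in shell history or in the process list. It assumes an MIT krb5 client (for kinit -E), cifs-utils with cifs.upcall configured for the krb5 upcall, and placeholder values for share, mount point and UPN.

```shell
#!/bin/sh
# Added example, not code from the thread: the Kerberos-backed mount Tobias
# describes (sec=krb5 with multiuser), so no password is ever part of the
# mount command line, shell history or process list.
# Assumptions: MIT krb5 client (kinit -E exists), cifs-utils with cifs.upcall
# configured for the krb5 upcall; share, mount point and UPN are placeholders.

# Mount options for a ticket-based, per-user CIFS mount.
# $1 = uid whose credential cache mount.cifs should look up (cruid)
krb5_mount_opts() {
    printf 'sec=krb5,multiuser,cruid=%s' "$1"
}

# Pre-flight check: return 0 (true) if an option string carries a plaintext
# password, i.e. the secret would be visible to every local user via ps.
opts_leak_password() {
    case ",$1," in
        *,password=*|*,pass=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Obtain a ticket for the UPN, then mount the share with it.
# $1 = UPN (e.g. first.last@domain.name.tld)  $2 = //server/share  $3 = mount point
mount_with_upn_ticket() {
    upn="$1"; share="$2"; mnt="$3"
    opts=$(krb5_mount_opts "$(id -u)")
    if opts_leak_password "$opts"; then
        echo "refusing to mount: plaintext password in options" >&2
        return 1
    fi
    # -E treats the UPN as an enterprise principal, so the AD KDC resolves it
    # even when the UPN suffix differs from the Kerberos realm name.
    kinit -E "$upn" || return 1
    mount -t cifs "$share" "$mnt" -o "$opts"
}
```

With multiuser, cruid only tells the kernel which credential cache to use for the initial mount; later accesses by other users are authenticated with their own ticket caches.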
Christian Lutz
2014-07-09 11:05:59 UTC
Hi Tobias,

thanks for your answer.

Is this only possible with krb5 security, or do any of the ntlm* security options support this method?

Regards
Christian
Tobias Doerffel
2014-07-09 11:13:56 UTC
Hi Christian,

I never used the NTLM security options, but I would guess that they wouldn't work that way as they still require usernames and passwords. Krb5 is the only security method where you can use existing credential information in the form of a Kerberos ticket.

Best regards

Tobias Doerffel


Christian Lutz
2014-07-16 07:43:26 UTC
Hi Tobias,

this was the intention of my question, because with other security options it didn't work, but we were searching for a method to do so without Kerberos. In our deployment I would suggest using Kerberos, but it's not easy to deploy a working configuration to 15.000 Linux clients within days (which is the actual problem).

Thanks for your hints.

Regards
Christian