Bug 8078 - support for UPN names in lookup_name to reduce bogous passdb backend lookups
support for UPN names in lookup_name to reduce bogous passdb backend lookups
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: User & Group Accounts
All All
: P5 enhancement
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2011-04-12 10:30 UTC by Arvid Requate
Modified: 2011-04-12 10:41 UTC (History)
1 user (show)

See Also:

log.smbd at log level 10 (580.73 KB, text/plain)
2011-04-12 10:30 UTC, Arvid Requate
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate 2011-04-12 10:30:54 UTC
Created attachment 6400 [details]
log.smbd at log level 10

A customer reported an increased load on the LDAP passdb backend which seems to be triggered by Windows XPSP3 clients trying to authenticate by UPN. While it remains unclear which client component causes these authentication attempts by UPN, the customer provided patch seems reasonably non-invasive to propose upstream merge.

The resulting failure of lsa_LookupNames2 to resolve the username by UPN causes samba to try different interpretations of the UPN (see attached smbd log), e.g. to resolve the UPN as trusted domain (ldapsam_get_trusteddom_pw). The customer provided a patch for passdb/lookup_sid.c:(lookup_name) resolving UPN to domain\username, which fixes the lookup and reduced the load on the LDAP passdb backend considerably.

The customer setup is a standard Univention Corporate Server 2.4-0 configuration, i.e. security = domain with openldap 2.4.23 passdb backend. smb.conf can be supplied if needed.
Comment 1 Arvid Requate 2011-04-12 10:33:30 UTC
Patch: https://forge.univention.org/bugzilla/attachment.cgi?id=3157