The Samba-Bugzilla – Bug 8078
support for UPN names in lookup_name to reduce bogus passdb backend lookups
Last modified: 2011-04-12 10:41:09 UTC
Created attachment 6400
log.smbd at log level 10
A customer reported an increased load on the LDAP passdb backend which seems to be triggered by Windows XP SP3 clients trying to authenticate by UPN. While it remains unclear which client component causes these authentication attempts by UPN, the customer-provided patch seems reasonably non-invasive to propose for upstream merge.
The resulting failure of lsa_LookupNames2 to resolve the username by UPN causes Samba to try different interpretations of the UPN (see attached smbd log), e.g. to resolve the UPN as a trusted domain (ldapsam_get_trusteddom_pw). The customer provided a patch for passdb/lookup_sid.c:(lookup_name) resolving UPN to domain\username, which fixes the lookup and reduced the load on the LDAP passdb backend considerably.
The customer setup is a standard Univention Corporate Server 2.4-0 configuration, i.e. security = domain with OpenLDAP 2.4.23 passdb backend. smb.conf can be supplied if needed.
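An added illustration of the UPN to domain\username rewrite described in the report above; it is not the customer's patch and not Samba code. The helper name, the single realm-to-domain mapping and the sample names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not Samba's lookup_name(): rewrite "user@REALM" as
 * "DOMAIN\user" when REALM is the local realm, so the name can be resolved
 * directly rather than retried under other interpretations.
 * Returns 1 if rewritten, 0 if the input is not a UPN for our realm
 * (copied unchanged), -1 if the result does not fit in out. */
static int upn_to_domain_user(const char *name, const char *realm,
                              const char *domain, char *out, size_t outlen)
{
    const char *at = strrchr(name, '@');
    int n;

    /* Already qualified (DOMAIN\user), no '@', an empty user or realm part,
     * or a foreign realm: leave the name for the normal lookup path. */
    if (strchr(name, '\\') != NULL || at == NULL || at == name ||
        at[1] == '\0' || strcasecmp(at + 1, realm) != 0) {
        n = snprintf(out, outlen, "%s", name);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    n = snprintf(out, outlen, "%s\\%.*s", domain, (int)(at - name), name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
}

int main(void)
{
    /* Constructed sample names; realm and domain are placeholders. */
    const char *samples[] = { "alice@example.test", "EXAMPLE\\alice",
                              "alice", "bob@other.test", "@example.test" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = upn_to_domain_user(samples[i], "EXAMPLE.TEST", "EXAMPLE",
                                    buf, sizeof(buf));
        printf("%-20s -> %-16s (rc=%d)\n", samples[i], buf, rc);
    }
    return 0;
}
```

Names with a foreign realm are passed through unchanged, so only UPNs for the local realm skip the fallback interpretations.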