#3925 Can't login with UPN if SAM names overlap
Closed: wontfix 4 years ago by pbrezina. Opened 5 years ago by lonevvolf.

I am currently experiencing an issue authenticating against an AD with the following user configuration (actual names changed, of course):
User1:
User logon name:
Firstname.Lastname@mydomain.onmicrosoft.com
User logon name (pre-Windows 2000):
MYDOMAIN\Firstname.Lastname (XX849239)

User2:
User logon name:
Firstname.Lastname@otherdomain.com
User logon name (pre-Windows 2000):
MYDOMAIN\Firstname.Lastname

Where the Firstname.Lastname are the same for both, and MYDOMAIN is the same for both.
I would like to login with User1 (Firstname.Lastname@mydomain.onmicrosoft.com).

When logging in to Windows with the UPN (Firstname.Lastname@mydomain.onmicrosoft.com), it works as expected. When logging into Red Hat, however, I have to use the SAM name (Firstname.Lastname (XX849239)) prefixed on the domain name (@mydomain.onmicrosoft.com), as follows:
Firstname.Lastname (XX849239)@mydomain.onmicrosoft.com
otherwise, it fails on the password check.

Is this a bug, or is there a way to configure the service to login correctly using the UPN?


Hi,

I'm afraid this is currently expected behavior.

When trying to figure out where and how to look up a user with a given user name, SSSD first splits the name into its user name and domain name components, so 'Firstname.Lastname' and 'mydomain.onmicrosoft.com'. With the AD provider it will then look up the user with the sAMAccountName 'Firstname.Lastname' in the domain 'mydomain.onmicrosoft.com', which is User2 in your example.

Only if no user was found this way will SSSD take the full input 'Firstname.Lastname@mydomain.onmicrosoft.com' and try to find the name in the userPrincipalName attribute.

We took this order to make sure that the fully-qualified user name, which is e.g. returned by the id command if SSSD is configured to return fully-qualified names, can be used to log in this user. And the fully-qualified name is by default 'sAMAccountName@AD.domain.name'.

bye,
Sumit
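As an added illustration of the lookup order described in this reply (this is not SSSD's own code), the following Python models the two-step resolution over a constructed directory that mirrors the ticket's two users. The `domain` field on each record and the case-insensitive matching are assumptions made for the illustration; the point it shows is that a UPN-only login for User1 never reaches the UPN step, because User2 already owns the bare sAMAccountName in that domain.

```python
# Added illustration of the SSSD AD-provider lookup order described above.
# Not SSSD code: a small model of "sAMAccountName in domain first, UPN second".
from typing import Optional, Tuple

# Constructed sample directory mirroring the ticket's two users.
# 'domain' is an assumed field standing in for the AD domain each record lives in.
DIRECTORY = [
    {"dn": "User1", "domain": "mydomain.onmicrosoft.com",
     "sAMAccountName": "Firstname.Lastname (XX849239)",
     "userPrincipalName": "Firstname.Lastname@mydomain.onmicrosoft.com"},
    {"dn": "User2", "domain": "mydomain.onmicrosoft.com",
     "sAMAccountName": "Firstname.Lastname",
     "userPrincipalName": "Firstname.Lastname@otherdomain.com"},
]


def split_name(login: str) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' at the last '@'; a name without '@' has no domain."""
    if "@" not in login:
        return login, None
    user, _, domain = login.rpartition("@")
    return user, domain


def lookup_by_sam(user: str, domain: str) -> Optional[dict]:
    """Step 1: match sAMAccountName within the named domain (case-insensitive, assumed)."""
    for rec in DIRECTORY:
        if (rec["domain"].lower() == domain.lower()
                and rec["sAMAccountName"].lower() == user.lower()):
            return rec
    return None


def lookup_by_upn(login: str) -> Optional[dict]:
    """Step 2: match the whole input against userPrincipalName (case-insensitive, assumed)."""
    for rec in DIRECTORY:
        if rec["userPrincipalName"].lower() == login.lower():
            return rec
    return None


def resolve(login: str) -> Optional[str]:
    """Return the dn of the record SSSD would pick for this login, or None."""
    user, domain = split_name(login)
    # Step 1: sAMAccountName lookup in the domain component of the input.
    if domain is not None:
        hit = lookup_by_sam(user, domain)
        if hit is not None:
            return hit["dn"]
    # Step 2: only when step 1 found nobody, try the full input as a UPN.
    hit = lookup_by_upn(login)
    return hit["dn"] if hit is not None else None


if __name__ == "__main__":
    for login in ("Firstname.Lastname@mydomain.onmicrosoft.com",
                  "Firstname.Lastname (XX849239)@mydomain.onmicrosoft.com",
                  "Firstname.Lastname@otherdomain.com"):
        print(f"{login!r:65} -> {resolve(login)}")
```

Running it shows the collision from the ticket: the UPN of User1 resolves to User2 at step 1, so the password check then runs against the wrong account, while the sAMAccountName-qualified form resolves to User1. User2's own UPN (`@otherdomain.com`) only resolves because step 1 finds no such sAMAccountName in `otherdomain.com` and control falls through to the UPN step.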

That's unfortunate, especially since the expected function (at least for me) is similar functionality to that of the Windows login. Thanks for the reply, in any case.

Metadata Update from @pbrezina:
- Issue tagged with: Canditate to close

4 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD, you can request reconsideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4910

If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
