Usernames with spaces unable to login to Ubuntu machine joined to Windows AD domain

Researcher007

New Member
Joined
Jun 23, 2022
Messages
4
Reaction score
0
Credits
55
We are having an Ubuntu 20.04 LTS (server) machine which has been connected to the Windows AD domain. The machine is able to fetch the list of all users in the AD domain using 'getent passwd' command, and our hosts file is configured as below:

127.0.0.1 localhost
127.0.0.1 OurDomainName
(our Domain controller address) OurDomainName.in

However, the users having a space in their Windows Account usernames (for example, 'Charles B') are not able to login to the Ubuntu machine, even after modifying the NAME_REGEX to allow 'bad usernames'. There is no issue for the users who do not have space in the usernames and they are able to login normally. We are getting an impression that even after adding the Ubuntu machine to a Windows domain, the Linux policy is somehow overriding the Windows domain policy that has no problems with spaces in usernames.

We have tried enclosing the usernames in double quotes("), single quotes, adding escape sequence instead of space but did not work. Also tried using 'DOMAIN\Firstname Lastname' and "DOMAIN\Firstname Lastname" also but did not work.

Is there any way users with space in their Windows usernames can login to an Ubuntu machine joined to a Windows AD domain? We would like to know whether this is a general Linux built-in setting/behaviour.

Our configuration is as below:
Netplan: (DC address) along with Google DNS
AD: Kerberos Authentication enabled.
We have setup auto-home directory creation for new users in Ubuntu machine.
Our LDAP config is as below:
{BASE dc=(our DC name),dc=in
URI ldap=//(DC IP address)}
Windows AD server: we have enabled the setting 'Trust the computer for delegation in any service.

EDIT 23.6.22:
We also tried escaping the spaces like 'DOMAIN\Firstname/ Lastname' and "DOMAIN\Firstname/ Lastname" but did not work.

EDIT 29.6.22:
We have modified our smb.conf to include the following:
idmap config OURDOMAIN : backend = ad
idmap config OURDOMAIN : schema_mode = rfc2307
idmap config OURDOMAIN : range = 10000-999999
idmap config OURDOMAIN : unix_nss_info = yes

winbind use default domain = true
winbind nss info = rfc2307
 
Last edited:


I have never in my life even with Windows domains seen a username with a space in it, it's generally not a good idea to use spaces in usernames because of the following reasons and because os's other than Windows generally have a different idea about spaces.
You could try doing the following.
1. Add the following to /etc/sssd/sssd.conf under [sssd] , so that it looks like this.
Code:
[sssd] services = nss, pam, ifp, ssh, sudo
override_space = _
2. Clear the sss cache and restart sssd
Code:
rm -rf /var/lib/sss/db/*
systemctl restart sssd
The end result would look like this.
Code:
[root@lab-idm1 ~]# id "John [email protected]"
uid=830802112([email protected]) gid=830802112([email protected]) groups=830802112([email protected]),830800513([email protected])
However I tested on an IDM server with a trust to an AD so not the exact same situation but there it does seem to recognize usernames with spaces in the AD.
Code:
[root@lab-idm1 ~]# id "John [email protected]"
uid=830802102(john [email protected]) gid=830802102(john [email protected]) groups=830802102(john [email protected]),830800513(domain [email protected])
So if adding the changes the sssd configuration doesn't work for you, the other option would be to setup idm and have the idm server create a trust with the AD server. IDM is based of the opensource project freeipa so you would have to install that when using Ubuntu.
Also it's not helpful to ask the same question on different websites.
 
Last edited:
Also it's not helpful to ask the same question on different websites.

Nice catch.

The OP could do well to close the thread at serverfault.com if he has no further use for it.

Wizard
 
usernames because of the following reasons and because os's other than Windows generally have a different idea abou
We have deleted the question posted in serverfault & askubuntu forums as you have suggested.

We shall try the steps mentioned in your answer and get back with an update.

EDIT:

We are trying using both SSH and GUI login methods and it is failing.
In our case, using the id command works and recognizes the AD account, but the issue we are having is with logging in , for example, with 'su' command.

The sample output in our machine is as follows:

machine@LINUX:~$ id "firstname lastname"
uid=10001(firstname lastname) gid=10002(example) groups=10003(example)
machine@LINUX:~$ su "firstname lastname"
Password:

<here it accepts the correct password but doesn't login. username still shows as machine. The same issue if we use it with domain, ex: su "DOMAIN\firstname lastname". If we use incorrect password, it says authentication failure, which means it recognizes but doesn't allow to login.>
 
Last edited:
I misunderstood you then, I came across something that I forgot.
The schema extensions outlined in RFC 2307 define a method for exchanging UNIX ID
attributes using LDAP. These extensions are required to allow Red Hat Enterprise Linux 6
systems to integrate with Active Directory domains using LDAP
Meaning if you did a realm join you are going to have to fill out RFC 2307 attributes(uid, gid, shell, homedir,etc.) for the users who need to log into a Linux system. From your original post I got the impression you did a realm join, so I would look into that?
 
Last edited:
I misunderstood you then, I came across something that I forgot.

Meaning if you did a realm join you are going to have to fill out RFC 2307 attributes(uid, gid, shell, homedir,etc.) for the users who need to log into a Linux system. From your original post I got the impression you did a realm join, so I would look into that?
Thanks for your response, we shall check on filling the attributes you suggested and come back with an update. We have done a realm join to our AD domain.
 
We have tried to check and fill the RFC2307 attributes, but we are not sure where to get the uid, gid, shell, homedir,etc values from. For example, if the 'id' command for a username gives us the values, then filling the user's AD attributes with the same values does not seem to work. (We have referred these articles for ideas).

Please check the edited 'smb.conf' file changes in the question above and suggest the method to get the RFC2307 values.
 


Latest posts

Top