Mapping workstation\user to domain\user incorrectly?

Steven Danneman steven.danneman at
Fri Sep 21 00:25:47 GMT 2007

Hello All,

I'm having an authentication problem in Samba 3.0.24 and have some
questions about an implementation decision.

Let me first explain my setup.  I have a Win2K3 domain 2K3D, a Samba
server acting as a domain member, and a Win2K3 client in its own

W2K3Client ----> Samba Domain Member ----> Win2K3 DC

There exists a domain user "testuser" and on the client machine there
exists a local user with the same name.

On the W2K3Client I am logged in as the local user W2K3Client\testuser
and I attempt to access a share on the Samba server using Windows
Explorer and the UNC path \\SambaDM\share.

Now I expect my default W2K3Client\testuser credentials to be used, fail
against the Samba server because W2K3Client is not recognized as a
trusted domain, and then be prompted for proper credentials by Windows

What actually happens is Samba realizes it can't recognize the
W2K3Client domain, changes the domain to that which it's a member of,
2K3D, then attempts to authenticate against the DC, but fails because
the password is incorrect.  Furthermore, the domain has a lockout
password policy after 5 bad attempts, which is met in a single UNC
access attempt.

I've traced this behavior to auth/auth.c:make_user_info_map() which
purposefully converts the domain with the comment:

/* do what win2k does.  Always map unknown domains to our own
   and let the "passdb backend" handle unknown users. */

I've attempted to recreate this myself using a Win2K server in place of
Samba with the same domain and client, but in those cases Win2K does not
change the given domain, but instead realizes that W2K3Client is not a
trusted domain and returns STATUS_TRUSTED_RELATIONSHIP_FAILURE. 

Does anyone know/remember the configuration where a Win2K file server
will act this way?  For the moment this seems like incorrect behavior to
me because of the local user/domain user conflict demonstrated.


Steven Danneman |  Software Developer
Isilon Systems    P +1-206-315-7500    F +1-206-315-7485    

How breakthroughs begin.(tm)
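
An added illustration, not part of the original message and not Samba's code: a simplified C model of the two behaviours the post compares, mapping an unknown domain to the server's own versus rejecting it, and the effect of each on the domain account's bad-password count. The function names, the passwords and the number of attempts replayed are assumptions; the domain, user and lockout threshold are taken from the post.

```c
#include <stdio.h>
#include <string.h>

#define OUR_DOMAIN "2K3D"      /* domain the member server joined (from the post) */
#define LOCKOUT_THRESHOLD 5    /* bad attempts before lockout (from the post) */

enum policy { MAP_UNKNOWN_TO_OWN, REJECT_UNKNOWN };
enum result { AUTH_OK, AUTH_WRONG_PASSWORD, AUTH_NO_SUCH_USER,
              AUTH_UNTRUSTED_DOMAIN, AUTH_LOCKED_OUT };

/* Constructed stand-in for the DC's record of one domain account. */
struct dc_account { const char *domain, *user, *password; int bad_count; };

/* One logon attempt as handled by the member server (hypothetical model). */
enum result authenticate(enum policy p, struct dc_account *acct,
                         const char *domain, const char *user, const char *pw)
{
    if (strcmp(domain, OUR_DOMAIN) != 0) {
        if (p == REJECT_UNKNOWN)
            return AUTH_UNTRUSTED_DOMAIN;  /* the DC never sees this attempt */
        domain = OUR_DOMAIN;               /* the remapping the post describes */
    }
    if (strcmp(domain, acct->domain) != 0 || strcmp(user, acct->user) != 0)
        return AUTH_NO_SUCH_USER;
    if (acct->bad_count >= LOCKOUT_THRESHOLD)
        return AUTH_LOCKED_OUT;
    if (strcmp(pw, acct->password) != 0) {
        acct->bad_count++;                 /* counts against the domain account */
        return AUTH_WRONG_PASSWORD;
    }
    acct->bad_count = 0;
    return AUTH_OK;
}

/* Replay n attempts with the local W2K3Client\testuser credentials and
   return the bad-password count left on the domain account. */
int replay_attempts(enum policy p, int n)
{
    struct dc_account acct = { OUR_DOMAIN, "testuser", "domain-secret", 0 };
    for (int i = 0; i < n; i++)
        authenticate(p, &acct, "W2K3Client", "testuser", "local-secret");
    return acct.bad_count;
}

int main(void)
{
    printf("map unknown to own: %d bad attempts\n", replay_attempts(MAP_UNKNOWN_TO_OWN, 5));
    printf("reject unknown:     %d bad attempts\n", replay_attempts(REJECT_UNKNOWN, 5));
    return 0;
}
```

With the mapping policy the local user's attempts are charged to 2K3D\testuser until the threshold is reached; with the reject policy the domain account's counter is never touched.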
