Samba: map untrusted to domain

Steven Danneman steven.danneman at isilon.com
Mon Jan 4 11:07:23 MST 2010


Hello Tom,

The necessity of the "map untrusted to domain" parameter is mentioned in the 3.4.0 release notes, though I admit unless you were looking at this specific release this information would be hard to find:

Authentication Changes
======================

Previously, when Samba was a domain member and a client was connecting using an
untrusted domain name, such as BOGUS\user smbd would remap the untrusted
domain to the primary domain smbd was a member of and attempt authentication
using that DOMAIN\user name.  This differed from how a Windows member server
would behave.  Now, smbd will replace the BOGUS name with its SAM name.  In
the case where smbd is acting as a PDC this will be DOMAIN\user.  In the case
where smbd is acting as a domain member server this will be WORKSTATION\user.
Thus, smbd will never assume that an incoming user name which is not qualified
with the same primary domain, is part of smbd's primary domain.

While this behavior matches Windows, it may break some workflows which depended
on smbd to always pass through bogus names to the DC for verification.  A new
parameter "map untrusted to domain" can be enabled to revert to the legacy
behavior.

======================

Though, in the original change, I missed the NULL/empty domain case.  This is now fixed in 3.4.3 for sure:

commit fbca26923915a70031f561b198cfe2cc0d9c3aa6
Author: Steven Danneman <steven.danneman at isilon.com>
Date:   Wed May 27 17:14:49 2009 -0700

    s3/auth map NULL domains to our global sam name

    This is an addendum to d8c54fdd, which made make_user_info_map() match
    Windows behavior by mapping untrusted domains given to smbd on the wire
    with the user's credentials to smbd's global sam name.

    This fix was being circumvented in the case where the client passed
    a NULL domain.  Vista clients do this.  In that case smbd was always
    remapping the name to the machine workgroup.  The NULL domain case
    should also be mapped to the global sam name.

    Removing the code in this patch causes us to fall down to the logic
    added in d8c54fdd and properly map the domain.

======================

I can tell you that DOS clients get little to no testing, so I thank you for bringing this to our attention.

-Steven

> -----Original Message-----
> From: Thomas Sailer [mailto:t.sailer at alumni.ethz.ch]
> Sent: Monday, January 04, 2010 6:58 AM
> To: Steven Danneman
> Subject: Samba: map untrusted to domain
> 
> Hi Steven,
> 
> according to the samba git you added the "map untrusted to domain"
> parameter to samba. What was the reason for this change in behaviour?
> 
> It was quite unexpected for me. I (still) have DOS machines running the
> Microsoft Client connecting to the Samba server (the server is a domain
> member server). The DOS clients connect using an empty domain name and
> expect to get DOMAIN\user, but now get WORKSTATION\user.
> 
> Should empty domain names be treated differently?
> 
> Or at least mentioning in the docs that this parameter needs to be set
> for DOS clients may prevent some debugging...
> 
> Thanks,
> Tom
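To make the three behaviours in this thread concrete (the legacy mapping, the 3.4.0 remap of a NULL domain to the workgroup, and the 3.4.3 fix), here is an added Python model of the decision as the release notes and the commit message describe it; it is not Samba's own code, the names ServerConfig, map_domain and qualify are assumptions, and it covers only the cases the thread states.

```python
"""Model of the smbd domain mapping discussed in the thread (illustrative, not Samba code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServerConfig:
    """Assumed name: the smbd settings the mapping decision depends on."""
    role: str                   # "pdc" or "member"
    workgroup: str              # primary domain smbd is a member of
    netbios_name: str           # this host's SAM name when acting as a member
    map_untrusted_to_domain: bool = False   # smb.conf "map untrusted to domain"
    null_domain_fixed: bool = True          # False models 3.4.0 before commit fbca269

    @property
    def global_sam_name(self) -> str:
        # PDC: the domain itself; member server: the workstation name.
        return self.workgroup if self.role == "pdc" else self.netbios_name


def map_domain(client_domain: Optional[str], cfg: ServerConfig) -> str:
    """Domain smbd will use for the client's name (assumed helper name)."""
    if client_domain and client_domain.upper() == cfg.workgroup.upper():
        return cfg.workgroup                    # qualified with our primary domain
    if not client_domain and not cfg.null_domain_fixed:
        # 3.4.0: a NULL/empty domain (DOS, Vista clients) was always remapped
        # to the workgroup, bypassing the untrusted-domain logic from d8c54fdd.
        return cfg.workgroup
    # Untrusted domain (and, once fixed, the NULL/empty domain as well).
    if cfg.map_untrusted_to_domain:
        return cfg.workgroup                    # legacy: pass through to the DC
    return cfg.global_sam_name                  # 3.4 default: matches Windows


def qualify(user: str, client_domain: Optional[str], cfg: ServerConfig) -> str:
    """DOMAIN\\user as smbd will see it after mapping (assumed helper name)."""
    return f"{map_domain(client_domain, cfg)}\\{user}"


if __name__ == "__main__":
    # Constructed scenario: member server WORKSTATION in domain DOMAIN and a
    # DOS client sending an empty domain, as in Tom's report.
    member = ServerConfig("member", "DOMAIN", "WORKSTATION")
    print(qualify("user", "", member))          # WORKSTATION\user
    member.map_untrusted_to_domain = True
    print(qualify("user", "", member))          # DOMAIN\user
```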
