Samba: map untrusted to domain
steven.danneman at isilon.com
Mon Jan 4 11:07:23 MST 2010
The necessity of the "map untrusted to domain" parameter is mentioned in the 3.4.0 release notes, though I admit unless you were looking at this specific release this information would be hard to find:
Previously, when Samba was a domain member and a client was connecting using an
untrusted domain name, such as BOGUS\user smbd would remap the untrusted
domain to the primary domain smbd was a member of and attempt authentication
using that DOMAIN\user name. This differed from how a Windows member server
would behave. Now, smbd will replace the BOGUS name with its SAM name. In
the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
where smbd is acting as a domain member server this will be WORKSTATION\user.
Thus, smbd will never assume that an incoming user name which is not qualified
with the same primary domain, is part of smbd's primary domain.
While this behavior matches Windows, it may break some workflows which depended
on smbd to always pass through bogus names to the DC for verification. A new
parameter "map untrusted to domain" can be enabled to revert to the legacy
Though, in the original change, I missed the NULL/empty domain case. This is now fixed in 3.4.3 for sure:
Author: Steven Danneman <steven.danneman at isilon.com>
Date: Wed May 27 17:14:49 2009 -0700
s3/auth map NULL domains to our global sam name
This is an addendum to d8c54fdd, which made make_user_info_map() match
Windows behavior by mapping untrusted domains given to smbd on the wire
with the users credentials to smbd's global sam name.
This fix was being circumvented in the case where the client passed
a NULL domain. Vista clients do this. In that case smbd was always
remapping the name to the machine workgroup. The NULL domain case
should also be mapped to the global sam name.
Removing the code in this patch, causes us to fall down to the logic
added in d8c54fdd and properly map the domain.
I can tell you that DOS clients get little to no testing, so I thank you for bringing this to our attention.
> -----Original Message-----
> From: Thomas Sailer [mailto:t.sailer at alumni.ethz.ch]
> Sent: Monday, January 04, 2010 6:58 AM
> To: Steven Danneman
> Subject: Samba: map untrusted to domain
> Hi Steven,
> according to the samba git you added the "map untrusted to domain"
> parameter to samba. What was the reason for this change in behaviour?
> It was quite unexpected for me. I (still) have DOS machines running the
> Microsoft Client connecting to the Samba server (the server is a domain
> member server). The DOS clients connect using an empty domain name and
> expect to get DOMAIN\user, but now get WORKSTATION\user.
> Should empty domain names be treated differently?
> Or at least mentioning in the docs that this parameter needs to be set
> for DOS clients may prevent some debugging...