domain\username requirements and 'map untrusted to domain'

Andrew Bartlett abartlet at
Tue May 4 15:52:51 UTC 2021

On Tue, 2021-05-04 at 16:43 +0800, d tbsky via samba-technical wrote:
> I am sorry but today a user ask me again why our samba service need
> "samdom\account" to access.
> that's issue but of
> course I told him that's Microsoft's fault.
> it's interesting that many of our services are using ldap to
> authenticate against samba DC, and all of them can use
> "account/password" to login.
> only samba file server need "samdom\account" to login.
> maybe new developer has some new magic thought which would solve it
> in
> a blink of an eye/finger...

I don't think you understand the purpose of introducing a new
developer, but regardless I would note that you are welcome to try the
suggested change on the bug and report your success or otherwise there.

This may influence us in changing the behaviour here, but note that any
such change would also need tests (to ensure it works and keeps
working).  Your Samba commercial support provider may be able to assist
if you are not confident writing those.

The primary blocker is the cryptographic behaviour of NTLMv2, which
means we can't change the domain on the domain member server, because
the domain is part of the password hash calculation.

Direct LDAP users do not suffer in this way because the plaintext
password is communicated to the DC and most LDAP applications make
assumptions about the username and convert into a DN (otherwise
domain\user or user at REALM is required).

I hope this assists,

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba-technical mailing list