[Samba] 3.5.5, ADS mode, user authentication syntax

Nick Dugan nddugan at live.com
Tue Jul 19 15:57:41 MDT 2011

I'm in the process of migrating a samba server from Solaris 10 (running 3.0.37) to Solaris 11 Express (running 3.5.5). 
The system is joined to a Win2k3 Active Directory. Migrating the configuration worked fine; the shares are available and everything mostly works as intended.
The problem we're having is with the syntax of authentication requests from Windows client machines. On the old server, users could provide credentials using either of two formats: "user at domain.com", or "DOMAIN\user". After migrating to the new system, only "DOMAIN\user" is accepted as valid. Using the other method results in the following:
  check_ntlm_password:  Authentication for user [user at domain.com] -> [user at domain.com] FAILED with error NT_STATUS_NO_SUCH_USER

I've experimented a bit with a username map script, but gather from the documentation that this won't have the desired effect in ADS mode as it is processed AFTER the initial authentication. 
Of course, we have lots of documentation and a couple hundred users that are trained to use "user at domain.com" as their username. 

My question is, has this behavior deliberately changed in more modern versions of Samba, or am I missing a piece of the configuration somewhere? Any pointers in the right direction would be most appreciated. smb.conf pasted below.

#======================= Global Settings =======================
## Browsing/Identification ###
   workgroup = SUBDOM
   security = ads
   encrypt passwords = true
   realm = SUBDOM.DOMAIN.COM
   obey pam restrictions = yes
   posix locking = no
   unix extensions = no
   nt acl support = no

####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
#   security = user
# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
#   encrypt passwords = true
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
   passdb backend = tdbsam
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#======================= Share Definitions =======================
[homes]
   comment = Home Directories
   browseable = no
   vfs objects = zfsacl
   follow symlinks = yes
   wide links = yes
   map readonly = Permissions
   map system = no
   map archive = no
   writable = yes
   create mask = 0644
   directory mask = 0755
   valid users = %S
