author Steven Danneman <steven.danneman@isilon.com> 2009-02-12 13:01:45 -0800
committer Steven Danneman <steven.danneman@isilon.com> 2009-02-12 13:55:44 -0800
commit 5cd4b7b7c03df6e896186d985b6858a06aa40b3f (patch)
tree 8aba35ab96a7efba2b35a7052f6a6e4e0050fe90 /WHATSNEW.txt
parent feec49d5cd07a69991d1bc6dc6325ecda21a19a8 (diff)
s3: Added new parameter "map untrusted to domain"
When enabled this reverts smbd to the legacy domain remapping behavior when a user provides an untrusted domain.

This partially reverts d8c54fdd
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r-- WHATSNEW.txt 23
1 files changed, 21 insertions, 2 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 65d226cfc2..066f718999 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -10,8 +10,27 @@ system at https://bugzilla.samba.org/.
Major enhancements in Samba 3.4.0 include:
-o
-
+Authentication Changes:
+o Changed the way smbd handles untrusted domain names given during user
+ authentication
+
+Authentication Changes
+======================
+
+Previously, when Samba was a domain member and a client was connecting using an
+untrusted domain name, such as BOGUS\user smbd would remap the untrusted
+domain to the primary domain smbd was a member of and attempt authentication
+using that DOMAIN\user name. This differed from how a Windows member server
+would behave. Now, smbd will replace the BOGUS name with it's SAM name. In
+the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
+where smbd is acting as a domain member server this will be WORKSTATION\user.
+Thus, smbd will never assume that an incoming user name which is not qualified
+with the same primary domain, is part of smbd's primary domain.
+
+While this behavior matches Windows, it may break some workflows which depended
+on smbd to always pass through bogus names to the DC for verification. A new
+parameter "map untrusted to domain" can be enabled to revert to the legacy
+behavior.
######################################################################
Reporting bugs & Development Discussion
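Review bot: The last added paragraph names "map untrusted to domain" but never states its default value or where it is set, so a reader cannot tell from the release notes whether an upgraded domain member keeps the old BOGUS\user remapping or switches to the new WORKSTATION\user lookup; the wording "can be enabled to revert" implies it is off by default, and that should be said outright since it changes which account database a logon is checked against. Smaller points in the same section: "with it's SAM name" should read "its SAM name", "such as BOGUS\user smbd would remap" needs a comma after "BOGUS\user", and the hunk removes the empty line that used to precede the "######" separator, so "+behavior." now runs directly into it; add an empty "+" line after it.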