From 5cd4b7b7c03df6e896186d985b6858a06aa40b3f Mon Sep 17 00:00:00 2001 From: Steven Danneman Date: Thu, 12 Feb 2009 13:01:45 -0800 Subject: s3: Added new parameter "map untrusted to domain" When enabled this reverts smbd to the legacy domain remapping behavior when a user provides an untrusted domain This partially reverts d8c54fdd --- WHATSNEW.txt | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'WHATSNEW.txt') diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 65d226cfc2..066f718999 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -10,8 +10,27 @@ system at https://bugzilla.samba.org/. Major enhancements in Samba 3.4.0 include: -o - +Authentication Changes: +o Changed the way smbd handles untrusted domain names given during user + authentication + +Authentication Changes +====================== + +Previously, when Samba was a domain member and a client was connecting using an +untrusted domain name, such as BOGUS\user smbd would remap the untrusted +domain to the primary domain smbd was a member of and attempt authentication +using that DOMAIN\user name. This differed from how a Windows member server +would behave. Now, smbd will replace the BOGUS name with it's SAM name. In +the case where smbd is acting as a PDC this will be DOMAIN\user. In the case +where smbd is acting as a domain member server this will be WORKSTATION\user. +Thus, smbd will never assume that an incoming user name which is not qualified +with the same primary domain, is part of smbd's primary domain. + +While this behavior matches Windows, it may break some workflows which depended +on smbd to always pass through bogus names to the DC for verification. A new +parameter "map untrusted to domain" can be enabled to revert to the legacy +behavior. ###################################################################### Reporting bugs & Development Discussion -- cgit
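Review bot: The last added paragraph of the new "Authentication Changes" section names "map untrusted to domain" without saying what its default is or spelling out what enabling it does to authentication. "can be enabled to revert" implies it is off by default, but the release note should say so explicitly. It should also state that with the parameter enabled, smbd again treats a name with an untrusted domain, such as BOGUS\user, as DOMAIN\user in its primary domain and passes it to the DC. That is the assumption the preceding paragraph says smbd will now "never" make, so an admin deciding whether to turn it on needs both facts side by side. Smaller points in the same hunk: "it's SAM name" should read "its SAM name"; a comma is missing after "such as BOGUS\user"; and the "Authentication Changes:" label placed above the "o" bullet in the enhancements list duplicates the underlined section heading added directly below it, so one of the two can be dropped or the bullet can stand on its own.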