s3:auth_sam: map an empty domain or '.' to the local SAM name
authorStefan Metzmacher <metze@samba.org>
Thu, 23 Jan 2020 15:21:43 +0000 (16:21 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 5 Feb 2020 16:30:42 +0000 (16:30 +0000)
When a domain member gets an empty domain name or '.', it should
not forward the authentication to domain controllers of
the primary domain.

But as a domain member we still need to pass UPN account names
with an empty domain on to the DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/auth_log_winbind.py
selftest/knownfail.d/empty-domain-name
source3/auth/auth_sam.c

index 4f4beff1e32f14d3063641265113a3cc9be01b6a..4c68187aef85608f2b2a74154fcbc575841baeff 100644 (file)
@@ -321,7 +321,7 @@ class AuthLogTestsWinbind(AuthLogTestBase, BlackboxTestCase):
         self.assertEquals("unix:", msg["Authentication"]["localAddress"])
         self.assertEquals('', msg["Authentication"]["clientDomain"])
         # This is what the existing winbind implementation returns.
-        self.assertEquals("NT_STATUS_INVALID_HANDLE",
+        self.assertEquals("NT_STATUS_NO_SUCH_USER",
                           msg["Authentication"]["status"])
         self.assertEquals(self.credentials.get_username(),
                           msg["Authentication"]["clientAccount"])
@@ -424,7 +424,7 @@ class AuthLogTestsWinbind(AuthLogTestBase, BlackboxTestCase):
         self.assertEquals("unix:", msg["Authentication"]["localAddress"])
         self.assertEquals('', msg["Authentication"]["clientDomain"])
         # This is what the existing winbind implementation returns.
-        self.assertEquals("NT_STATUS_INVALID_HANDLE",
+        self.assertEquals("NT_STATUS_NO_SUCH_USER",
                           msg["Authentication"]["status"])
         self.assertEquals(self.credentials.get_username(),
                           msg["Authentication"]["clientAccount"])
index 9855e4d58c28ec9f2aa5f93fb403b5529125a571..a1ffcaf7e3cb8c9c0902c33622c825c4839c83af 100644 (file)
@@ -1,5 +1,5 @@
 ^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*nt4_member
-^samba3.blackbox.smbclient_auth.empty_domain.member_creds.smbclient.*as.user.*ad_member
+^samba3.blackbox.smbclient_auth.empty_domain.domain_creds.smbclient.*as.user.*ad_member
 ^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*nt4_member
 ^samba3.blackbox.smbclient_auth.dot_domain.domain_creds.smbclient.*as.user.*ad_member
 ^samba3.blackbox.smbclient_auth.upn.domain_creds.smbclient.*as.*user.*nt4_member
index fa40a5c8f3eb8b24057d1e61ff19e69e71a0e6fb..c6357c696eaca1cc70661e05c6f64695ce335437 100644 (file)
@@ -93,10 +93,36 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
                return NT_STATUS_NOT_IMPLEMENTED;
        }
 
+       if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
+               const char *p = NULL;
+
+               p = strchr_m(user_info->mapped.account_name, '@');
+               if (p != NULL) {
+                       /*
+                        * This needs to go to the DC,
+                        * even if @ is the last character
+                        */
+                       return NT_STATUS_NOT_IMPLEMENTED;
+               }
+       }
+
+       if (effective_domain == NULL) {
+               effective_domain = "";
+       }
+
        DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
                  effective_domain,
                  user_info->mapped.account_name);
 
+
+       if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
+               /*
+                * An empty domain name or '.' should be handled
+                * as the local SAM name.
+                */
+               effective_domain = lp_netbios_name();
+       }
+
        is_local_name = is_myname(effective_domain);
        is_my_domain  = strequal(effective_domain, lp_workgroup());
 
@@ -174,6 +200,10 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
                return NT_STATUS_NOT_IMPLEMENTED;
        }
 
+       if (effective_domain == NULL) {
+               effective_domain = "";
+       }
+
        DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
                  effective_domain,
                  user_info->mapped.account_name);
@@ -189,6 +219,14 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
                return NT_STATUS_INVALID_SERVER_STATE;
        }
 
+       if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
+               /*
+                * An empty domain name or '.' should be handled
+                * as the local SAM name.
+                */
+               effective_domain = lp_workgroup();
+       }
+
        is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
        if (!is_my_domain) {
                DBG_INFO("%s is not our domain name (DC for %s)\n",
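Review bot: The remap in the `strequal(effective_domain, "") || strequal(effective_domain, ".")` block assigns lp_workgroup() to effective_domain, but the is_my_domain check three lines later compares `user_info->mapped.domain_name` with lp_workgroup(), so for an empty or '.' domain the remap only changes the DBG_INFO text and the request is still refused with NT_STATUS_NOT_IMPLEMENTED, assuming effective_domain is initialised from mapped.domain_name earlier in the function outside this hunk. If the intent is for the DC to treat such requests as its own domain, the check should read `is_my_domain = strequal(effective_domain, lp_workgroup());`. auth_samstrict_auth in the first hunk already tests effective_domain, so the two functions would then agree. auth_sam_netlogon3_auth continues past the end of this hunk.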