From 57762229da971e837b923f09ca01bad6151f9419 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Jan 2018 08:54:11 +0100
Subject: [PATCH] s4:auth_sam: allow logons with an empty domain name

It turns out that an empty domain name maps to the local SAM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144
---
 selftest/knownfail.d/empty-domain-bind     |  1 -
 selftest/knownfail.d/empty-domain-samlogon |  1 -
 source4/auth/ntlm/auth_sam.c               | 16 ++++++++++------
 3 files changed, 10 insertions(+), 8 deletions(-)
 delete mode 100644 selftest/knownfail.d/empty-domain-bind
 delete mode 100644 selftest/knownfail.d/empty-domain-samlogon

diff --git a/selftest/knownfail.d/empty-domain-bind b/selftest/knownfail.d/empty-domain-bind
deleted file mode 100644
index 99d71c1cf39..00000000000
--- a/selftest/knownfail.d/empty-domain-bind
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind_no_domain.*
diff --git a/selftest/knownfail.d/empty-domain-samlogon b/selftest/knownfail.d/empty-domain-samlogon
deleted file mode 100644
index 925a03ad40f..00000000000
--- a/selftest/knownfail.d/empty-domain-samlogon
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 5e2a5843fc4..8c5ebd747e7 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -739,6 +739,10 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
+	if (effective_domain == NULL) {
+		effective_domain = "";
+	}
+
 	is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
 					effective_domain);
 
@@ -784,7 +788,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
-	if (effective_domain != NULL && !strequal(effective_domain, "")) {
+	if (!strequal(effective_domain, "")) {
 		DBG_DEBUG("%s is not one domain name (DC)\n",
 			  effective_domain);
 		return NT_STATUS_NOT_IMPLEMENTED;
@@ -792,11 +796,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 
 	p = strchr_m(user_info->mapped.account_name, '@');
 	if (p == NULL) {
-		if (effective_domain == NULL) {
-			return NT_STATUS_OK;
-		}
-		DEBUG(6,("authsam_check_password: '' without upn not handled (DC)\n"));
-		return NT_STATUS_NOT_IMPLEMENTED;
+		/*
+		 * An empty to domain name should be handled
+		 * as the local domain name.
+		 */
+		return NT_STATUS_OK;
 	}
 
 	effective_domain = p + 1;
-- 
2.34.1