Package: samba
Version: 2:4.5.2+dfsg-1
Severity: normal
Tags: upstream patch

After upgrading from Samba 4.4.7 to 4.5.2, user authentication stopped working in our installation. We are mapping (via username map script) usernames from full email addresses to real Samba usernames so that users can log in to the Samba server using an email address as username. Samba is configured as a standalone server.

Upstream commit 3f82db56cbf2727abd465e28ac02ad2242b47c29 modified client domain mapping so that an empty domain is no longer mapped to the Samba server domain if the username contains "@". Since we have no domain at our site, Windows clients send an empty domain string to Samba when users attempt to log in. When a user tries to log in using a full email address as username, Samba doesn't map the empty domain to the Samba server domain and authentication fails.

As reported in upstream bug https://bugzilla.samba.org/show_bug.cgi?id=12375, preserving the empty domain is useful only if there is a domain controller. I'd expect that when the Samba configuration is "server role = standalone", an empty client domain will always be mapped to the server domain.

I wrote a simple patch that fixes the problem, allowing empty domain mapping if the Samba role is standalone server.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser              3.115
ii  dpkg                 1.18.15
ii  init-system-helpers  1.46
ii  libbsd0              0.8.3-1
ii  libc6                2.24-8
ii  libldb1              2:1.1.27-1
ii  libpam-modules       1.1.8-3.3
ii  libpam-runtime       1.1.8-3.3
ii  libpopt0             1.16-10
ii  libpython2.7         2.7.13~rc1-1
ii  libtalloc2           2.1.8-1
ii  libtdb1              1.3.11-2
ii  libtevent0           0.9.31-1
ii  libwbclient0         2:4.5.2+dfsg-1
ii  lsb-base             9.20161125
ii  procps               2:3.3.12-3
ii  python               2.7.11-2
ii  python-dnspython     1.15.0-1
ii  python-samba         2:4.5.2+dfsg-1
pn  python2.7:any        <none>
ii  samba-common         2:4.5.2+dfsg-1
ii  samba-common-bin     2:4.5.2+dfsg-1
ii  samba-libs           2:4.5.2+dfsg-1
ii  tdb-tools            1.3.11-2
ii  update-inetd         4.43

Versions of packages samba recommends:
ii  attr                2:2.4.47-2
ii  logrotate           3.8.7-2
ii  samba-dsdb-modules  2:4.5.2+dfsg-1
ii  samba-vfs-modules   2:4.5.2+dfsg-1

Versions of packages samba suggests:
pn  bind9          <none>
pn  bind9utils     <none>
pn  ctdb           <none>
pn  ldb-tools      <none>
pn  ntp            <none>
pn  smbldap-tools  <none>
pn  ufw            <none>
pn  winbind        <none>

-- Configuration Files:
/etc/logrotate.d/samba changed [not included]

-- no debconf information

Index: samba-4.5.2+dfsg/source3/auth/auth_util.c =================================================================== --- samba-4.5.2+dfsg.orig/source3/auth/auth_util.c +++ samba-4.5.2+dfsg/source3/auth/auth_util.c @@ -109,7 +109,8 @@ NTSTATUS make_user_info_map(TALLOC_CTX * char *internal_username = NULL; bool upn_form = false; - if (client_domain[0] == '\0' && strchr(smb_name, '@')) { + if (client_domain[0] == '\0' && strchr(smb_name, '@') && + lp_server_role() != ROLE_STANDALONE) { upn_form = true; }
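
Review bot: the new `lp_server_role() != ROLE_STANDALONE` test in the `upn_form` condition of make_user_info_map() carries no comment, so a later reader cannot tell why a standalone server is exempt from the UPN handling. Add a short comment above the `if` that states the reason (no domain controller exists to resolve the name, per upstream bug 12375). The exemption is also keyed on the server role alone: on a standalone server any name containing '@' that arrives with an empty client domain will no longer set `upn_form`, whether or not a username map script is configured, and that is worth stating in the patch description so the behaviour change is a documented decision. Since this condition feeds an authentication path, a test covering an empty domain with an '@' name in both the standalone and non-standalone roles would guard against regressions.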