From 9520b0b084ebaddce73dabf909f4e3af6fe284c3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Jan 2018 08:55:48 +0100
Subject: [PATCH 1/5] s3:libsmb: allow -U"\\administrator" to work

cli_credentials_get_principal() returns NULL in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87)
---
 source3/libsmb/cliconnect.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 70bcead..d819e4c 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -283,8 +283,9 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
 
 	auth_requested = cli_credentials_authentication_requested(creds);
 	if (auth_requested) {
+		errno = 0;
 		user_principal = cli_credentials_get_principal(creds, frame);
-		if (user_principal == NULL) {
+		if (errno != 0) {
 			TALLOC_FREE(frame);
 			return NT_STATUS_NO_MEMORY;
 		}
@@ -299,6 +300,10 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
 		try_kerberos = true;
 	}
 
+	if (user_principal == NULL) {
+		try_kerberos = false;
+	}
+
 	if (target_hostname == NULL) {
 		try_kerberos = false;
 	} else if (is_ipaddress(target_hostname)) {
-- 
1.9.1


From 8b82e17511fd83abe8360802884ad12d623fd292 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Jan 2018 08:57:05 +0100
Subject: [PATCH 2/5] s3:cliconnect.c: remove useless ';'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3)
---
 source3/libsmb/cliconnect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index d819e4c..8c81565 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1289,7 +1289,7 @@ static struct tevent_req *cli_session_setup_spnego_send(
 
 	status = cli_session_creds_prepare_krb5(cli, creds);
 	if (tevent_req_nterror(req, status)) {
-		return tevent_req_post(req, ev);;
+		return tevent_req_post(req, ev);
 	}
 
 	subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
-- 
1.9.1


From c9157dfeb0672811b37753c0cb0908a745d4b308 Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Mon, 8 Jan 2018 13:36:59 +1300
Subject: [PATCH 3/5] tests/py_creds: Add a SamLogonEx test with an empty
 string domain

This test passes against 4.6, but failed against 4.7.5 and master.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5c625eae3f54e8de434de26e9f6a0f2fde557c18)
---
 python/samba/tests/py_credentials.py       | 27 +++++++++++++++++++++++++++
 selftest/knownfail.d/empty-domain-samlogon |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 selftest/knownfail.d/empty-domain-samlogon

diff --git a/python/samba/tests/py_credentials.py b/python/samba/tests/py_credentials.py
index ff017ec..2f5a7d6 100644
--- a/python/samba/tests/py_credentials.py
+++ b/python/samba/tests/py_credentials.py
@@ -129,6 +129,33 @@ class PyCredentialsTests(TestCase):
             else:
                 raise
 
+    def test_SamLogonEx_no_domain(self):
+        c = self.get_netlogon_connection()
+
+        self.user_creds.set_domain('')
+
+        logon = samlogon_logon_info(self.domain,
+                                    self.machine_name,
+                                    self.user_creds)
+
+        logon_level = netlogon.NetlogonNetworkTransitiveInformation
+        validation_level = netlogon.NetlogonValidationSamInfo4
+        netr_flags = 0
+
+        try:
+            c.netr_LogonSamLogonEx(self.server,
+                                   self.user_creds.get_workstation(),
+                                   logon_level,
+                                   logon,
+                                   validation_level,
+                                   netr_flags)
+        except NTSTATUSError as e:
+            enum = ctypes.c_uint32(e[0]).value
+            if enum == ntstatus.NT_STATUS_WRONG_PASSWORD:
+                self.fail("got wrong password error")
+            else:
+                self.fail("got unexpected error" + str(e))
+
     def test_SamLogonExNTLM(self):
         c = self.get_netlogon_connection()
 
diff --git a/selftest/knownfail.d/empty-domain-samlogon b/selftest/knownfail.d/empty-domain-samlogon
new file mode 100644
index 0000000..925a03a
--- /dev/null
+++ b/selftest/knownfail.d/empty-domain-samlogon
@@ -0,0 +1 @@
+^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain
-- 
1.9.1


From f671eb6507b5c1020698924dcce85d8fd680cc3e Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Mon, 8 Jan 2018 16:34:02 +1300
Subject: [PATCH 4/5] tests/bind.py: Add a bind test with NTLMSSP with no
 domain

Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0)
---
 auth/credentials/tests/bind.py         | 26 +++++++++++++++++++++++++-
 selftest/knownfail.d/empty-domain-bind |  1 +
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 selftest/knownfail.d/empty-domain-bind

diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index 91e493d..4aa4498 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -43,6 +43,7 @@ creds_machine = copy.deepcopy(creds)
 creds_user1 = copy.deepcopy(creds)
 creds_user2 = copy.deepcopy(creds)
 creds_user3 = copy.deepcopy(creds)
+creds_user4 = copy.deepcopy(creds)
 
 class BindTests(samba.tests.TestCase):
 
@@ -64,7 +65,7 @@ class BindTests(samba.tests.TestCase):
         self.config_dn = self.info_dc["configurationNamingContext"][0]
         self.computer_dn = "CN=centos53,CN=Computers,%s" % self.domain_dn
         self.password = "P@ssw0rd"
-        self.username = "BindTestUser_" + time.strftime("%s", time.gmtime())
+        self.username = "BindTestUser"
 
     def tearDown(self):
         super(BindTests, self).tearDown()
@@ -113,6 +114,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
                                       expression="(samAccountName=%s)" % self.username)
         self.assertEquals(len(ldb_res), 1)
         user_dn = ldb_res[0]["dn"]
+        self.addCleanup(delete_force, self.ldb, user_dn)
 
         # do a simple bind and search with the user account in format user@realm
         creds_user1.set_bind_dn(self.username + "@" + creds.get_realm())
@@ -138,5 +140,27 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
                                               lp=lp, ldap_only=True)
         res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 
+    def test_user_account_bind_no_domain(self):
+        # create user
+        self.ldb.newuser(username=self.username, password=self.password)
+        ldb_res = self.ldb.search(base=self.domain_dn,
+                                      scope=SCOPE_SUBTREE,
+                                      expression="(samAccountName=%s)" % self.username)
+        self.assertEquals(len(ldb_res), 1)
+        user_dn = ldb_res[0]["dn"]
+        self.addCleanup(delete_force, self.ldb, user_dn)
+
+        creds_user4.set_username(self.username)
+        creds_user4.set_password(self.password)
+        creds_user4.set_domain('')
+        creds_user4.set_workstation('')
+        print "BindTest (no domain) with: " + self.username
+        try:
+            ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4,
+                                              lp=lp, ldap_only=True)
+        except:
+            self.fail("Failed to connect without the domain set")
+
+        res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
 
 TestProgram(module=__name__, opts=subunitopts)
diff --git a/selftest/knownfail.d/empty-domain-bind b/selftest/knownfail.d/empty-domain-bind
new file mode 100644
index 0000000..99d71c1
--- /dev/null
+++ b/selftest/knownfail.d/empty-domain-bind
@@ -0,0 +1 @@
+^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind_no_domain.*
-- 
1.9.1


From bed9af0215e4a31e320a2c042cc2b49807508e0f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Jan 2018 08:54:11 +0100
Subject: [PATCH 5/5] s4:auth_sam: allow logons with an empty domain name

It turns out that an empty domain name maps to the local SAM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144

(cherry picked from commit 57762229da971e837b923f09ca01bad6151f9419)
---
 selftest/knownfail.d/empty-domain-bind     |  1 -
 selftest/knownfail.d/empty-domain-samlogon |  1 -
 source4/auth/ntlm/auth_sam.c               | 16 ++++++++++------
 3 files changed, 10 insertions(+), 8 deletions(-)
 delete mode 100644 selftest/knownfail.d/empty-domain-bind
 delete mode 100644 selftest/knownfail.d/empty-domain-samlogon

diff --git a/selftest/knownfail.d/empty-domain-bind b/selftest/knownfail.d/empty-domain-bind
deleted file mode 100644
index 99d71c1..0000000
--- a/selftest/knownfail.d/empty-domain-bind
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_user_account_bind_no_domain.*
diff --git a/selftest/knownfail.d/empty-domain-samlogon b/selftest/knownfail.d/empty-domain-samlogon
deleted file mode 100644
index 925a03a..0000000
--- a/selftest/knownfail.d/empty-domain-samlogon
+++ /dev/null
@@ -1 +0,0 @@
-^samba.tests.py_credentials.samba.tests.py_credentials.PyCredentialsTests.test_SamLogonEx_no_domain
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 24fe167..3738224 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -739,6 +739,10 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
+	if (effective_domain == NULL) {
+		effective_domain = "";
+	}
+
 	is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
 					effective_domain);
 
@@ -784,7 +788,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
-	if (effective_domain != NULL && !strequal(effective_domain, "")) {
+	if (!strequal(effective_domain, "")) {
 		DBG_DEBUG("%s is not one domain name (DC)\n",
 			  effective_domain);
 		return NT_STATUS_NOT_IMPLEMENTED;
@@ -792,11 +796,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 
 	p = strchr_m(user_info->mapped.account_name, '@');
 	if (p == NULL) {
-		if (effective_domain == NULL) {
-			return NT_STATUS_OK;
-		}
-		DEBUG(6,("authsam_check_password: '' without upn not handled (DC)\n"));
-		return NT_STATUS_NOT_IMPLEMENTED;
+		/*
+		 * An empty to domain name should be handled
+		 * as the local domain name.
+		 */
+		return NT_STATUS_OK;
 	}
 
 	effective_domain = p + 1;
-- 
1.9.1