The Samba-Bugzilla – Bug 12492
empty client domain is not mapped to standalone server domain when user name contains @
Last modified: 2017-01-04 18:37:23 UTC
Created attachment 12787 [details]
After upgrading from Samba 4.4.7 to 4.5.2 user authentication stopped working in our installation.
We are mapping (via username map script) usernames from full email addresses to real Samba usernames so that users can login to Samba server using email address as username.
Samba is configured as standalone server.
Commit 3f82db56cbf2727abd465e28ac02ad2242b47c29 modified client domain mapping so that an empty domain is not mapped any more to Samba server domain if username contains "@".
Since we have no domain at our site Windows clients send empty domain string to Samba when users attempt to log in.
When user tries to login using full email address as username Samba doesn't map the empty domain to Samba server domain and authentication fails.
As reported in bug https://bugzilla.samba.org/show_bug.cgi?id=12375 preserving empty domain is useful only if there is a domain controller.
I'd expect that when Samba configuration is "server role = standalone" empty client domain will always be mapped to server domain.
I wrote a simple patch that fixes the problem allowing empty domain mapping if Samba role is standalone server.
I'd say to consider this not a bug but an invalid setup actually. If you want this kind of email login to continue working, I would suggest to update to AD mode and add email-like user principal names for the users if you prefer that.
Deploying AD will be hard in our company, we`ll have to buy new servers to act as AD domain controllers and manually join hundreds of workstations to the domain.
Please consider supporting usernames containing @ when there is no domain and Samba is configured as standalone server.
This setup was working before Samba 4.5 and I think that the proposed patch wont impact AD / Kerberos realm setups.