After upgrading to Samba 4.7, our Android phone users report they cannot access our file server (AD member server) anymore. After debugging, I found "map untrusted to domain = yes" is not working. Our users use "user" instead of "samdom\user" to log in.
According to the manual, if I use "bogus\user" to log in, Samba should translate it to "samdom\user". But checking the log, the translation seems incomplete (smbd does not seem to pass the translated name on to winbind?):
>grep bogus log.*
log.smbd: Got user=[h1102] domain=[bogus] workstation=[ANN-PC] len1=24 len2=272
log.smbd: Mapping user [bogus]\[h1102] from workstation [ANN-PC]
log.smbd: Mapped domain from [bogus] to [LHY] for user [h1102] from workstation [ANN-PC]
log.smbd: check_ntlm_password: Checking password for unmapped user [bogus]\[h1102]@[ANN-PC] with the new password interface
log.smbd: Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
log.smbd: ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
log.wb-LHY: [ 6352]: pam auth crap domain: bogus user: h1102
log.wb-LHY: NTLM CRAP authentication for user [bogus]\[h1102] returned NT_STATUS_NO_SUCH_USER
log.winbindd: [ 6377]: domain_info [bogus]
log.winbindd: Did not find domain [bogus]
log.winbindd: [ 6377]: pam auth crap domain: [bogus] user: h1102
Part of the messages in log.smbd:
[2018/07/24 09:55:36.907652, 5] ../source3/auth/auth_util.c:123(make_user_info_map)
Mapping user [bogus]\[h1102] from workstation [ANN-PC]
[2018/07/24 09:55:36.907970, 5] ../source3/auth/auth_util.c:144(make_user_info_map)
Mapped domain from [bogus] to [LHY] for user [h1102] from workstation [ANN-PC]
[2018/07/24 09:55:36.907989, 5] ../source3/auth/user_info.c:62(make_user_info)
attempting to make a user_info for h1102 (h1102)
[2018/07/24 09:55:36.908005, 5] ../source3/auth/user_info.c:70(make_user_info)
making strings for h1102's user_info struct
[2018/07/24 09:55:36.908016, 5] ../source3/auth/user_info.c:108(make_user_info)
making blobs for h1102's user_info struct
[2018/07/24 09:55:36.908026, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [bogus]\[h1102]@[ANN-PC] with the new password interface
[2018/07/24 09:55:36.908036, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [LHY]\[h1102]@[ANN-PC]
[2018/07/24 09:55:36.908046, 5] ../lib/util/util.c:555(dump_data)
 7C 4A 67 E1 4D 77 54 07 |Jg.MwT.
[2018/07/24 09:55:36.908073, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/07/24 09:55:36.908083, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/07/24 09:55:36.908093, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/07/24 09:55:36.908102, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/07/24 09:55:36.908110, 5] ../source3/auth/token_util.c:640(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/07/24 09:55:36.910848, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/07/24 09:55:36.910881, 5] ../source3/auth/auth.c:252(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [h1102] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910914, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [h1102] -> [h1102] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910927, 5] ../source3/auth/auth_ntlmssp.c:188(auth3_check_password)
Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910939, 5] ../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for bogus\h1102 failed: NT_STATUS_NO_SUCH_USER
[2018/07/24 09:55:36.910951, 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
That parameter was finally removed in Samba 4.8 because of the various design issues with it.
So now we all need to use domain\user for access in this case?
This is unfortunate.
In a single-domain environment, it is very convenient to input the user part only.
Is there any other way to achieve the same behavior?
It's sad that Samba is losing more and more unique features.
*** Bug 13739 has been marked as a duplicate of this bug. ***
There might be ways to reimplement "map untrusted to domain", if it's really required, but it means the authentication request is sent to the DC twice:
first as is, and if the answer is NO_SUCH_USER and authoritative is 0,
we would send it again with the domain part replaced.
In make_auth3_context_for_ntlm() we would let a member use:
"anonymous sam winbind winbind_owndomain sam_ignoredomain"
And winbind_owndomain would implement map untrusted to domain
or just pass on to the next module depending on the configuration.
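The two-pass fallback sketched in comment #6, as an added simulation (this is not Samba code, and no winbind_owndomain module exists upstream). FakeDC stands in for the DC's SamLogon call, and the rule that an unknown domain yields NO_SUCH_USER with authoritative=0 while a known domain answers authoritatively is an assumption made here to model the log above ("Did not find domain [bogus]"). The domain LHY, the trust TRUSTEDCO, the accounts and the passwords are constructed test data. The simulation compares plaintext passwords only; it says nothing about whether a rewritten domain part still verifies an NTLMv2 response, which is the doubt raised in comment #8.

```python
# Added example, not Samba code: simulate the auth-module chain proposed in
# comment #6. A hypothetical winbind_owndomain module forwards domain\user to
# the DC as-is and retries once with the member's own domain only when the DC
# says NO_SUCH_USER *and* no domain claimed the name (authoritative == 0).
from dataclasses import dataclass, field

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_NO_SUCH_USER = "NT_STATUS_NO_SUCH_USER"
NT_STATUS_WRONG_PASSWORD = "NT_STATUS_WRONG_PASSWORD"


@dataclass
class AuthResult:
    status: str
    authoritative: int          # 1: some domain owned the name, 0: nobody did
    tried: list = field(default_factory=list)  # "DOM\user" sent to the DC, in order


class FakeDC:
    """Stand-in for SamLogon on the DC (assumption: unknown domain => authoritative 0)."""

    def __init__(self, own_domain, trusted, accounts):
        self.own_domain = own_domain.upper()
        self.known = {d.upper() for d in trusted} | {self.own_domain}
        # constructed account table: (DOMAIN, user) -> plaintext password
        self.accounts = {(d.upper(), u.lower()): p for (d, u), p in accounts.items()}

    def sam_logon(self, domain, user, password):
        dom = domain.upper()
        if dom not in self.known:
            # Mirrors "Did not find domain [bogus]": nobody is authoritative.
            return NT_STATUS_NO_SUCH_USER, 0
        pw = self.accounts.get((dom, user.lower()))
        if pw is None:
            # The domain exists, so its answer is authoritative: do not remap.
            return NT_STATUS_NO_SUCH_USER, 1
        return (NT_STATUS_OK if pw == password else NT_STATUS_WRONG_PASSWORD), 1


def winbind_owndomain(dc, own_domain, domain, user, password, map_untrusted=True):
    """Hypothetical module: first pass as-is, second pass with own domain."""
    first = domain or own_domain          # bare "user" goes to our own domain
    result = AuthResult(NT_STATUS_NO_SUCH_USER, 0)
    result.tried.append(f"{first}\\{user}")
    result.status, result.authoritative = dc.sam_logon(first, user, password)
    if (map_untrusted
            and result.status == NT_STATUS_NO_SUCH_USER
            and result.authoritative == 0
            and first.upper() != own_domain.upper()):
        # Second round trip to the DC, domain part replaced (cost noted in comment #6).
        result.tried.append(f"{own_domain}\\{user}")
        result.status, result.authoritative = dc.sam_logon(own_domain, user, password)
    return result


def build_demo_dc():
    return FakeDC("LHY", ["TRUSTEDCO"],
                  {("LHY", "h1102"): "pw1", ("TRUSTEDCO", "bob"): "pw2"})


if __name__ == "__main__":
    dc = build_demo_dc()
    for dom in ("bogus", "", "LHY", "TRUSTEDCO"):
        r = winbind_owndomain(dc, "LHY", dom, "h1102", "pw1")
        print(f"{dom or '<none>'}\\h1102 -> {r.status} (authoritative={r.authoritative}) via {r.tried}")
```

The authoritative guard is the point worth keeping: a name that genuinely does not exist in a trusted domain is rejected after one round trip and is never silently rerouted to the member's own domain; only names under a domain nobody knows get the second attempt.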
(In reply to Stefan Metzmacher from comment #6)
But I'm not sure it will work with NTLMv2, which should be required
in most setups.
It could only work on a DC by using:
"sam_netlogon3 winbind sam_ignoredomain" in make_auth3_context_for_netlogon()
(In reply to Stefan Metzmacher from comment #6)
It is a convenience in a single-domain environment.
No matter whether the user inputs "user", "samdom\user" or "bogus\user", all are translated to "samdom\user" before the next step. Then we can avoid sending it twice. But I don't know if that is possible.
(In reply to tbskyd from comment #9)
Try what I propose in comment #8, but I'm not yet sure we want such
a change in upstream Samba, sorry.