From: Andrew Bartlett Date: Sun, 9 Feb 2020 22:52:33 +0000 (+1300) Subject: s4-auth: Allow simple bind login of a user with an @ in the samAccountName X-Git-Tag: ldb-2.1.1~83 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f231a072d5c09a61e75091c294f722622dcd45da;p=thirdparty%2Fsamba.git s4-auth: Allow simple bind login of a user with an @ in the samAccountName LDAP Simple BIND authentications have already been mapped to a DOMAIN\username pair and should not be mapped twice. This appears to be a regression in 09e24ce40f89ac2f03d0c5fefa8b59f0d113fa6b included in Samba 4.7. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598 Signed-off-by: Andrew Bartlett Reviewed-by: Isaac Boukris Autobuild-User(master): Isaac Boukris Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184 --- diff --git a/selftest/knownfail.d/ldap-virtual-users b/selftest/knownfail.d/ldap-virtual-users deleted file mode 100644 index 318a2b587b7..00000000000 --- a/selftest/knownfail.d/ldap-virtual-users +++ /dev/null @@ -1 +0,0 @@ -^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_virtual_email_account_style_bind \ No newline at end of file diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index fb88cb87f66..70eddc12c53 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c 
@@ -644,7 +644,27 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return NT_STATUS_NO_SUCH_DOMAIN; } - p = strchr_m(account_name, '@'); + /* + * If we have not already mapped this user, then now is a good + * time to do so, before we look it up. We used to do this + * earlier, but in a multi-forest environment we want to do + * this mapping at the final domain. + * + * However, on the flip side we may have already mapped the + * user if this was an LDAP simple bind, in which case we + * really, really want to get back to exactly the same account + * we got the DN for. + */ + if (user_info->mapped_state == false) { + p = strchr_m(account_name, '@'); + } else { + /* + * This is slightly nicer than double-indenting the + * block below + */ + p = NULL; + } + if (p != NULL) { const char *nt4_domain = NULL; const char *nt4_account = NULL;
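Review bot: the knownfail removal in selftest/knownfail.d/ldap-virtual-users is the only test change in this patch, so it is what demonstrates the auth_sam.c fix; the commit message cites BUG 13598 but not the test that is now expected to pass, and naming test_virtual_email_account_style_bind (or the bug's symptom) in the message would let a reader tie the expectation change to the code change. The removed pattern was scoped with `^samba4.ldap.bind\(fl2008r2dc\)`, so the new expectation applies to the fl2008r2dc environment specifically; if the bind test also runs elsewhere, nothing in this hunk changes those environments.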
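Review bot: in the auth_sam.c hunk the `else` branch exists only to set `p = NULL`, and its comment admits as much; initialising `p` to NULL where it is declared and writing `if (!user_info->mapped_state) { p = strchr_m(account_name, '@'); }` drops both the branch and the two-line comment, and avoids the `== false` comparison on a bool. The larger comment is the valuable part of the hunk, since it records why the '@' split is skipped; it would be tighter if "we really, really want to get back to exactly the same account we got the DN for" stated the invariant directly: once `mapped_state` is set, `account_name` is the samAccountName that was resolved from the bind DN and may legitimately contain '@'. Because the fix relies on the LDAP simple-bind path having set `mapped_state` before this point, a companion test for the unmapped case (an NTLM-style name with '@' that must still take the `nt4_domain`/`nt4_account` split below) would guard the other half of this condition against a later regression.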
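The failure the commit message describes, as an added example that is not Samba's code: a small C model of the decision the hunk makes around `p = strchr_m(account_name, '@')`. The struct and function names (`user_info_model`, `map_before_fix`, `map_after_fix`, `split_at_sign`) and the two scenarios are invented for this illustration; only the '@' split and the `mapped_state` flag come from the patch. The "before" path splits unconditionally and turns an already-resolved samAccountName `alice@example.com` into the wrong pair `example.com\alice`; the "after" path leaves a mapped name alone while still splitting a genuinely unmapped UPN.

```c
/*
 * Added illustration (not Samba code): why an account name must not be
 * mapped twice.  Models the decision the patched hunk makes in
 * authsam_check_password_internals() around "p = strchr_m(account_name, '@')".
 * user_info_model, split_at_sign, map_before_fix and map_after_fix are
 * names invented for this example; the scenarios at the bottom are
 * constructed, not captured from a real server.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct user_info_model {
	const char *account_name;   /* name as the auth layer now sees it */
	const char *domain_name;    /* domain already resolved for it, if any */
	bool mapped_state;          /* true: already a DOMAIN\user pair */
};

struct mapped_name {
	char domain[64];
	char account[128];
};

/* UPN-style split "user@realm" -> (realm, user); otherwise keep the pair as is. */
static struct mapped_name split_at_sign(const char *name, const char *domain)
{
	struct mapped_name out;
	const char *p = strchr(name, '@');

	if (p != NULL) {
		snprintf(out.account, sizeof(out.account), "%.*s",
			 (int)(p - name), name);
		snprintf(out.domain, sizeof(out.domain), "%s", p + 1);
	} else {
		snprintf(out.account, sizeof(out.account), "%s", name);
		snprintf(out.domain, sizeof(out.domain), "%s", domain);
	}
	return out;
}

/* Pre-patch behaviour: always look for '@', even on an already-mapped name. */
static struct mapped_name map_before_fix(const struct user_info_model *ui)
{
	return split_at_sign(ui->account_name, ui->domain_name);
}

/* Patched behaviour: an already-mapped name is passed through untouched. */
static struct mapped_name map_after_fix(const struct user_info_model *ui)
{
	if (ui->mapped_state) {
		struct mapped_name out;
		snprintf(out.account, sizeof(out.account), "%s", ui->account_name);
		snprintf(out.domain, sizeof(out.domain), "%s", ui->domain_name);
		return out;
	}
	return split_at_sign(ui->account_name, ui->domain_name);
}

/* Constructed scenario: LDAP simple bind whose DN already resolved to
 * SAMDOM\alice@example.com, i.e. a samAccountName containing '@'. */
static const struct user_info_model LDAP_SIMPLE_BIND = {
	"alice@example.com", "SAMDOM", true
};

/* Constructed scenario: NTLM logon with a UPN that has not been mapped yet,
 * so the '@' split is still the right thing to do. */
static const struct user_info_model NTLM_UPN_LOGON = {
	"bob@samdom.example.com", "", false
};

int main(void)
{
	struct mapped_name before = map_before_fix(&LDAP_SIMPLE_BIND);
	struct mapped_name after = map_after_fix(&LDAP_SIMPLE_BIND);
	struct mapped_name ntlm = map_after_fix(&NTLM_UPN_LOGON);

	printf("simple bind, before fix: %s\\%s  (wrong account)\n",
	       before.domain, before.account);
	printf("simple bind, after fix:  %s\\%s\n", after.domain, after.account);
	printf("NTLM UPN, after fix:     %s\\%s\n", ntlm.domain, ntlm.account);
	return 0;
}
```

The model deliberately omits what Samba does after the split (resolving the realm to an NT4 domain and looking the account up in the SAM); the point it isolates is that the split itself is only valid on input the client supplied, not on a name the server has already resolved from a DN.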