s4-auth: Allow simple bind login of a user with an @ in the samAccountName

LDAP Simple BIND authentications have already been mapped to a
DOMAIN\username pair and should not be mapped twice.

This appears to be a regression in 09e24ce4
included in Samba 4.7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184

selftest/knownfail.d/ldap-virtual-users

-^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_virtual_email_account_style_bind
\ No newline at end of file

source4/auth/ntlm/auth_sam.c

@@ -644,7 +644,27 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}
 
-	p = strchr_m(account_name, '@');
+	/*
+	 * If we have not already mapped this user, then now is a good
+	 * time to do so, before we look it up.  We used to do this
+	 * earlier, but in a multi-forest environment we want to do
+	 * this mapping at the final domain.
+	 *
+	 * However, on the flip side we may have already mapped the
+	 * user if this was an LDAP simple bind, in which case we
+	 * really, really want to get back to exactly the same account
+	 * we got the DN for.
+	 */
+	if (user_info->mapped_state == false) {
+		p = strchr_m(account_name, '@');
+	} else {
+		/*
+		 * This is slightly nicer than double-indenting the
+		 * block below
+		 */
+		p = NULL;
+	}
+
 	if (p != NULL) {
 		const char *nt4_domain = NULL;
 		const char *nt4_account = NULL;