Commit f231a072 authored by Andrew Bartlett, committed by Isaac Boukris

s4-auth: Allow simple bind login of a user with an @ in the samAccountName

LDAP Simple BIND authentications have already been mapped to a
DOMAIN\username pair and should not be mapped twice.

This appears to be a regression in 09e24ce4
included in Samba 4.7.

BUG: Andrew Bartlett <>
Reviewed-by: Isaac Boukris <>

Autobuild-User(master): Isaac Boukris <>
Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184
parent 8fbdff5c
\ No newline at end of file
......@@ -644,7 +644,27 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
p = strchr_m(account_name, '@');
* If we have not already mapped this user, then now is a good
* time to do so, before we look it up. We used to do this
* earlier, but in a multi-forest environment we want to do
* this mapping at the final domain.
* However, on the flip side we may have already mapped the
* user if this was an LDAP simple bind, in which case we
* really, really want to get back to exactly the same account
* we got the DN for.
if (user_info->mapped_state == false) {
p = strchr_m(account_name, '@');
} else {
* This is slightly nicer than double-indenting the
* block below
p = NULL;
if (p != NULL) {
const char *nt4_domain = NULL;
const char *nt4_account = NULL;
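Review bot: the new `if (user_info->mapped_state == false)` gate makes the choice of account depend entirely on `mapped_state` being set by every path that has already mapped the name, and the comment names only LDAP simple bind as such a path. Since the commit message describes this as a regression, a test that performs a simple bind as a user whose samAccountName contains '@' and checks that the same account is returned would keep it from recurring, and a short note at the `mapped_state` field stating that callers which pre-map the name must set it would document the invariant. As a style point, the `else` branch assigns `p = NULL` only so the `if (p != NULL)` block is skipped; the comment explains this, but `!user_info->mapped_state` reads more directly than the `== false` comparison.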