Commit f231a072 authored by Andrew Bartlett, committed by Isaac Boukris

s4-auth: Allow simple bind login of a user with an @ in the samAccountName

LDAP Simple BIND authentications have already been mapped to a
DOMAIN\username pair and should not be mapped twice.

This appears to be a regression in 09e24ce4
included in Samba 4.7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184
parent 8fbdff5c
^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_virtual_email_account_style_bind
\ No newline at end of file
......@@ -644,7 +644,27 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
return NT_STATUS_NO_SUCH_DOMAIN;
}
p = strchr_m(account_name, '@');
/*
* If we have not already mapped this user, then now is a good
* time to do so, before we look it up. We used to do this
* earlier, but in a multi-forest environment we want to do
* this mapping at the final domain.
*
* However, on the flip side we may have already mapped the
* user if this was an LDAP simple bind, in which case we
* really, really want to get back to exactly the same account
* we got the DN for.
*/
if (user_info->mapped_state == false) {
p = strchr_m(account_name, '@');
} else {
/*
* This is slightly nicer than double-indenting the
* block below
*/
p = NULL;
}
if (p != NULL) {
const char *nt4_domain = NULL;
const char *nt4_account = NULL;
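Review bot: the new condition `if (user_info->mapped_state == false)` skips the '@' split for every request that arrives already mapped, but the comment above it justifies this only for LDAP simple bind. Since this decides which account the password is checked against, the comment should say that `mapped_state` is the value being trusted here and that a set flag means account_name is looked up verbatim, so a later caller that sets it for another reason does not silently bypass the mapping done in the `if (p != NULL)` block. The test named in this commit covers the bind with an '@' in the samAccountName; a companion case for an unmapped user@realm login that still takes the `p != NULL` path would guard the other side of the branch. Minor: assigning `p = NULL` before the `if` would remove the need for the `else` branch and its explanatory comment.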