summaryrefslogtreecommitdiffstats
path: root/WHATSNEW.txt
diff options
context:
space:
mode:
authorSteven Danneman <steven.danneman@isilon.com>2009-02-12 13:01:45 -0800
committerSteven Danneman <steven.danneman@isilon.com>2009-02-12 13:55:44 -0800
commit5cd4b7b7c03df6e896186d985b6858a06aa40b3f (patch)
tree8aba35ab96a7efba2b35a7052f6a6e4e0050fe90 /WHATSNEW.txt
parentfeec49d5cd07a69991d1bc6dc6325ecda21a19a8 (diff)
downloadsamba-5cd4b7b7c03df6e896186d985b6858a06aa40b3f.tar.gz
samba-5cd4b7b7c03df6e896186d985b6858a06aa40b3f.tar.xz
samba-5cd4b7b7c03df6e896186d985b6858a06aa40b3f.zip
s3: Added new parameter "map untrusted to domain"
When enabled this reverts smbd to the legacy domain remapping behavior when a user provides an untrusted domain This partially reverts d8c54fdd
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r--WHATSNEW.txt23
1 files changed, 21 insertions, 2 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 65d226cfc27..066f7189992 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -10,8 +10,27 @@ system at https://bugzilla.samba.org/.
Major enhancements in Samba 3.4.0 include:
-o
-
+Authentication Changes:
+o Changed the way smbd handles untrusted domain names given during user
+ authentication
+
+Authentication Changes
+======================
+
+Previously, when Samba was a domain member and a client was connecting using an
+untrusted domain name, such as BOGUS\user smbd would remap the untrusted
+domain to the primary domain smbd was a member of and attempt authentication
+using that DOMAIN\user name. This differed from how a Windows member server
+would behave. Now, smbd will replace the BOGUS name with it's SAM name. In
+the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
+where smbd is acting as a domain member server this will be WORKSTATION\user.
+Thus, smbd will never assume that an incoming user name which is not qualified
+with the same primary domain, is part of smbd's primary domain.
+
+While this behavior matches Windows, it may break some workflows which depended
+on smbd to always pass through bogus names to the DC for verification. A new
+parameter "map untrusted to domain" can be enabled to revert to the legacy
+behavior.
######################################################################
Reporting bugs & Development Discussion