All,

I'm in the process of migrating a samba server from Solaris 10 (running 3.0.37) to Solaris 11 Express (running 3.5.5). The system is joined to a Win2k3 Active Directory. Migrating the configuration worked fine, the shares are available and everything mostly works as intended.

The problem we're having is with the syntax of authentication requests from Windows client machines. On the old server, users could provide credentials using either of two formats: "user@domain.com", or "DOMAIN\user". After migrating to the new system, only "DOMAIN\user" is accepted as valid. Using the other method results in the following:

check_ntlm_password: Authentication for user [user@domain.com] -> [user@domain.com] FAILED with error NT_STATUS_NO_SUCH_USER

I've experimented a bit with a username map script, but gather from the documentation that this won't have the desired effect in ADS mode as it is processed AFTER the initial authentication. Of course, we have lots of documentation and a couple hundred users that are trained to use "user@domain.com" as their username.

My question is, has this behavior deliberately changed in more modern versions of Samba, or am I missing a piece of the configuration somewhere? Any pointers in the right direction would be most appreciated. smb.conf pasted below.

Regards,
Nick

#======================= Global Settings =======================
[global]

## Browsing/Identification ###

   workgroup = SUBDOM
   security = ads
   encrypt passwords = true
   realm = SUBDOM.DOMAIN.COM
   obey pam restrictions = yes
   posix locking = no
   unix extensions = no
   nt acl support = no

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
#   security = user

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
#   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
   passdb backend = tdbsam

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#======================= Share Definitions =======================
[homes]
   comment = Home Directories
   browseable = no
   vfs objects = zfsacl
   follow symlinks = yes
   wide links = yes
   map readonly = Permissions
   map system = no
   map archive = no
   writable = yes
   create mask = 0644
   directory mask = 0755
   valid users = %S
Jonathan Buzzard
2011-Jul-19 23:09 UTC
[Samba] 3.5.5, ADS mode, user authentication syntax
Nick Dugan wrote:
[SNIP]
> My question is, has this behavior deliberately changed in more modern
> versions of Samba, or am I missing a piece of the configuration
> somewhere? Any pointers in the right direction would be most
> appreciated. smb.conf pasted below.
>

Yes, the behaviour has changed, though the concept of using user@domain.com as a username is something I have never come across before. It is distinctly un-Windows like and I am astounded it ever worked. Anyway, try adding "map untrusted to domain = yes" and see if that helps. See the smb.conf manual page for details; the behaviour changed in 3.4.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
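To make the suggested fix concrete, here is an added example (not Samba's code, and not from anyone in this thread) that models, in simplified form, how a domain-member smbd splits a client-supplied logon name and which account database it then consults. It shows why "user@realm" ends in NT_STATUS_NO_SUCH_USER on 3.4 and later unless "map untrusted to domain = yes" is set. The server SAM name (SMBSRV), the trusted-domain set and the account tables are constructed values; only the workgroup SUBDOM comes from the smb.conf posted above.

```python
# Added example, not Samba's code: a simplified model of how a domain-member
# smbd splits a client-supplied logon name and which account database it then
# consults. It illustrates why "user@realm" fails with NT_STATUS_NO_SUCH_USER
# on 3.4 and later unless "map untrusted to domain = yes" is set. The server
# name, trusted-domain set and account tables below are constructed values.

WORKGROUP = "SUBDOM"          # primary domain, from the thread's smb.conf
SERVER_SAM = "SMBSRV"         # constructed: the member server's own SAM name
TRUSTED_DOMAINS = {"SUBDOM"}  # constructed: NetBIOS names the server trusts

# Constructed account databases: AD holds the real users, the member server's
# local SAM (tdbsam) holds none of them.
ACCOUNTS = {
    "SUBDOM": {"nick", "adam"},
    "SMBSRV": set(),
}


def split_logon_name(name):
    """Return (domain, user) for 'DOMAIN\\user', 'user@realm' or a bare 'user'."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain.upper(), user
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        # The realm string is carried through as the domain name verbatim; it
        # is not the NetBIOS name in TRUSTED_DOMAINS, so it counts as untrusted.
        return realm.upper(), user
    return WORKGROUP, name


def effective_domain(domain, map_untrusted):
    """Rewrite an untrusted domain the way the smb.conf parameter describes:
    to the primary domain when mapping is on, otherwise to the server's SAM."""
    if domain in TRUSTED_DOMAINS:
        return domain
    return WORKGROUP if map_untrusted else SERVER_SAM


def check_logon(name, map_untrusted=False):
    """Return a log-style outcome for one logon name."""
    domain, user = split_logon_name(name)
    target = effective_domain(domain, map_untrusted)
    if user in ACCOUNTS.get(target, set()):
        return f"[{name}] -> [{target}\\{user}] OK"
    return f"[{name}] FAILED with error NT_STATUS_NO_SUCH_USER"


if __name__ == "__main__":
    for cred in ("SUBDOM\\nick", "nick@subdom.domain.com", "nick"):
        for mapped in (False, True):
            print(f"map untrusted to domain = {'yes' if mapped else 'no':3}  "
                  + check_logon(cred, mapped))
```

With mapping off, the UPN form lands in the server's own SAM, where the AD user does not exist, hence NT_STATUS_NO_SUCH_USER; with mapping on it is redirected to SUBDOM and authenticates. The flip side for anyone enabling the parameter: any domain string a client supplies that the server does not recognise is rewritten to the primary domain, so the domain portion of a credential no longer influences where the password is checked; the domain controller's password verification remains the actual gate.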
> Jonathan Buzzard wrote:
> 
> Anyway, try adding "map untrusted to domain = yes" and see if that
> helps. See the smb.conf manual page for details; the behaviour changed
> in 3.4.

That was the trick, thank you!

-ND
On Wed, 2011-07-20 at 00:09 +0100, Jonathan Buzzard wrote:
> Yes, the behaviour has changed, though the concept of using
> user@domain.com as a username is something I have never come across
> before. It is distinctly un-Windows like and I am astounded it ever worked.

On the contrary, the user@domain style of username is a normal part of a Windows AD ("user principal name"); for example, see http://technet.microsoft.com/en-us/library/cc739093(WS.10).aspx

"In Active Directory, each user account has a UPN based on IETF RFC 822, Standard for the Format of ARPA Internet Text Messages. The UPN is composed of the user logon name and the UPN suffix joined by the @ sign."

Adam