samba - Mar 2019 - 4.8+ started requiring full UPN for logon

Hi guys,

It appears that Samba 4.8 breaks the Windows' ability to log in without
specifying a matching domain name.
Since the upgrade, logging in with just the username or .\username has
become impossible, and only SAMBAHOSTNAME\username still works.
I'm running an Apple OpenDirectory + nslcd setup. The username (e_user)
still resolves properly via NSS.

Is there anything I could have missed when upgrading?

Auth attempt log:

  check_ntlm_password:  Checking password for unmapped user
[WIN-9F1GSF1XXXX]\[e_user]@[WIN-9F1GSF1XXXX] with the new password interface
  check_ntlm_password:  mapped user is:
[WIN-9F1GSF1XXXX]\[e_user]@[WIN-9F1GSF1XXXX]
  Check auth for: [e_user]
  auth_check_ntlm_password: anonymous had nothing to say
  Check auth for: [e_user]
  is_myname("WIN-9F1GSF1XXXX") returns 0
  check_samstrict_security: WIN-9F1GSF1XXXX is not one of my local names or
domain name (DC)
  auth_check_ntlm_password: sam had nothing to say


Globals:

  disable netbios = Yes
  dns proxy = No
  domain logons = Yes
  ldap admin dn = uid=diradmin,cn=users,dc=directory,dc=xxx,dc=com
  ldap ssl = no
  ldap suffix = dc=directory,dc=xxx,dc=com
  map to guest = Bad User
  ntlm auth = ntlmv1-permitted
  nt pipe support = No
  passdb backend = ldapsam:ldap://directory.xxx.com
  security = USER
  server min protocol = NT1
  server string = XXX SMB
  workgroup = XXX
  idmap config * : backend = tdb
  map archive = No
  map readonly = no
  nt acl support = No

Cheers,
Eugene

On Mon, 11 Mar 2019 11:49:10 +0100
Eugene Pankov via samba <samba at lists.samba.org> wrote:
> Hi guys,
> 
> It appears that Samba 4.8 breaks the Windows' ability to log in
> without specifying a matching domain name.
Hmm, I thought this was actually fixed in 4.8.0, see this bug report:

https://bugzilla.samba.org/show_bug.cgi?id=13206

Rowland

I've gone through the changelog, but I think that specific fix might be
unrelated, as there's actually a "domain" part being passed by the
client
(the client's hostname).
I tried upgrading to the latest 4.9 as well, and it's still broken.
My gut feeling is that it's specific to ldapsam, as similar environments
with local users only work as expected.

On Mon, Mar 11, 2019 at 12:57 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Mon, 11 Mar 2019 11:49:10 +0100
> Eugene Pankov via samba <samba at lists.samba.org> wrote:
>
> > Hi guys,
> >
> > It appears that Samba 4.8 breaks the Windows' ability to log in
> > without specifying a matching domain name.
>
> Hmm, I thought this was actually fixed in 4.8.0, see this bug report:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13206
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>