s4-auth: Allow simple bind login of a user with an @ in the samAccountName
author Andrew Bartlett <abartlet@samba.org>
Sun, 9 Feb 2020 22:52:33 +0000 (11:52 +1300)
committer Isaac Boukris <iboukris@sn-devel-184>
Fri, 14 Feb 2020 17:13:33 +0000 (17:13 +0000)
LDAP Simple BIND authentications have already been mapped to a
DOMAIN\username pair and should not be mapped twice.

This appears to be a regression in 09e24ce40f89ac2f03d0c5fefa8b59f0d113fa6b
included in Samba 4.7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Feb 14 17:13:33 UTC 2020 on sn-devel-184

selftest/knownfail.d/ldap-virtual-users [deleted file]
source4/auth/ntlm/auth_sam.c

diff --git a/selftest/knownfail.d/ldap-virtual-users b/selftest/knownfail.d/ldap-virtual-users
deleted file mode 100644 (file)
index 318a2b5..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.bind\(fl2008r2dc\).__main__.BindTests.test_virtual_email_account_style_bind
\ No newline at end of file
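Review bot: Dropping this knownfail entry is only justified if test_virtual_email_account_style_bind now passes rather than being skipped; the entry was scoped to the fl2008r2dc environment, so it is worth confirming that the test is actually exercised there (and in any other environment where a simple bind with an @ in the samAccountName is tested), otherwise the regression described in the commit message could reappear without a failing test.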
index fb88cb87f66801f38fa085c5bd0b60ab9f8135cd..70eddc12c53c6b4cd257228b5260bd2ec756f168 100644 (file)
@@ -644,7 +644,27 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
                return NT_STATUS_NO_SUCH_DOMAIN;
        }
 
-       p = strchr_m(account_name, '@');
+       /*
+        * If we have not already mapped this user, then now is a good
+        * time to do so, before we look it up.  We used to do this
+        * earlier, but in a multi-forest environment we want to do
+        * this mapping at the final domain.
+        *
+        * However, on the flip side we may have already mapped the
+        * user if this was an LDAP simple bind, in which case we
+        * really, really want to get back to exactly the same account
+        * we got the DN for.
+        */
+       if (user_info->mapped_state == false) {
+               p = strchr_m(account_name, '@');
+       } else {
+               /*
+                * This is slightly nicer than double-indenting the
+                * block below
+                */
+               p = NULL;
+       }
+
        if (p != NULL) {
                const char *nt4_domain = NULL;
                const char *nt4_account = NULL;
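Review bot: The correctness of this hunk rests on `mapped_state` being true only when the LDAP simple bind has already resolved the name to a DOMAIN\username pair: once `mapped_state` is set, `p` is forced to NULL and the `@` split below is skipped, so an account name that still contains an `@` is looked up verbatim against the domain. Please confirm (outside this hunk) that the simple-bind path sets `mapped_state` only after a successful mapping and that nothing sets it for NTLM or UPN-style logins, which still depend on the `strchr_m(account_name, '@')` branch. Minor style points: `user_info->mapped_state == false` reads more naturally as `!user_info->mapped_state`, and initialising `p` to NULL where it is declared would remove the `else` branch and the comment explaining it.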