<samba:parameter name="map untrusted to domain"
context="G"
- type="boolean"
+ type="enum"
+ enumlist="enum_bool_auto"
deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ With <smbconfoption name="map untrusted to domain">auto</smbconfoption>
+ smbd will defer the decision whether the domain name provided by the
+ client is a valid domain name to the Domain Controller (DC) of
+ the domain it is a member of, if it is not a DC. If the DC indicates
+ that the domain portion is unknown, then a local authentication is performed.
+ Standalone servers always ignore the domain. This is basically the same as
+ the behavior implemented in Windows.
+ </para>
+
<para>
By default, and with <smbconfoption name="map untrusted to domain">no</smbconfoption>,
if a client connects to smbd using an untrusted domain name, such as
attempting to authenticate that user. In the case where smbd is acting as
a NT4 PDC/BDC this will be DOMAIN\user. In the case where smbd is acting as a
domain member server or a standalone server this will be WORKSTATION\user.
+ While this appears similar to the behaviour of
+ <smbconfoption name="map untrusted to domain">auto</smbconfoption>,
+ the difference is that smbd will use a cached (maybe incomplete) list
+ of trusted domains in order to classify a domain as "untrusted"
+ before contacting any DC first.
</para>
<para>
primary domain before attempting to authenticate that user.
This will be DOMAIN\user in all server roles except active directory domain controller.
</para>
+
+ <para>
+ <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
+ with Samba 4.7.0.
+ </para>
</description>
<value type="default">no</value>