X-Git-Url: http://git.samba.org/samba.git/?p=ira%2Fwip.git;a=blobdiff_plain;f=WHATSNEW.txt;h=066f7189992c8ac01c054c3fe2205ab1180cfa45;hp=65d226cfc2777ec028d2c2fb17887db287257a7a;hb=0abfc90ac900f77aad33a748f3ee73f3b3483f7c;hpb=88795452824149e86ebcf85f571050a713144783

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 65d226cfc27..066f7189992 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -10,8 +10,27 @@ system at https://bugzilla.samba.org/.
 
 Major enhancements in Samba 3.4.0 include:
 
-o
-
+Authentication Changes:
+o Changed the way smbd handles untrusted domain names given during user
+  authentication
+
+Authentication Changes
+======================
+
+Previously, when Samba was a domain member and a client was connecting using an
+untrusted domain name, such as BOGUS\user smbd would remap the untrusted
+domain to the primary domain smbd was a member of and attempt authentication
+using that DOMAIN\user name.  This differed from how a Windows member server
+would behave.  Now, smbd will replace the BOGUS name with it's SAM name.  In
+the case where smbd is acting as a PDC this will be DOMAIN\user.  In the case
+where smbd is acting as a domain member server this will be WORKSTATION\user.
+Thus, smbd will never assume that an incoming user name which is not qualified
+with the same primary domain, is part of smbd's primary domain.
+
+While this behavior matches Windows, it may break some workflows which depended
+on smbd to always pass through bogus names to the DC for verification.  A new
+parameter "map untrusted to domain" can be enabled to revert to the legacy
+behavior.
 
 ######################################################################
 Reporting bugs & Development Discussion