auth3: prepare the logic for "map untrusted to domain = auto"
authorStefan Metzmacher <metze@samba.org>
Wed, 22 Mar 2017 11:08:20 +0000 (12:08 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 16 Jun 2017 01:21:29 +0000 (03:21 +0200)
This implements the same behavior as Windows:
we should pass the domain and account names given
by the client directly to the auth backends, so that
they can decide whether they are able to process the
authentication or pass it to the next backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/auth/auth_util.c

index ec597e8884f0c4dcccc0dd0800f1105ac404bde3..1021f2a6fef664900d952f367477ed7b15206328 100644 (file)
@@ -111,6 +111,7 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
        bool was_mapped;
        char *internal_username = NULL;
        bool upn_form = false;
+       int map_untrusted = lp_map_untrusted_to_domain();
 
        if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
                upn_form = true;
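Review bot: The new local `map_untrusted` holds a three-valued setting in a plain `int`, and nothing at the declaration says so. The second hunk then tests it as a boolean in `if (map_untrusted) {`. That test is only correct because the outer condition has already excluded `Auto`; the numeric value of `Auto` is not visible in this diff, so the dependency is easy to break in a later edit. I would add a comment at the declaration such as `/* false, true or Auto; Auto leaves the client-supplied domain untouched */` and make the inner test explicit, for example `if (map_untrusted == true) {`. The body of make_user_info_map starts and ends outside this hunk.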
@@ -134,15 +135,16 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
         * non-domain member box will also map to WORKSTATION\user.
         * This also deals with the client passing in a "" domain */
 
-       if (!upn_form &&
+       if (map_untrusted != Auto && !upn_form &&
            !strequal(domain, my_sam_name()) &&
            !strequal(domain, get_global_sam_name()) &&
            !is_trusted_domain(domain))
        {
-               if (lp_map_untrusted_to_domain())
+               if (map_untrusted) {
                        domain = my_sam_name();
-               else
+               } else {
                        domain = get_global_sam_name();
+               }
                DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
                          "workstation [%s]\n",
                          client_domain, domain, smb_name, workstation_name));
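Review bot: The comment block above the condition still describes the mapping as unconditional ("will also map to WORKSTATION\user"), but with `map_untrusted != Auto` in the guard the Auto case now skips the whole block. In that case the domain string supplied by the client reaches the auth backends unchanged. That is a trust-boundary change worth stating where it happens, since every backend must then reject or pass on domains it is not authoritative for. I would extend the comment with something like `/* With "map untrusted to domain = auto" the client-supplied domain is passed through as-is; each auth backend decides whether it is authoritative for it. */`. The `DEBUG(5, ...)` line also sits inside the guarded block, so the Auto path logs nothing about the domain it passed through; an equivalent debug line for that case would help when tracing authentication failures. The function continues outside the hunk, so later handling of `domain` is not visible here.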