check for bad usernames early in session setup

source/smbd/reply.c

@@ -858,6 +858,12 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
 	     domain,native_os,native_lanman));
   }
 
+  /* don't allow for weird usernames */
+  alpha_strcpy(user, user, ". _-", sizeof(user));
+  if (strstr(user, "..")) {
+	  return bad_password_error(inbuf, outbuf);
+  }
+
   DEBUG(3,("sesssetupX:name=[%s]\n",user));
 
   /* If name ends in $ then I think it's asking about whether a */