A number of things to clean up the auth subsytem a bit...

We now default encrypt passwords = yes

We now check plaintext passwords (however aquired) with the 'sam' backend
rather than unix, if encrypt passwords = yes.

(this kills off the 'local' backed.  The sam backend may be renamed in its
place)

The new 'samstrict' wrapper backend checks that the user's domain is one of
our netbios aliases - this ensures that we don't get fallback crazies with
security = domain.

Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks
that the user was not local before contacting the DC.

The default ordering has changed, we now check the local stuff first - but
becouse of the changes above, we will really only ever contact one
auth source.

Andrew Bartlett

source/auth/auth_server.c

@@ -186,6 +186,17 @@ static NTSTATUS check_smbserver_security(void *my_private_data,
 	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 	BOOL locally_made_cli = False;
 
+	/* 
+	 * Check that the requested domain is not our own machine name.
+	 * If it is, we should never check the PDC here, we use our own local
+	 * password file.
+	 */
+
+	if(is_netbios_alias_or_name(user_info->domain.str)) {
+		DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
 	cli = my_private_data;
 	
 	if (cli) {