Revert upstream changes e7bc23e44c0^..43984b8292
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index fbc36423e2b..8e7fa914748 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -110,6 +110,12 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	NTSTATUS result;
 	bool was_mapped;
 	char *internal_username = NULL;
+	bool upn_form = false;
+	int map_untrusted = lp_map_untrusted_to_domain();
+
+	if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
+		upn_form = true;
+	}
 
 	was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
 	if (!internal_username) {
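Review bot: The added `if` classifies a name as UPN-form on nothing more than an empty client domain plus any '@' in smb_name, and no comment says what that classification is for; the second hunk of this file uses `!upn_form` to exempt such names from the untrusted-domain rewrite, so the intent should be stated here, e.g. `/* Empty client domain plus '@' in the name: treat as a UPN (user@realm) and leave the domain untouched by the untrusted-domain mapping below. */`. Both `client_domain[0]` and `strchr(smb_name, '@')` presume non-NULL arguments, which matches the existing `%s` use of both in the DEBUG call that follows, but is a precondition callers must keep honouring. make_user_info_map begins before this hunk.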
@@ -119,12 +125,35 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
 		 client_domain, smb_name, workstation_name));
 
-	/*
-	 * We let the auth stack canonicalize, username
-	 * and domain.
-	 */
 	domain = client_domain;
 
+	/* If you connect to a Windows domain member using a bogus domain name,
+	 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
+	 * the Windows box is a DC the name will become DOMAIN\user and be
+	 * authenticated against AD, if the Windows box is a member server but
+	 * not a DC the name will become WORKSTATION\user. A standalone
+	 * non-domain member box will also map to WORKSTATION\user.
+	 * This also deals with the client passing in a "" domain */
+
+	if (map_untrusted != Auto && !upn_form &&
+	    !strequal(domain, my_sam_name()) &&
+	    !strequal(domain, get_global_sam_name()) &&
+	    !is_trusted_domain(domain))
+	{
+		if (map_untrusted) {
+			domain = my_sam_name();
+		} else {
+			domain = get_global_sam_name();
+		}
+		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
+			  "workstation [%s]\n",
+			  client_domain, domain, smb_name, workstation_name));
+	}
+
+	/* We know that the given domain is trusted (and we are allowing them),
+	 * it is our global SAM name, or for legacy behavior it is our
+	 * primary domain name */
+
 	result = make_user_info(mem_ctx, user_info, smb_name, internal_username,
 				client_domain, domain, workstation_name,
 				remote_address, local_address,
diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
new file mode 100644
index 00000000000..f782a512204
--- /dev/null
+++ b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
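Review bot: The trailing comment "We know that the given domain is trusted ... or our primary domain name" is only true on the path through the new `if`; when `map_untrusted == Auto` (the default both loadparm hunks install) or `upn_form` is set, `domain` is passed to make_user_info() unchanged and may be anything the client sent. I would reword it to `/* Unless "map untrusted to domain" is auto or the name is UPN-form, domain is now a trusted domain, our global SAM name or (legacy) our primary domain; otherwise it is passed through for the auth stack / DC to decide. */`. Note also that the `!upn_form` exemption is reachable by any client that sends an empty domain and a name containing '@', so in the `yes`/`no` modes the forced local-authentication rewrite is a convenience mapping, not a security boundary, and the comment should not read as one. Classification rests on `is_trusted_domain(domain)`, which the accompanying documentation describes as a possibly incomplete cached list, so a genuinely trusted but not-yet-cached domain can be rewritten to local authentication with only a level-5 DEBUG as a trace. make_user_info_map begins before and continues after this hunk.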
@@ -0,0 +1,55 @@
+
+
+
+ By default, and with auto
+ smbd will defer the decision whether the domain name provided by the
+ client is a valid domain name to the Domain Controller (DC) of
+ the domain it is a member of, if it is not a DC. If the DC indicates
+ that the domain portion is unknown, then a local authentication is performed.
+ Standalone servers always ignore the domain. This is basically the same as
+ the behavior implemented in Windows.
+
+
+
+ With no,
+ if a client connects to smbd using an untrusted domain name, such as
+ BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
+ (forcing local authentication) before
+ attempting to authenticate that user. In the case where smbd is acting as
+ a NT4 PDC/BDC this will be DOMAIN\user. In the case where smbd is acting as a
+ domain member server or a standalone server this will be WORKSTATION\user.
+ While this appears similar to the behaviour of
+ auto,
+ the difference is that smbd will use a cached (maybe incomplete) list
+ of trusted domains in order to classify a domain as "untrusted"
+ before contacting any DC first.
+
+
+
+ With yes,
+ smbd provides the legacy behavior matching that of versions of Samba pre 3.4:
+ the BOGUS domain name would always be replaced by the
+ primary domain before attempting to authenticate that user.
+ This will be DOMAIN\user in all server roles except active directory domain controller.
+
+
+
+ no,
+ was the default up to Samba 4.6.
+
+
+
+ auto was added
+ and become the default with Samba 4.7.0. As the option is marked as
+ deprecated it will be removed in a future release, while the behavior of
+ auto will be kept.
+
+
+
+auto
+
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index ddb45073b1b..508fa5a692d 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2840,6 +2840,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
+	lpcfg_do_global_parameter(lp_ctx, "map untrusted to domain", "auto");
+
 	lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
 	lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 5853c8f70c0..a34b3dbd1ad 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -867,6 +867,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.min_receivefile_size = 0;
+	Globals.map_untrusted_to_domain = Auto;
 	Globals.multicast_dns_register = true;
 	Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
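Review bot: The default for `map untrusted to domain` is now established in two independent places with no cross-reference: the string `"auto"` passed to lpcfg_do_global_parameter() in loadparm_init() here, and the enum value `Auto` assigned in init_globals() in source3/param/loadparm.c. The auth code in this same commit tests `map_untrusted != Auto`, so if one site is later changed without the other the two stacks would silently disagree about the default mapping behaviour. A one-line comment at each site, e.g. `/* Keep in sync with Globals.map_untrusted_to_domain in source3/param/loadparm.c */`, would make the coupling visible. Both enclosing functions start and end outside these hunks.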