bool upn_form = false;

	int map_untrusted = lp_map_untrusted_to_domain();

	if (client_domain[0] == '\0' && strchr(smb_name, '@')) {

		upn_form = true;

	}

	/* If you connect to a Windows domain member using a bogus domain name,

	 * the Windows box will map the BOGUS\user to SAMNAME\user.  Thus, if

	 * the Windows box is a DC the name will become DOMAIN\user and be

	 * authenticated against AD, if the Windows box is a member server but

	 * not a DC the name will become WORKSTATION\user.  A standalone

	 * non-domain member box will also map to WORKSTATION\user.

	 * This also deals with the client passing in a "" domain */

	if (map_untrusted != Auto && !upn_form &&

	    !strequal(domain, my_sam_name()) &&

	    !strequal(domain, get_global_sam_name()) &&

	    !is_trusted_domain(domain))

	{

		if (map_untrusted) {

			domain = my_sam_name();

		} else {

			domain = get_global_sam_name();

		}

		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "

			  "workstation [%s]\n",

			  client_domain, domain, smb_name, workstation_name));

	}

	/* We know that the given domain is trusted (and we are allowing them),

	 * it is our global SAM name, or for legacy behavior it is our

	 * primary domain name */

<samba:parameter name="map untrusted to domain"

                 context="G"

                 type="enum"

                 enumlist="enum_bool_auto"

                 deprecated="1"

                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">

<description>

    <para>

    By default, and with <smbconfoption name="map untrusted to domain">auto</smbconfoption>

    smbd will defer the decision whether the domain name provided by the

    client is a valid domain name to the Domain Controller (DC) of

    the domain it is a member of, if it is not a DC.  If the DC indicates

    that the domain portion is unknown, then a local authentication is performed.

    Standalone servers always ignore the domain.  This is basically the same as

    the behavior implemented in Windows.

    </para>

    <para>

    With <smbconfoption name="map untrusted to domain">no</smbconfoption>,

    if a client connects to smbd using an untrusted domain name, such as

    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name

    (forcing local authentication) before

    attempting to authenticate that user.  In the case where smbd is acting as

    a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a

    domain member server or a standalone server this will be WORKSTATION\user.

    While this appears similar to the behaviour of

    <smbconfoption name="map untrusted to domain">auto</smbconfoption>,

    the difference is that smbd will use a cached (maybe incomplete) list

    of trusted domains in order to classify a domain as "untrusted"

    before contacting any DC first.

    </para>

    <para>

    With <smbconfoption name="map untrusted to domain">yes</smbconfoption>,

    smbd provides the legacy behavior matching that of versions of Samba pre 3.4:

    the BOGUS domain name would always be replaced by the

    primary domain before attempting to authenticate that user.

    This will be DOMAIN\user in all server roles except active directory domain controller.

    </para>

    <para>

    <smbconfoption name="map untrusted to domain">no</smbconfoption>,

    was the default up to Samba 4.6.

    </para>

    <para>

    <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added

    and become the default with Samba 4.7.0. As the option is marked as

    <constant>deprecated</constant> it will be removed in a future release, while the behavior of

    <smbconfoption name="map untrusted to domain">auto</smbconfoption> will be kept.

    </para>

</description>

<value type="default">auto</value>

</samba:parameter>

	lpcfg_do_global_parameter(lp_ctx, "map untrusted to domain", "auto");

	Globals.map_untrusted_to_domain = Auto;