The Samba-Bugzilla – Attachment 18682 Details for Bug 15891: Figuring out the DC name from IP address fails and breaks fork_domain_child()
[patch] patch for 4.22 and 4.21
v4-22-test-fix_ipa_dc.patch (text/plain), 6.07 KB, created by Andreas Schneider on 2025-08-06 08:09:53 UTC
>From e259c6c4bb84129fb996d635078505bf017f9300 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Wed, 23 Jul 2025 15:09:21 +0200 >Subject: [PATCH 1/4] s3:winbindd: Resolve dc name using CLDAP also for > ROLE_IPA_DC >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling >in dcip_check_name(). We should resolve the DC name using: >- CLDAP in dcip_check_name_ads() >instead of: >- NETBIOS in nbt_getdc() that fails if Windows is not providing netbios. > >The impacted environment has: > >domain->alt_name = example.com >domain->active_directory = 1 >security = USER >server role = ROLE_IPA_DC > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Signed-off-by: Andreas Schneider <asn@samba.org> >Pair-programmed-with: Andreas Schneider <asn@samba.org> > >Reviewed-by: Alexander Bokovoy <ab@samba.org> >(cherry picked from commit 4921c3304e5e0480e5bb80a757b3f04b3b92c3b1) >--- > source3/winbindd/winbindd_cm.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index 741761f606b..a14f42001e9 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -1098,7 +1098,9 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx, > > if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) { > is_ad_domain = true; >- } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) { >+ } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || >+ lp_server_role() == ROLE_IPA_DC) >+ { > is_ad_domain = domain->active_directory; > } > >-- >2.50.1 > > >From 9adbba3fc68f1f04abaf8e9877795699f72cd9d1 Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 4 Aug 2025 08:35:29 +0200 >Subject: [PATCH 2/4] docs-xml: Make smb.conf 'server role' value consistent > with ROLE_IPA_DC in libparam >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit d88268102ade07fab345e04109818d97d8843a14) >--- > docs-xml/smbdotconf/security/serverrole.xml | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml >index 4ea4e4751ee..40244e125ce 100644 >--- a/docs-xml/smbdotconf/security/serverrole.xml >+++ b/docs-xml/smbdotconf/security/serverrole.xml >@@ -78,7 +78,7 @@ > url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4 > HOWTO</ulink></para> > >- <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN CONTROLLER</emphasis></para> >+ <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA PRIMARY DOMAIN CONTROLLER</emphasis></para> > > <para>This mode of operation runs Samba in a hybrid mode for IPA > domain controller, providing forest trust to Active Directory. >-- >2.50.1 > > >From 4802593cc90a690c48d8b7c820a20386f51d3092 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 4 Aug 2025 23:26:02 +0200 >Subject: [PATCH 3/4] s3:netlogon: IPA DC is the PDC as well - allow > ROLE_IPA_DC in _netr_DsRGetForestTrustInformation() >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891 
> >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2) >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index 896e4e60d5a..c3759a558ca 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -2655,7 +2655,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, > return WERR_INVALID_FLAGS; > } > >- if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) { >+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) && >+ (lp_server_role() != ROLE_DOMAIN_PDC) && >+ (lp_server_role() != ROLE_IPA_DC)) >+ { > p->fault_state = DCERPC_FAULT_OP_RNG_ERROR; > return WERR_NERR_NOTPRIMARY; > } >-- >2.50.1 > > >From e742e3ebfddd1cc0028f5da4b7c78f60ffd03de9 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 4 Aug 2025 23:28:24 +0200 >Subject: [PATCH 4/4] s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in > gensec >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> >Autobuild-Date(master): Tue Aug 5 14:51:51 UTC 2025 on atb-devel-224 > >(cherry picked from commit a4dff82e45308db3ccabac2a55c03d52f04d7b4d) >--- > source3/utils/ntlm_auth.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > >diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c >index 905f33840b1..d39956c3bee 100644 
>--- a/source3/utils/ntlm_auth.c >+++ b/source3/utils/ntlm_auth.c >@@ -1355,7 +1355,11 @@ static NTSTATUS ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx, > > cli_credentials_set_conf(server_credentials, lp_ctx); > >- if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) { >+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || >+ lp_server_role() == ROLE_IPA_DC || >+ lp_security() == SEC_ADS || >+ USE_KERBEROS_KEYTAB) >+ { > cli_credentials_set_kerberos_state(server_credentials, > CRED_USE_KERBEROS_DESIRED, > CRED_SPECIFIED); >-- >2.50.1 >
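Review bot: in PATCH 1/4, the new ROLE_IPA_DC arm of the else-if in dcip_check_name() has no comment saying why an IPA DC is treated like an AD DC here. The reason exists only in the commit message: with security = USER the SEC_ADS branch does not match, and the NetBIOS lookup in nbt_getdc() fails when Windows is not providing NetBIOS. A short comment above the else-if stating that would keep the condition from being narrowed again later. lp_server_role() is also called twice in the same condition; reading it once into a local would be tidier.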
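Review bot: in PATCH 2/4, the emphasis line in serverrole.xml now reads IPA PRIMARY DOMAIN CONTROLLER, but the unchanged paragraph directly below it still describes the mode as "IPA domain controller". If the aim is to match the value libparam accepts, consider saying in that paragraph that the emphasized string is the exact value to put in smb.conf, so a reader does not take the two wordings for different roles.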
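Review bot: in PATCH 3/4, the relaxed condition in _netr_DsRGetForestTrustInformation() lets a request carrying DS_GFTI_UPDATE_TDO through on ROLE_IPA_DC, and the commit message gives no reasoning beyond its subject line. This loosens a gate in an RPC server call that previously answered WERR_NERR_NOTPRIMARY for every role except ROLE_DOMAIN_PDC, so please state in the commit message or in a comment at the check why an IPA DC may handle the flag, and add a test that sends DS_GFTI_UPDATE_TDO under this role. lp_server_role() is evaluated twice here as well; a local would make the three-way condition easier to read.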
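Review bot: in PATCH 4/4, the condition in ntlm_auth_prepare_gensec_server() repeats the ROLE_ACTIVE_DIRECTORY_DC || ROLE_IPA_DC pair that PATCH 1/4 adds in dcip_check_name(). A small helper for that pair would keep the call sites from drifting apart when another role is added. A comment saying why an IPA DC should get CRED_USE_KERBEROS_DESIRED would also help, since the commit message has no body.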
Flags: ab: review+