Bug 12419 - AD access check function isn't IPv6-aware.
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2016-11-11 04:59 UTC by Jeremy Allison
Modified: 2016-11-15 13:36 UTC (History)

See Also:


Attachments
git-am fix for master. (35.04 KB, patch), attached 2016-11-11 18:50 UTC by Jeremy Allison

Description Jeremy Allison 2016-11-11 04:59:07 UTC
From Heath Kehoe <heath@digitalartefacts.com>:

We have an AD environment backed entirely by Samba4. We have a
remote location where I spun up a Samba4 instance and made it a DC.
The remote subnet is connected to our "main" subnet via VPN, with
both IPv4 and IPv6.

I set up an AD Site for the remote location and assigned the
appropriate subnets (both v4 and v6) to it. However, a Windows
client at the remote location never associated with the correct site,
in that 'nltest /dsgetsite' always returned the default site. Also,
that client would sometimes use a DC at the main site; and worse,
clients at the main site sometimes bound to the DC at the remote
site, causing long login times.

So I tracked down what Samba was doing to match a client to a site.
I found samdb_client_site_name() which in turn uses
socket_allow_access() which led to masked_match() in
source4/lib/socket/access.c that clearly only worked with IPv4
addresses. Since we are using IPv6, clients failed to be matched
to any site.
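Added example, not code from Samba, from the attached patch, or from the bug report: a small dual-stack subnet matcher and site lookup in C. It shows what an IPv4-only prefix check of the kind described above does to an IPv6 client (every one falls through to the default site) and what an IPv6-aware check returns instead. The `demo_sites` table, the site names, the `ipv4_only` flag and all function names are constructed for illustration and are not Samba's; the only real convention reused is that an unmatched client gets the default site.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A parsed network prefix: family, raw address bytes, prefix length in bits. */
struct prefix {
    int family;             /* AF_INET or AF_INET6 */
    unsigned char addr[16]; /* 4 or 16 significant bytes */
    int bits;               /* 0..32 or 0..128 */
};

/* Parse "a.b.c.d[/N]" or "x:y::z[/N]" into *out. An IPv4-mapped IPv6 address
 * (::ffff:a.b.c.d), which is how a dual-stack socket reports IPv4 peers, is
 * normalised to AF_INET so it still matches IPv4 site subnets. Returns 1 on
 * success, 0 on malformed input (a bad address must never count as a match). */
static int parse_prefix(const char *text, struct prefix *out)
{
    char buf[INET6_ADDRSTRLEN + 5], *slash, *end;
    struct in6_addr v6;
    size_t len = strlen(text);
    int maxbits, mapped = 0;

    if (len >= sizeof(buf)) return 0;
    memcpy(buf, text, len + 1);
    slash = strchr(buf, '/');
    if (slash) *slash++ = '\0';

    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->family = AF_INET;  maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, &v6) == 1) {
        memcpy(out->addr, &v6, 16);
        out->family = AF_INET6; maxbits = 128;
        mapped = IN6_IS_ADDR_V4MAPPED(&v6);
    } else {
        return 0;
    }
    if (slash) {
        long n = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || n < 0 || n > maxbits) return 0;
        out->bits = (int)n;
    } else {
        out->bits = maxbits;
    }
    if (mapped) {   /* ::ffff:a.b.c.d/N with N >= 96 is the IPv4 prefix a.b.c.d/(N-96) */
        if (out->bits < 96) return 0;
        memmove(out->addr, out->addr + 12, 4);
        memset(out->addr + 4, 0, 12);
        out->family = AF_INET;
        out->bits -= 96;
    }
    return 1;
}

/* True when addr lies inside net: same family and the first net->bits bits agree. */
static int prefix_contains(const struct prefix *net, const struct prefix *addr)
{
    int full = net->bits / 8, rem = net->bits % 8;
    unsigned char mask;
    if (net->family != addr->family) return 0;
    if (memcmp(net->addr, addr->addr, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    mask = (unsigned char)(0xffu << (8 - rem));
    return (net->addr[full] & mask) == (addr->addr[full] & mask);
}

/* Is client_ip inside cidr? 0 for no match and for malformed input. */
int addr_in_subnet(const char *client_ip, const char *cidr)
{
    struct prefix net, addr;
    if (!parse_prefix(cidr, &net) || !parse_prefix(client_ip, &addr)) return 0;
    return prefix_contains(&net, &addr);
}

struct site_subnet { const char *cidr; const char *site; };

/* Constructed site table for this example; not taken from the bug report. */
const struct site_subnet demo_sites[] = {
    { "10.1.0.0/16",     "Main-Site" },   { "2001:db8:1::/48", "Main-Site" },
    { "10.2.0.0/16",     "Remote-Site" }, { "2001:db8:2::/48", "Remote-Site" },
};
const size_t demo_sites_len = sizeof(demo_sites) / sizeof(demo_sites[0]);

/* Longest-prefix match of client_ip over the table, default_site when nothing
 * matches. ipv4_only=1 models a matcher that cannot see IPv6 subnets at all. */
const char *site_for_client(const char *client_ip, const struct site_subnet *table,
                            size_t n, const char *default_site, int ipv4_only)
{
    struct prefix addr, net;
    const char *best = default_site;
    int best_bits = -1;
    size_t i;
    if (!parse_prefix(client_ip, &addr)) return default_site;
    for (i = 0; i < n; i++) {
        if (!parse_prefix(table[i].cidr, &net)) continue;
        if (ipv4_only && net.family != AF_INET) continue;
        if (prefix_contains(&net, &addr) && net.bits > best_bits) {
            best = table[i].site;
            best_bits = net.bits;
        }
    }
    return best;
}

int main(void)
{
    const char *clients[] = { "10.2.3.4", "2001:db8:2::10", "::ffff:10.1.5.6", "192.0.2.7" };
    size_t i;
    for (i = 0; i < sizeof(clients) / sizeof(clients[0]); i++)
        printf("%-18s ipv4-only: %-24s ipv6-aware: %s\n", clients[i],
               site_for_client(clients[i], demo_sites, demo_sites_len, "Default-First-Site-Name", 1),
               site_for_client(clients[i], demo_sites, demo_sites_len, "Default-First-Site-Name", 0));
    return 0;
}
```

With `ipv4_only` set, the IPv6 client `2001:db8:2::10` is reported in `Default-First-Site-Name` even though a subnet for it is configured, which is the symptom the report describes (`nltest /dsgetsite` returning the default site); with the family-aware comparison it lands in `Remote-Site`. The mapped-address normalisation matters on dual-stack listeners, where IPv4 peers arrive as `::ffff:a.b.c.d` and would otherwise miss every IPv4 subnet.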
Comment 1 Jeremy Allison 2016-11-11 18:50:06 UTC
Created attachment 12656 [details]
git-am fix for master.

Test patch.