Bug 12419 - AD access check function isn't IPv6-aware.
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-11-11 04:59 UTC by Jeremy Allison
Modified: 2018-01-24 10:14 UTC

git-am fix for master. (35.04 KB, patch)
2016-11-11 18:50 UTC, Jeremy Allison

Description Jeremy Allison 2016-11-11 04:59:07 UTC
From Heath Kehoe <heath@digitalartefacts.com>:

We have an AD environment backed entirely by Samba4. We have a
remote location where I spun up a Samba4 instance and made it a DC.
The remote subnet is connected to our "main" subnet via VPN, with
both IPv4 and IPv6.

I set up an AD Site for the remote location and assigned the
appropriate subnets (both v4 and v6) to it. However, a Windows
client at the remote location never associated with the correct site,
in that 'nltest /dsgetsite' always returned the default site. Also,
that client would sometimes use a DC at the main site; and worse,
clients at the main site sometimes bound to the DC at the remote
site's DC causing long login times.

So I tracked down what Samba was doing to match a client to a site.
I found samdb_client_site_name() which in turn uses
socket_allow_access() which led to masked_match() in
source4/lib/socket/access.c that clearly only worked with IPv4
addresses. Since we are using IPv6, clients failed to be matched
to any site.
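
An address-family-aware subnet match of the kind the report above found missing, as an added example; it is not part of the original report and is not Samba's code or the attached patch. `subnet_contains()` is a hypothetical helper, and the subnets and addresses are constructed samples from documentation ranges.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Samba's masked_match()): true if addr lies in
 * the subnet written as "network/prefixlen", for IPv4 or IPv6. */
bool subnet_contains(const char *subnet, const char *addr)
{
    char net[INET6_ADDRSTRLEN], *end;
    uint8_t n[16], a[16];
    const char *slash = strchr(subnet, '/');
    size_t len;
    long bits;
    int af;

    if (slash == NULL || (len = (size_t)(slash - subnet)) >= sizeof(net))
        return false;
    memcpy(net, subnet, len);
    net[len] = '\0';

    /* Pick the family from the network part so IPv6 subnets are parsed too. */
    af = strchr(net, ':') ? AF_INET6 : AF_INET;
    /* Both sides must parse in the same family, otherwise there is no match. */
    if (inet_pton(af, net, n) != 1 || inet_pton(af, addr, a) != 1)
        return false;
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || bits < 0 || bits > (af == AF_INET6 ? 128 : 32))
        return false;
    /* Compare the whole bytes of the prefix, then the leftover high bits. */
    if (memcmp(n, a, (size_t)bits / 8) != 0)
        return false;
    if (bits % 8 != 0) {
        uint8_t mask = (uint8_t)(0xFF << (8 - bits % 8));
        if ((n[bits / 8] & mask) != (a[bits / 8] & mask))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample subnets and addresses (documentation ranges). */
    printf("%d\n", subnet_contains("2001:db8:1::/48", "2001:db8:1:20::15"));
    printf("%d\n", subnet_contains("192.0.2.0/24", "192.0.2.77"));
    return 0;
}
```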
Comment 1 Jeremy Allison 2016-11-11 18:50:06 UTC
Created attachment 12656
git-am fix for master.

Test patch.
Comment 2 Björn Jacke 2018-01-24 10:14:46 UTC
This patch is in master and in releases since 4.6.