The Samba-Bugzilla – Bug 12419
AD access check function isn't IPv6-aware.
Last modified: 2016-11-15 13:36:00 UTC
From Heath Kehoe <firstname.lastname@example.org>:
We have an AD environment backed entirely by Samba4. We have a
remote location where I spun up a Samba4 instance and made it a DC.
The remote subnet is connected to our "main" subnet via VPN, with
both IPv4 and IPv6.
I set up an AD Site for the remote location and assigned the
appropriate subnets (both v4 and v6) to it. However, a Windows
client at the remote location never associated with the correct site,
in that 'nltest /dsgetsite' always returned the default site. Also,
that client would sometimes use a DC at the main site; and worse,
clients at the main site sometimes bound to the DC at the remote
site's DC causing long login times.
So I tracked down what Samba was doing to match a client to a site.
I found samdb_client_site_name() which in turn uses
socket_allow_access() which led to masked_match() in
source4/lib/socket/access.c that clearly only worked with IPv4
addresses. Since we are using IPv6, clients failed to be matched
to any site.
Created attachment 12656 [details]
git-am fix for master.