Problem figured out, need a bug to refer to in a fix.

With the change to move FreeIPA use of 'server role = primary classic domain controller' to a dedicated role, at least one place was overlooked: schannel_server_start() needs to be extended with ROLE_IPA_DC as well. This omission prevents completing the NETLOGON_TC_VERIFY sequence when establishing a forest trust between FreeIPA and an Active Directory forest root.

The AD DC performs a ServerAuthenticate3 request to which we positively respond but cannot marshal the response due to the bug mentioned above.

[2021/11/12 11:41:15.236537, 3, pid=36211, effective(0, 0), real(0, 0)] ../../libcli/auth/schannel_state_tdb.c:130(schannel_store_session_key_tdb)
  schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/AD1
[2021/11/12 11:41:15.236570, 1, pid=36211, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:429(ndr_print_debug)
  creds: struct netlogon_creds_CredentialState
    negotiate_flags : 0x411bc1ff (1092338175)
      1: NETLOGON_NEG_ACCOUNT_LOCKOUT
      1: NETLOGON_NEG_PERSISTENT_SAMREPL
      1: NETLOGON_NEG_ARCFOUR
      1: NETLOGON_NEG_PROMOTION_COUNT
      1: NETLOGON_NEG_CHANGELOG_BDC
      1: NETLOGON_NEG_FULL_SYNC_REPL
      1: NETLOGON_NEG_MULTIPLE_SIDS
      1: NETLOGON_NEG_REDO
      1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
      0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
      0: NETLOGON_NEG_GENERIC_PASSTHROUGH
      0: NETLOGON_NEG_CONCURRENT_RPC
      0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
      0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
      1: NETLOGON_NEG_STRONG_KEYS
      1: NETLOGON_NEG_TRANSITIVE_TRUSTS
      1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
      1: NETLOGON_NEG_PASSWORD_SET2
      0: NETLOGON_NEG_GETDOMAININFO
      1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
      1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
      0: NETLOGON_NEG_RODC_PASSTHROUGH
      0: NETLOGON_NEG_SUPPORTS_AES_SHA2
      1: NETLOGON_NEG_SUPPORTS_AES
      0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
      1: NETLOGON_NEG_AUTHENTICATED_RPC
    session_key : 7cf22f4749f7d8523cba143a512236b2
    sequence : 0x00000000 (0)
    seed: struct netr_Credential
      data : c3cf649293b32eeb
    client: struct netr_Credential
      data : c3cf649293b32eeb
    server: struct netr_Credential
      data : 9a411ac703cad937
    secure_channel_type : SEC_CHAN_DNS_DOMAIN (0x3)
    computer_name : 'AD1'
    account_name : 'win2019.test.'
    sid : *
      sid : S-1-5-21-3306425499-2542250174-3704382410-1008
[2021/11/12 11:41:15.236765, 4, pid=36211, effective(65534, 65534), real(65534, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 1
[2021/11/12 11:41:15.236803, 4, pid=36211, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2021/11/12 11:41:15.236819, 1, pid=36211, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:478(ndr_print_function_debug)
  netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
    out: struct netr_ServerAuthenticate3
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 9a411ac703cad937
      negotiate_flags : *
        negotiate_flags : 0x411bc1ff (1092338175)
          1: NETLOGON_NEG_ACCOUNT_LOCKOUT
          1: NETLOGON_NEG_PERSISTENT_SAMREPL
          1: NETLOGON_NEG_ARCFOUR
          1: NETLOGON_NEG_PROMOTION_COUNT
          1: NETLOGON_NEG_CHANGELOG_BDC
          1: NETLOGON_NEG_FULL_SYNC_REPL
          1: NETLOGON_NEG_MULTIPLE_SIDS
          1: NETLOGON_NEG_REDO
          1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          1: NETLOGON_NEG_STRONG_KEYS
          1: NETLOGON_NEG_TRANSITIVE_TRUSTS
          1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          1: NETLOGON_NEG_PASSWORD_SET2
          0: NETLOGON_NEG_GETDOMAININFO
          1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          1: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          1: NETLOGON_NEG_AUTHENTICATED_RPC
      rid : *
        rid : 0x000003f0 (1008)
      result : NT_STATUS_OK
[2021/11/12 11:41:15.237601, 10, pid=36211, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:400(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 0
[2021/11/12 11:41:15.237642, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = 'DC'
[2021/11/12 11:41:15.237741, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2021/11/12 11:41:15.237755, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2021/11/12 11:41:15.237765, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2021/11/12 11:41:15.237776, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2021/11/12 11:41:15.237787, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind
[2021/11/12 11:41:15.237797, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2021/11/12 11:41:15.237810, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2021/11/12 11:41:15.237821, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2021/11/12 11:41:15.238191, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2021/11/12 11:41:15.238217, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2021/11/12 11:41:15.238238, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2021/11/12 11:41:15.238288, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'spnego' registered
[2021/11/12 11:41:15.238300, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'schannel' registered
[2021/11/12 11:41:15.238310, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2021/11/12 11:41:15.238321, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2021/11/12 11:41:15.238334, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2021/11/12 11:41:15.238345, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2021/11/12 11:41:15.238358, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'http_basic' registered
[2021/11/12 11:41:15.238370, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2021/11/12 11:41:15.238380, 3, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:1089(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2021/11/12 11:41:15.238498, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:851(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2021/11/12 11:41:15.238511, 1, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:868(gensec_start_mech)
  Failed to start GENSEC server mech schannel: NT_STATUS_NOT_IMPLEMENTED
[2021/11/12 11:41:15.238557, 3, pid=36211, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcesrv_auth.c:186(dcesrv_auth_prepare_gensec)
  Failed to start GENSEC mechanism for DCERPC server: auth_type=68 (schannel), auth_level=6: NT_STATUS_NOT_IMPLEMENTED
[2021/11/12 11:41:15.242753, 3, pid=36211, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/rpc_server.c:853(ncacn_terminate_connection)
  ncacn_terminate_connection: Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
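A triage sketch for the failure described in the comment above, as an added example that is not part of the original report or of Samba's code: per smbd pid, it correlates a netr_ServerAuthenticate3 reply carrying NT_STATUS_OK with the schannel GENSEC start that follows it. The names `records` and `triage` are hypothetical, and the sample records are abridged from the logs quoted in this report.

```python
import re

# Samba debug header: "[timestamp, level, pid=N, ...] source.c:line(function)"
HEADER = re.compile(
    r"\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+,\s*\d+,\s*pid=(?P<pid>\d+)"
    r"[^\]]*\]\s+\S+?:\d+\((?P<func>\w+)\)")
AUTH3_OK = re.compile(
    r"netr_ServerAuthenticate3\b.*\bout:.*\bresult\s*:\s*NT_STATUS_OK", re.S)
MECH_FAIL = re.compile(
    r"Failed to start GENSEC server mech schannel: (NT_STATUS_\w+)")
AUTHZ_OK = re.compile(r"Successful AuthZ: \[DCE/RPC,schannel\]")

# Constructed sample: records abridged from the two logs quoted in this report.
SAMPLE = r"""
[2021/11/12 11:41:15.236819, 1, pid=36211, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:478(ndr_print_function_debug)
  netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
    out: struct netr_ServerAuthenticate3
      result : NT_STATUS_OK
[2021/11/12 11:41:15.238498, 5, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:851(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2021/11/12 11:41:15.238511, 1, pid=36211, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:868(gensec_start_mech)
  Failed to start GENSEC server mech schannel: NT_STATUS_NOT_IMPLEMENTED
[2021/11/12 12:56:16.073614, 1, pid=99118, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:478(ndr_print_function_debug)
  netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
    out: struct netr_ServerAuthenticate3
      result : NT_STATUS_OK
[2021/11/12 12:56:16.075665, 5, pid=99118, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,schannel] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7]
"""


def records(text):
    """Yield (pid, function, body) per record; handles flattened or multi-line logs."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield int(h["pid"]), h["func"], text[h.end():end].strip()


def triage(text):
    """Map pid -> verdict for the schannel bind that follows ServerAuthenticate3."""
    auth3_ok, verdict = set(), {}
    for pid, func, body in records(text):
        if func == "ndr_print_function_debug" and AUTH3_OK.search(body):
            auth3_ok.add(pid)
        elif pid in auth3_ok and (m := MECH_FAIL.search(body)):
            # Credentials were accepted, yet the server refused to start schannel:
            # the symptom of a server role missing from schannel_server_start().
            verdict[pid] = f"schannel start failed after Auth3 OK: {m[1]}"
        elif pid in auth3_ok and AUTHZ_OK.search(body):
            verdict.setdefault(pid, "schannel bind authorized")
    return verdict


if __name__ == "__main__":
    for pid, result in triage(SAMPLE).items():
        print(pid, result)
```

Because records are delimited by the header pattern rather than by newlines, the same function works on logs that were pasted or extracted onto a single line.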
Looks like only the following two locations were missed: diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c index 0cdae141ead..6ebbe8f3179 100644 --- a/auth/gensec/schannel.c +++ b/auth/gensec/schannel.c @@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) case ROLE_DOMAIN_BDC: case ROLE_DOMAIN_PDC: case ROLE_ACTIVE_DIRECTORY_DC: + case ROLE_IPA_DC: return NT_STATUS_OK; default: return NT_STATUS_NOT_IMPLEMENTED; diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index 8d71b5252ab..ea92a22cbc9 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p, switch (lp_server_role()) { case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: + case ROLE_IPA_DC: name = get_global_sam_name(); sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid()); if (!sid) {
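Review bot: in the auth/gensec/schannel.c hunk, the default branch of schannel_server_start() still returns NT_STATUS_NOT_IMPLEMENTED without saying which server role was rejected, so the log in this report shows only the caller's "Failed to start GENSEC server mech schannel: NT_STATUS_NOT_IMPLEMENTED". Alongside the new case ROLE_IPA_DC, consider a debug message in default that names the configured role, and a test that starts the schannel server mechanism under the IPA DC role so the next added role is not overlooked in the same way.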
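Review bot: in the source3/rpc_server/lsa/srv_lsa_nt.c hunk, ROLE_IPA_DC is added to the ROLE_DOMAIN_PDC/ROLE_DOMAIN_BDC branch of _lsa_QueryInfoPolicy(), but the failure log in this report only exercises the schannel path, so the commit message should state why an IPA DC has to answer with get_global_sam_name() and get_global_sam_sid() here. Since the claim is that only these two locations were missed, it would also help to note how the remaining switches on lp_server_role() were checked.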
Created attachment 16992
IPA-DC -- add missing checks

Candidate patch. I am running a build to test it right now.
Yes, this patch fixed the problem for me and the process to establish trust moved further. I now have a working trust to AD with hardened Samba.

[2021/11/12 12:56:16.073614, 1, pid=99118, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:478(ndr_print_function_debug)
  netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
    out: struct netr_ServerAuthenticate3
      return_credentials : *
        return_credentials: struct netr_Credential
          data : f707cfe4fc84c1eb
      negotiate_flags : *
        negotiate_flags : 0x411bc1ff (1092338175)
          1: NETLOGON_NEG_ACCOUNT_LOCKOUT
          1: NETLOGON_NEG_PERSISTENT_SAMREPL
          1: NETLOGON_NEG_ARCFOUR
          1: NETLOGON_NEG_PROMOTION_COUNT
          1: NETLOGON_NEG_CHANGELOG_BDC
          1: NETLOGON_NEG_FULL_SYNC_REPL
          1: NETLOGON_NEG_MULTIPLE_SIDS
          1: NETLOGON_NEG_REDO
          1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
          0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
          0: NETLOGON_NEG_GENERIC_PASSTHROUGH
          0: NETLOGON_NEG_CONCURRENT_RPC
          0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
          0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
          1: NETLOGON_NEG_STRONG_KEYS
          1: NETLOGON_NEG_TRANSITIVE_TRUSTS
          1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
          1: NETLOGON_NEG_PASSWORD_SET2
          0: NETLOGON_NEG_GETDOMAININFO
          1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
          1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
          0: NETLOGON_NEG_RODC_PASSTHROUGH
          0: NETLOGON_NEG_SUPPORTS_AES_SHA2
          1: NETLOGON_NEG_SUPPORTS_AES
          0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
          1: NETLOGON_NEG_AUTHENTICATED_RPC
      rid : *
        rid : 0x000003f1 (1009)
      result : NT_STATUS_OK
[2021/11/12 12:56:16.074463, 10, pid=99118, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:400(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 0
[2021/11/12 12:56:16.074508, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:565(make_auth3_context_for_ntlm)
  make_auth3_context_for_ntlm: Making default auth method list for server role = 'DC'
[2021/11/12 12:56:16.074532, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match anonymous
[2021/11/12 12:56:16.074549, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method anonymous has a valid init
[2021/11/12 12:56:16.074563, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2021/11/12 12:56:16.074578, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2021/11/12 12:56:16.074593, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind
[2021/11/12 12:56:16.074606, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2021/11/12 12:56:16.074625, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:426(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2021/11/12 12:56:16.074640, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:451(load_auth_module)
  load_auth_module: auth method sam_ignoredomain has a valid init
[2021/11/12 12:56:16.075152, 5, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec_start.c:851(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2021/11/12 12:56:16.075295, 1, pid=99118, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:429(ndr_print_debug)
  creds: struct netlogon_creds_CredentialState
    negotiate_flags : 0x411bc1ff (1092338175)
      1: NETLOGON_NEG_ACCOUNT_LOCKOUT
      1: NETLOGON_NEG_PERSISTENT_SAMREPL
      1: NETLOGON_NEG_ARCFOUR
      1: NETLOGON_NEG_PROMOTION_COUNT
      1: NETLOGON_NEG_CHANGELOG_BDC
      1: NETLOGON_NEG_FULL_SYNC_REPL
      1: NETLOGON_NEG_MULTIPLE_SIDS
      1: NETLOGON_NEG_REDO
      1: NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL
      0: NETLOGON_NEG_SEND_PASSWORD_INFO_PDC
      0: NETLOGON_NEG_GENERIC_PASSTHROUGH
      0: NETLOGON_NEG_CONCURRENT_RPC
      0: NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL
      0: NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL
      1: NETLOGON_NEG_STRONG_KEYS
      1: NETLOGON_NEG_TRANSITIVE_TRUSTS
      1: NETLOGON_NEG_DNS_DOMAIN_TRUSTS
      1: NETLOGON_NEG_PASSWORD_SET2
      0: NETLOGON_NEG_GETDOMAININFO
      1: NETLOGON_NEG_CROSS_FOREST_TRUSTS
      1: NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION
      0: NETLOGON_NEG_RODC_PASSTHROUGH
      0: NETLOGON_NEG_SUPPORTS_AES_SHA2
      1: NETLOGON_NEG_SUPPORTS_AES
      0: NETLOGON_NEG_AUTHENTICATED_RPC_LSASS
      1: NETLOGON_NEG_AUTHENTICATED_RPC
    session_key : 5dc38219a6bfda179aa1cf88a5986a2c
    sequence : 0x00000000 (0)
    seed: struct netr_Credential
      data : 41b2a4a642c2f02e
    client: struct netr_Credential
      data : 41b2a4a642c2f02e
    server: struct netr_Credential
      data : f707cfe4fc84c1eb
    secure_channel_type : SEC_CHAN_DNS_DOMAIN (0x3)
    computer_name : 'AD1'
    account_name : 'win2019.test.'
    sid : *
      sid : S-1-5-21-3306425499-2542250174-3704382410-1009
[2021/11/12 12:56:16.075494, 3, pid=99118, effective(0, 0), real(0, 0)] ../../libcli/auth/schannel_state_tdb.c:199(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/AD1
[2021/11/12 12:56:16.075537, 10, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:456(gensec_update_send)
  gensec_update_send: schannel[0x563e3d5dfb00]: subreq: 0x563e3d5d63e0
[2021/11/12 12:56:16.075572, 10, pid=99118, effective(0, 0), real(0, 0), class=auth] ../../auth/gensec/gensec.c:549(gensec_update_done)
  gensec_update_done: schannel[0x563e3d5dfb00]: NT_STATUS_OK tevent_req[0x563e3d5d63e0/../../auth/gensec/schannel.c:816]: state[2] error[0 (0x0)] state[struct schannel_update_state (0x563e3d5d65a0)] timer[(nil)] finish[../../auth/gensec/schannel.c:832]
[2021/11/12 12:56:16.075665, 5, pid=99118, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:753(log_successful_authz_event_human_readable)
  Successful AuthZ: [DCE/RPC,schannel] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Fri, 12 Nov 2021 12:56:16.075649 EST] Remote host [ipv4:10.0.96.138:62335] local host [ipv4:10.0.96.44:49152]
  {"timestamp": "2021-11-12T12:56:16.075718-0500", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": "ipv4:10.0.96.44:49152", "remoteAddress": "ipv4:10.0.96.138:62335", "serviceDescription": "DCE/RPC", "authType": "schannel", "domain": "NT AUTHORITY", "account": "ANONYMOUS LOGON", "sid": "S-1-5-7", "sessionId": "862f0805-eb22-4920-b2f9-96584f87aa73", "logonServer": "MASTER", "transportProtection": "SEAL", "accountFlags": "0x00000010"}}
[2021/11/12 12:56:16.076355, 10, pid=99118, effective(0, 0), real(0, 0)] ../../librpc/rpc/dcerpc_util.c:400(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 12
[2021/11/12 12:56:16.076448, 4, pid=99118, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2021/11/12 12:56:16.076468, 4, pid=99118, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 1
[2021/11/12 12:56:16.076484, 5, pid=99118, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:52(security_token_debug)
  Security token SIDs (5):
    SID[ 0]: S-1-5-7
    SID[ 1]: S-1-1-0
    SID[ 2]: S-1-5-2
    SID[ 3]: S-1-22-1-65534
    SID[ 4]: S-1-22-2-65534
  Privileges (0x 0):
  Rights (0x 0):
Created attachment 16993
backport to 4.15
This bug was referenced in samba master: c69b66f649c1d47a7367f7efe25b8df32369a3a5
Backport to 4.15 attached. Version for 4.14 is the same: diff -u 0001-v4.15-IPA-DC-add-missing-checks.patch 0001-v4.14-IPA-DC-add-missing-checks.patch --- 0001-v4.15-IPA-DC-add-missing-checks.patch 2021-11-13 10:08:45.027426534 +0200 +++ 0001-v4.14-IPA-DC-add-missing-checks.patch 2021-11-13 10:11:11.430310279 +0200 @@ -1,4 +1,4 @@ -From 9fcb21d4a34342ecea8ad8d374bbc5ee49a585ce Mon Sep 17 00:00:00 2001 +From c11dab13dd30af3e0beb69e8d47c3bfd85e18a91 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <ab@samba.org> Date: Fri, 12 Nov 2021 19:06:01 +0200 Subject: [PATCH] IPA DC: add missing checks so I am not attaching it, we should apply this fix to all backports.
Jule, please apply the patch to v4.15. Thanks!
Alexander, it should be applied to 4.15, 4.14 and 4.13?
Yes, to 4.15-4.13
Comment on attachment 16993
backport to 4.15

LGTM, thanks!
(In reply to Andreas Schneider from comment #7)
Pushed to autobuild-v4-15-test.

What about the patch for 4.14? 4.13 is in security fixes only mode.
(In reply to Jule Anger from comment #11)
> (In reply to Andreas Schneider from comment #7)
> Pushed to autobuild-v4-15-test.
>
> What about the patch for 4.14? 4.13 is in security fixes only mode.

The same attached patch applies to all versions down to 4.11 or even 4.10. Please commit it to 4.14.
If we are going to make any other security release on the 4.13 branch, then this patch is needed for 4.13, or otherwise it is going to be a regression once Fedora or RHEL considers a rebase of that. Fedora 33 is built on Samba 4.13.
Okay, thanks for the explanation. Pushed also to autobuild-v4-{14,13}-test.
Thank you, Jule! This will save a lot of time, very much appreciated!
This bug was referenced in samba v4-15-test: 0d3842697b44a821ccfba72b35fbbde2804c59cf
This bug was referenced in samba v4-13-test: fadf49634500a08392f0625db4062d993ccb0b0a
This bug was referenced in samba v4-14-test: 75ab0a306fc78a9fc49c98325eadcf381b54e948
Closing out bug report. Thanks!
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): 0d3842697b44a821ccfba72b35fbbde2804c59cf
This bug was referenced in samba v4-13-stable (Release samba-4.13.15): fadf49634500a08392f0625db4062d993ccb0b0a
This bug was referenced in samba v4-14-stable (Release samba-4.14.11): 75ab0a306fc78a9fc49c98325eadcf381b54e948