Your message dated Thu, 10 Jul 2025 11:49:24 +0000
with message-id <e1uzpmg-00eekp...@respighi.debian.org>
and subject line unblock samba
has caused the Debian Bug report #1108970,
regarding unblock: samba/2:4.22.3+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1108970: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108970
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: sa...@packages.debian.org, pkg-samba-ma...@lists.alioth.debian.org
Control: affects -1 + src:samba
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package samba

[ Reason ]
This is an upstream stable/bugfix release, with usual-for-samba
carefully picked up bugfixes.  This time, there are just a few
bugfixes, and a change which is needed for upcoming (Jul-08)
update of Microsoft Active Directory Domain Controller security
improvements.  When samba acts as a member of MS AD, in some
configurations, it won't function anymore after the Windows update.
See #1108904 (https://bugzilla.samba.org/show_bug.cgi?id=15876)
for more information about this issue.

Additionally, there's a tiny change in Debian packaging: I replaced
the FSF postal address with a gnu.org URL.

[ Tests ]
This release passes the usual samba testsuite.  Additionally, I verified
basic functionality in our internal AD domain; there are no obvious
regressions (and some improvements).

[ Risks ]
Usually samba stable updates are of low risk.  This one seems to be
of the same category.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
There's a set of logical commits between samba 4.22.2 and 4.22.3 releases,
see https://salsa.debian.org/samba-team/samba/-/commits/upstream_4.22
(all commits between samba-4.22.2 and samba-4.22.3 tags).  This is the
difference in the debdiff.

Debdiff is below.

unblock samba/2:4.22.3+dfsg-1

Thanks,

/mjt
diff -Nru samba-4.22.2+dfsg/VERSION samba-4.22.3+dfsg/VERSION
--- samba-4.22.2+dfsg/VERSION   2025-06-05 18:38:33.686580400 +0300
+++ samba-4.22.3+dfsg/VERSION   2025-07-07 19:18:35.329030000 +0300
@@ -27,7 +27,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=22
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
 
 ########################################################
 # If a official release has a serious bug              #
diff -Nru samba-4.22.2+dfsg/WHATSNEW.txt samba-4.22.3+dfsg/WHATSNEW.txt
--- samba-4.22.2+dfsg/WHATSNEW.txt      2025-06-05 18:38:33.686580400 +0300
+++ samba-4.22.3+dfsg/WHATSNEW.txt      2025-07-07 19:18:35.329030000 +0300
@@ -1,4 +1,89 @@
                    ==============================
+                   Release Notes for Samba 4.22.3
+                           July 07, 2025
+                   ==============================
+
+
+This is the latest stable release of the Samba 4.22 release series.
+
+
+Important Change in Upcoming Microsoft Update
+---------------------------------------------
+
+On 8th of July, Microsoft will release an important security update for
+Active Directory Domain Controllers for Windows Server versions prior to
+2025.
+
+This update includes a change to the Microsoft RPC Netlogon protocol,
+which improves security by tightening access checks for a set of RPC
+requests. Samba running as domain members in these environments will be
+impacted by this change if a specific configuration is used, see below
+for which configuration is affected.
+
+Windows Server version 2025 is already equipped with these specific
+security hardenings, and Microsoft is now planning to deploy them to all
+supported Windows Server versions down to Windows Server 2008.
+
+
+Who is affected?
+
+Samba installations acting as member servers in Windows AD domains will
+be affected if they are configured to use the 'ad' idmapping backend.
+Samba servers not using this configuration will not be affected by the
+change – at least to our current knowledge and understanding of the
+change – and no further action is required.
+
+Current versions of Samba with the affected configuration will no longer
+function correctly once the Microsoft update has been applied. Users
+will not be able to connect to the SMB service provided by Samba for any
+domain configured to use the 'ad' idmapping backend.
+
+See https://bugzilla.samba.org/show_bug.cgi?id=15876.
+
+
+Changes since 4.22.2
+--------------------
+
+o  Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
+   * BUG 15854: samba-tool cannot add user to group whose name is exactly 16
+     characters long.
+
+o  Günther Deschner <g...@samba.org>
+   * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
+     calls like netr_DsRGetDCName.
+
+o  Stefan Metzmacher <me...@samba.org>
+   * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc
+     calls like netr_DsRGetDCName.
+
+o  Andreas Schneider <a...@samba.org>
+   * BUG 15869: Startup messages of rpc deamons fills /var/log/messages.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+                   ==============================
                    Release Notes for Samba 4.22.2
                            June 05, 2025
                    ==============================
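Review bot: The "Who is affected?" section says affected setups stop working once the Microsoft update is applied and points to bug 15876, but it never states outright that this release carries the fix; a reader has to infer it from the BUG 15876 entries under "Changes since 4.22.2". One sentence saying so would help. In the BUG 15869 entry, "deamons" should be "daemons", as debian/changelog already spells it.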
@@ -80,8 +165,7 @@
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.22.1
                            April 17, 2025
diff -Nru samba-4.22.2+dfsg/debian/changelog samba-4.22.3+dfsg/debian/changelog
--- samba-4.22.2+dfsg/debian/changelog  2025-06-05 19:12:34.000000000 +0300
+++ samba-4.22.3+dfsg/debian/changelog  2025-07-07 23:16:23.000000000 +0300
@@ -1,3 +1,21 @@
+samba (2:4.22.3+dfsg-1) unstable; urgency=medium
+
+  * new upstream stable/bugfix release, mostly targetting the Jul-08 update
+    for Active Directory Domain Controllers
+    (https://bugzilla.samba.org/show_bug.cgi?id=15876, Closes: #1108904):
+   - https://bugzilla.samba.org/show_bug.cgi?id=15854:
+     samba-tool cannot add user to group whose name
+     is exactly 16 characters long
+   - https://bugzilla.samba.org/show_bug.cgi?id=15869:
+     Startup messages of rpc daemons fills /var/log/messages
+   - https://bugzilla.samba.org/show_bug.cgi?id=15876:
+     Windows security hardening locks out schannel'ed netlogon
+     dc calls like netr_DsRGetDCName
+  * update d/copyright to point to https://www.gnu.org/licenses/
+    instead of FSF postal address
+
+ -- Michael Tokarev <m...@tls.msk.ru>  Mon, 07 Jul 2025 23:16:23 +0300
+
 samba (2:4.22.2+dfsg-1) unstable; urgency=medium
 
   * new upstream stable/bugfix release:
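Review bot: The new 2:4.22.3+dfsg-1 entry does not mention the debian/control change that relaxes the samba-common dependency from "(= ${source:Version})" to unversioned in four stanzas, although the unblock checklist states that all changes are documented in d/changelog. Add a bullet for it, with the reason, next to the d/copyright item. "targetting" in the first bullet should also be "targeting".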
diff -Nru samba-4.22.2+dfsg/debian/control samba-4.22.3+dfsg/debian/control
--- samba-4.22.2+dfsg/debian/control    2025-06-05 18:53:51.000000000 +0300
+++ samba-4.22.3+dfsg/debian/control    2025-07-07 23:16:23.000000000 +0300
@@ -84,7 +84,7 @@
 Pre-Depends: ${misc:Pre-Depends}
 Depends: passwd,
          procps,
-         samba-common (= ${source:Version}),
+         samba-common,
          samba-common-bin (=${binary:Version}),
          ${misc:Depends},
          ${python3:Depends},
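Review bot: Dropping "(= ${source:Version})" from samba-common here, and in the three hunks that follow, leaves the dependency satisfiable by any samba-common version, while samba-common-bin on the next line keeps its exact "(=${binary:Version})" pin. If the aim is only to loosen the lockstep requirement, a lower bound of the form "samba-common (>= <oldest compatible version>)" would still prevent pairing new binaries with an arbitrarily old samba-common. Either way the reason belongs in d/changelog.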
@@ -176,7 +176,7 @@
 
 Package: samba-common-bin
 Architecture: any
-Depends: samba-common (= ${source:Version}),
+Depends: samba-common,
          ${misc:Depends},
          ${python3:Depends},
          ${shlibs:Depends}
@@ -258,7 +258,7 @@
 
 Package: smbclient
 Architecture: any
-Depends: samba-common (= ${source:Version}),
+Depends: samba-common,
          samba-libs (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
@@ -476,7 +476,7 @@
 Pre-Depends: ${misc:Pre-Depends}
 Architecture: any
 Multi-Arch: allowed
-Depends: samba-common (= ${source:Version}),
+Depends: samba-common,
          samba-common-bin (=${binary:Version}),
 # wbinfo (linked with libwbclient) which should use the same protocol
          libwbclient0 (=${binary:Version}),
diff -Nru samba-4.22.2+dfsg/debian/copyright samba-4.22.3+dfsg/debian/copyright
--- samba-4.22.2+dfsg/debian/copyright  2025-06-05 18:53:51.000000000 +0300
+++ samba-4.22.3+dfsg/debian/copyright  2025-07-07 23:16:23.000000000 +0300
@@ -90,8 +90,7 @@
  GNU General Public License for more details.
  .
  You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ along with this program; If not, see https://www.gnu.org/licenses/.
  .
  On Debian systems, the full text of the GPL v3 can be found in
  /usr/share/common-licenses/GPL-3
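Review bot: In the replacement line, "If" is capitalised directly after a semicolon ("along with this program; If not, see ..."). Either end the previous clause with a full stop, as the standard GPL notice does ("along with this program.  If not, see <https://www.gnu.org/licenses/>."), or lower-case the "if".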
diff -Nru samba-4.22.2+dfsg/lib/util/debug.c samba-4.22.3+dfsg/lib/util/debug.c
--- samba-4.22.2+dfsg/lib/util/debug.c  2025-02-06 13:31:54.176146500 +0300
+++ samba-4.22.3+dfsg/lib/util/debug.c  2025-07-07 19:18:35.393030600 +0300
@@ -95,6 +95,7 @@
        bool reopening_logs;
        bool schedule_reopen_logs;
        int forced_log_priority;
+       bool disable_syslog;
 
        struct debug_settings settings;
        debug_callback_fn callback;
@@ -302,6 +303,10 @@
 {
        int priority;
 
+       if (state.disable_syslog) {
+               return;
+       }
+
        priority = debug_level_to_priority(msg_level);
 
        /*
@@ -1124,6 +1129,16 @@
        state.forced_log_priority = forced_log_priority;
 }
 
+void debug_disable_syslog(void)
+{
+       state.disable_syslog = true;
+}
+
+void debug_enable_syslog(void)
+{
+       state.disable_syslog = false;
+}
+
 /**
  * Ensure debug logs are initialised.
  *
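Review bot: debug_enable_syslog() sets state.disable_syslog to false unconditionally, so the pair does not nest: if a caller had already disabled syslog, any DBG_STARTUP_NOTICE issued in between switches it back on. Either have debug_disable_syslog() return the previous value and restore that, or document on both functions that they are only meant to bracket a single message. Neither function has a doc comment, unlike the "Ensure debug logs are initialised" block that follows them.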
diff -Nru samba-4.22.2+dfsg/lib/util/debug.h samba-4.22.3+dfsg/lib/util/debug.h
--- samba-4.22.2+dfsg/lib/util/debug.h  2025-02-06 13:31:54.176146500 +0300
+++ samba-4.22.3+dfsg/lib/util/debug.h  2025-07-07 19:18:35.393030600 +0300
@@ -276,9 +276,16 @@
 #define DBGLVL_INFO     5      /* informational message */
 #define DBGLVL_DEBUG   10      /* debug-level message */
 
+/*
+ * Logging to syslog will be disabled as messages on debug level 0 are always
+ * reported to syslog too. We don't want to clutter the syslog with startup
+ * messages from rpc on demand daemons.
+ */
 #define DBG_STARTUP_NOTICE(...) do { \
        debug_set_forced_log_priority(DBGLVL_NOTICE); \
+       debug_disable_syslog(); \
        D_ERR(__VA_ARGS__); \
+       debug_enable_syslog(); \
        debug_set_forced_log_priority(-1); \
 } while(0)
 
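Review bot: The new comment justifies the suppression by "rpc on demand daemons", but the debug_disable_syslog()/debug_enable_syslog() pair sits inside DBG_STARTUP_NOTICE itself, so every caller of the macro loses its startup notice in syslog, not only those daemons. If that is intended, say so in the comment; if not, move the suppression to the call sites in the on-demand daemons.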
@@ -362,6 +369,8 @@
                        int syslog_level, bool syslog_only);
 void debug_set_hostname(const char *name);
 void debug_set_forced_log_priority(int forced_log_priority);
+void debug_disable_syslog(void);
+void debug_enable_syslog(void);
 bool reopen_logs_internal( void );
 void force_check_log_size( void );
 bool need_to_check_log_size( void );
diff -Nru samba-4.22.2+dfsg/python/samba/samdb.py 
samba-4.22.3+dfsg/python/samba/samdb.py
--- samba-4.22.2+dfsg/python/samba/samdb.py     2025-02-06 13:31:54.316147300 
+0300
+++ samba-4.22.3+dfsg/python/samba/samdb.py     2025-07-07 19:18:35.393030600 
+0300
@@ -35,6 +35,7 @@
 from samba.common import get_bytes, cmp
 from samba.dcerpc import security
 from samba import is_ad_dc_built
+from samba import string_is_guid
 from samba import NTSTATUSError, ntstatus
 import binascii
 
@@ -388,6 +389,13 @@
 
         partial_groupfilter = None
 
+        # If <group> looks like a SID, GUID, or DN, we use it
+        # accordingly, otherwise as a name.
+        #
+        # Because misc.GUID() will read any 16 byte sequence as a
+        # binary guid, we need to be careful not to read 16 character
+        # names as GUIDs.
+
         group_sid = None
         try:
             group_sid = security.dom_sid(group)
@@ -397,7 +405,7 @@
             partial_groupfilter = "(objectClass=*)"
 
         group_guid = None
-        if partial_groupfilter is None:
+        if partial_groupfilter is None and string_is_guid(group):
             try:
                 group_guid = misc.GUID(group)
             except NTSTATUSError as e:
diff -Nru samba-4.22.2+dfsg/python/samba/tests/samba_tool/group.py 
samba-4.22.3+dfsg/python/samba/tests/samba_tool/group.py
--- samba-4.22.2+dfsg/python/samba/tests/samba_tool/group.py    2025-02-06 
13:31:54.360147700 +0300
+++ samba-4.22.3+dfsg/python/samba/tests/samba_tool/group.py    2025-07-07 
19:18:35.397030600 +0300
@@ -38,7 +38,8 @@
         self.groups.append(self._randomGroup({"name": "testgroup1"}))
         self.groups.append(self._randomGroup({"name": "testgroup2"}))
         self.groups.append(self._randomGroup({"name": "testgroup3"}))
-        self.groups.append(self._randomGroup({"name": "testgroup4"}))
+        self.groups.append(self._randomGroup(
+            {"name": "16 character name for bug 15854"[:16]}))
         self.groups.append(self._randomGroup({"name": "testgroup5 (with 
brackets)"}))
         self.groups.append(self._randomPosixGroup({"name": "posixgroup1"}))
         self.groups.append(self._randomPosixGroup({"name": "posixgroup2"}))
@@ -334,6 +335,20 @@
             name = str(groupobj.get("dn", idx=0))
             self.assertMatch(out, name, "group '%s' not found" % name)
 
+    def test_addmember(self):
+        groups = [g['name'] for g in self.groups]
+        for parent, child in zip(groups, groups[1:]):
+            (result, out, err) = self.runsubcmd(
+                "group", "addmembers", parent, child)
+            self.assertCmdSuccess(result, out, err)
+
+        (result, out, err) = self.runsubcmd(
+            "group", "addmembers", groups[-1], ','.join(groups[:-1]))
+        self.assertCmdSuccess(result, out, err)
+
+        (result, out, err) = self.runsubcmd(
+            "group", "addmembers", groups[0], "alice,bob")
+        self.assertCmdSuccess(result, out, err)
 
     def test_move(self):
         full_ou_dn = str(self.samdb.normalize_dn_in_domain("OU=movetest_grp"))
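Review bot: test_addmember only checks that each "group addmembers" call exits successfully; it never verifies that the member was actually added, so a regression that resolves the 16-character name to the wrong object but still returns success would pass. Follow the addmembers calls with a membership check (for example via "group listmembers") for the 16-character group. The users "alice" and "bob" in the last call are not created in this hunk, so a short comment on where they come from would help.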
diff -Nru samba-4.22.2+dfsg/source3/winbindd/wb_queryuser.c 
samba-4.22.3+dfsg/source3/winbindd/wb_queryuser.c
--- samba-4.22.2+dfsg/source3/winbindd/wb_queryuser.c   2025-02-06 
13:31:54.616149200 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/wb_queryuser.c   2025-07-07 
19:18:35.397030600 +0300
@@ -289,10 +289,19 @@
 
        if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
            !state->tried_dclookup) {
-               D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling 
wb_dsgetdcname_send()\n");
-               subreq = wb_dsgetdcname_send(
-                       state, state->ev, state->info->domain_name, NULL, NULL,
-                       DS_RETURN_DNS_NAME);
+               const char *domain_name = find_dns_domain_name(
+                       state->info->domain_name);
+
+               D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling "
+                       "wb_dsgetdcname_send(%s)\n",
+                       domain_name);
+
+               subreq = wb_dsgetdcname_send(state,
+                                            state->ev,
+                                            domain_name,
+                                            NULL,
+                                            NULL,
+                                            DS_RETURN_DNS_NAME);
                if (tevent_req_nomem(subreq, req)) {
                        return;
                }
diff -Nru samba-4.22.2+dfsg/source3/winbindd/wb_sids2xids.c 
samba-4.22.3+dfsg/source3/winbindd/wb_sids2xids.c
--- samba-4.22.2+dfsg/source3/winbindd/wb_sids2xids.c   2025-02-06 
13:31:54.616149200 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/wb_sids2xids.c   2025-07-07 
19:18:35.397030600 +0300
@@ -612,13 +612,22 @@
            !state->tried_dclookup) {
 
                struct lsa_DomainInfo *d;
+               const char *domain_name = NULL;
 
-               D_DEBUG("Domain controller not found. Calling 
wb_dsgetdcname_send() to get it.\n");
                d = &state->idmap_doms.domains[state->dom_index];
 
-               subreq = wb_dsgetdcname_send(
-                       state, state->ev, d->name.string, NULL, NULL,
-                       DS_RETURN_DNS_NAME);
+               domain_name = find_dns_domain_name(d->name.string);
+
+               D_DEBUG("Domain controller not found. Calling "
+                       "wb_dsgetdcname_send(%s) to get it.\n",
+                       domain_name);
+
+               subreq = wb_dsgetdcname_send(state,
+                                            state->ev,
+                                            domain_name,
+                                            NULL,
+                                            NULL,
+                                            DS_RETURN_DNS_NAME);
                if (tevent_req_nomem(subreq, req)) {
                        return;
                }
diff -Nru samba-4.22.2+dfsg/source3/winbindd/wb_xids2sids.c 
samba-4.22.3+dfsg/source3/winbindd/wb_xids2sids.c
--- samba-4.22.2+dfsg/source3/winbindd/wb_xids2sids.c   2025-02-06 
13:31:54.616149200 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/wb_xids2sids.c   2025-07-07 
19:18:35.397030600 +0300
@@ -143,9 +143,15 @@
        if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) &&
            !state->tried_dclookup) {
 
-               subreq = wb_dsgetdcname_send(
-                       state, state->ev, state->dom_map->name, NULL, NULL,
-                       DS_RETURN_DNS_NAME);
+               const char *domain_name = find_dns_domain_name(
+                       state->dom_map->name);
+
+               subreq = wb_dsgetdcname_send(state,
+                                            state->ev,
+                                            domain_name,
+                                            NULL,
+                                            NULL,
+                                            DS_RETURN_DNS_NAME);
                if (tevent_req_nomem(subreq, req)) {
                        return;
                }
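Review bot: Unlike the matching hunks in wb_queryuser.c and wb_sids2xids.c, this one adds no D_DEBUG before wb_dsgetdcname_send(), so the name actually used for the DC lookup is not logged on this retry path. Add the same kind of D_DEBUG line printing domain_name so all three paths can be traced the same way.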
diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_cm.c 
samba-4.22.3+dfsg/source3/winbindd/winbindd_cm.c
--- samba-4.22.2+dfsg/source3/winbindd/winbindd_cm.c    2025-02-20 
15:58:50.541505000 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/winbindd_cm.c    2025-07-07 
19:18:35.401030500 +0300
@@ -475,140 +475,6 @@
        return ret;
 }
 
-static bool get_dc_name_via_netlogon(struct winbindd_domain *domain,
-                                    fstring dcname,
-                                    struct sockaddr_storage *dc_ss,
-                                    uint32_t request_flags)
-{
-       struct winbindd_domain *our_domain = NULL;
-       struct rpc_pipe_client *netlogon_pipe = NULL;
-       NTSTATUS result;
-       WERROR werr;
-       TALLOC_CTX *mem_ctx;
-       unsigned int orig_timeout;
-       const char *tmp = NULL;
-       const char *p;
-       struct dcerpc_binding_handle *b;
-
-       /* Hmmmm. We can only open one connection to the NETLOGON pipe at the
-        * moment.... */
-
-       if (IS_DC) {
-               return False;
-       }
-
-       if (domain->primary) {
-               return False;
-       }
-
-       our_domain = find_our_domain();
-
-       if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) {
-               return False;
-       }
-
-       result = cm_connect_netlogon(our_domain, &netlogon_pipe);
-       if (!NT_STATUS_IS_OK(result)) {
-               talloc_destroy(mem_ctx);
-               return False;
-       }
-
-       b = netlogon_pipe->binding_handle;
-
-       /* This call can take a long time - allow the server to time out.
-          35 seconds should do it. */
-
-       orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
-
-       if (our_domain->active_directory) {
-               struct netr_DsRGetDCNameInfo *domain_info = NULL;
-
-               /*
-                * TODO request flags are not respected in the server
-                * (and in some cases, like REQUIRE_PDC, causes an error)
-                */
-               result = dcerpc_netr_DsRGetDCName(b,
-                                                 mem_ctx,
-                                                 our_domain->dcname,
-                                                 domain->name,
-                                                 NULL,
-                                                 NULL,
-                                                 
request_flags|DS_RETURN_DNS_NAME,
-                                                 &domain_info,
-                                                 &werr);
-               if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) {
-                       tmp = talloc_strdup(
-                               mem_ctx, domain_info->dc_unc);
-                       if (tmp == NULL) {
-                               DBG_ERR("talloc_strdup failed for dc_unc[%s]\n",
-                                       domain_info->dc_unc);
-                               talloc_destroy(mem_ctx);
-                               return false;
-                       }
-                       if (domain->alt_name == NULL) {
-                               domain->alt_name = talloc_strdup(domain,
-                                                                
domain_info->domain_name);
-                               if (domain->alt_name == NULL) {
-                                       DBG_ERR("talloc_strdup failed for "
-                                               
"domain_info->domain_name[%s]\n",
-                                               domain_info->domain_name);
-                                       talloc_destroy(mem_ctx);
-                                       return false;
-                               }
-                       }
-                       if (domain->forest_name == NULL) {
-                               domain->forest_name = talloc_strdup(domain,
-                                                                   
domain_info->forest_name);
-                               if (domain->forest_name == NULL) {
-                                       DBG_ERR("talloc_strdup failed for "
-                                               
"domain_info->forest_name[%s]\n",
-                                               domain_info->forest_name);
-                                       talloc_destroy(mem_ctx);
-                                       return false;
-                               }
-                       }
-               }
-       } else {
-               result = dcerpc_netr_GetAnyDCName(b, mem_ctx,
-                                                 our_domain->dcname,
-                                                 domain->name,
-                                                 &tmp,
-                                                 &werr);
-       }
-
-       /* And restore our original timeout. */
-       rpccli_set_timeout(netlogon_pipe, orig_timeout);
-
-       if (!NT_STATUS_IS_OK(result)) {
-               DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
-                       nt_errstr(result)));
-               talloc_destroy(mem_ctx);
-               return false;
-       }
-
-       if (!W_ERROR_IS_OK(werr)) {
-               DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n",
-                          win_errstr(werr)));
-               talloc_destroy(mem_ctx);
-               return false;
-       }
-
-       /* dcerpc_netr_GetAnyDCName gives us a name with \\ */
-       p = strip_hostname(tmp);
-
-       fstrcpy(dcname, p);
-
-       talloc_destroy(mem_ctx);
-
-       DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname));
-
-       if (!resolve_name(dcname, dc_ss, 0x20, true)) {
-               return False;
-       }
-
-       return True;
-}
-
 /**
  * Helper function to assemble trust password and account name
  */
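Review bot: Besides the netlogon lookup, the removed get_dc_name_via_netlogon() also filled domain->alt_name and domain->forest_name from the DsRGetDCName reply when they were NULL. The code kept in the next hunk tests domain->alt_name != NULL, and the new find_dns_domain_name() returns wbdom->name when alt_name is NULL, so please state in a comment or the commit message where those two fields are now populated for domains other than our own. The non-AD branch using dcerpc_netr_GetAnyDCName goes away with it, which also deserves a mention.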
@@ -1307,24 +1173,8 @@
        struct  samba_sockaddr *sa_list = NULL;
        size_t     salist_size = 0;
        size_t     i;
-       bool    is_our_domain;
        enum security_types sec = (enum security_types)lp_security();
 
-       is_our_domain = strequal(domain->name, lp_workgroup());
-
-       /* If not our domain, get the preferred DC, by asking our primary DC */
-       if ( !is_our_domain
-               && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags)
-               && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs,
-                      num_dcs) )
-       {
-               char addr[INET6_ADDRSTRLEN];
-               print_sockaddr(addr, sizeof(addr), &ss);
-               DEBUG(10, ("Retrieved DC %s at %s via netlogon\n",
-                          dcname, addr));
-               return True;
-       }
-
        if ((sec == SEC_ADS) && (domain->alt_name != NULL)) {
                char *sitename = NULL;
 
diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_dual.c 
samba-4.22.3+dfsg/source3/winbindd/winbindd_dual.c
--- samba-4.22.2+dfsg/source3/winbindd/winbindd_dual.c  2025-02-06 
13:31:54.620149100 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/winbindd_dual.c  2025-07-07 
19:18:35.405030700 +0300
@@ -532,6 +532,7 @@
        struct wb_domain_request_state *state = tevent_req_data(
                req, struct wb_domain_request_state);
        struct winbindd_domain *domain = state->domain;
+       const char *domain_name = NULL;
        struct tevent_req *subreq = NULL;
        size_t shortest_queue_length;
 
@@ -604,8 +605,11 @@
         * which is indicated by DS_RETURN_DNS_NAME.
         * For NT4 domains we still get the netbios name.
         */
+
+       domain_name = find_dns_domain_name(state->domain->name);
+
        subreq = wb_dsgetdcname_send(state, state->ev,
-                                    state->domain->name,
+                                    domain_name,
                                     NULL, /* domain_guid */
                                     NULL, /* site_name */
                                     DS_RETURN_DNS_NAME); /* flags */
diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_dual_srv.c 
samba-4.22.3+dfsg/source3/winbindd/winbindd_dual_srv.c
--- samba-4.22.2+dfsg/source3/winbindd/winbindd_dual_srv.c      2025-02-06 
13:31:54.620149100 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/winbindd_dual_srv.c      2025-07-07 
19:18:35.405030700 +0300
@@ -660,106 +660,11 @@
 
 NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName 
*r)
 {
-       struct winbindd_domain *domain = wb_child_domain();
-       struct rpc_pipe_client *netlogon_pipe;
-       struct netr_DsRGetDCNameInfo *dc_info;
-       NTSTATUS status;
-       WERROR werr;
-       unsigned int orig_timeout;
-       struct dcerpc_binding_handle *b;
-       bool retry = false;
-       bool try_dsrgetdcname = false;
-
-       if (domain == NULL) {
-               return dsgetdcname(p->mem_ctx, global_messaging_context(),
-                                  r->in.domain_name, r->in.domain_guid,
-                                  r->in.site_name ? r->in.site_name : "",
-                                  r->in.flags,
-                                  r->out.dc_info);
-       }
-
-       if (domain->active_directory) {
-               try_dsrgetdcname = true;
-       }
-
-reconnect:
-       status = cm_connect_netlogon(domain, &netlogon_pipe);
-
-       reset_cm_connection_on_error(domain, NULL, status);
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(10, ("Can't contact the NETLOGON pipe\n"));
-               return status;
-       }
-
-       b = netlogon_pipe->binding_handle;
-
-       /* This call can take a long time - allow the server to time out.
-          35 seconds should do it. */
-
-       orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000);
-
-       if (try_dsrgetdcname) {
-               status = dcerpc_netr_DsRGetDCName(b,
-                       p->mem_ctx, domain->dcname,
-                       r->in.domain_name, NULL, r->in.domain_guid,
-                       r->in.flags, r->out.dc_info, &werr);
-               if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) {
-                       goto done;
-               }
-               if (!retry &&
-                   reset_cm_connection_on_error(domain, NULL, status))
-               {
-                       retry = true;
-                       goto reconnect;
-               }
-               try_dsrgetdcname = false;
-               retry = false;
-       }
-
-       /*
-        * Fallback to less capable methods
-        */
-
-       dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo);
-       if (dc_info == NULL) {
-               status = NT_STATUS_NO_MEMORY;
-               goto done;
-       }
-
-       if (r->in.flags & DS_PDC_REQUIRED) {
-               status = dcerpc_netr_GetDcName(b,
-                       p->mem_ctx, domain->dcname,
-                       r->in.domain_name, &dc_info->dc_unc, &werr);
-       } else {
-               status = dcerpc_netr_GetAnyDCName(b,
-                       p->mem_ctx, domain->dcname,
-                       r->in.domain_name, &dc_info->dc_unc, &werr);
-       }
-
-       if (!retry && reset_cm_connection_on_error(domain, b, status)) {
-               retry = true;
-               goto reconnect;
-       }
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
-                          nt_errstr(status)));
-               goto done;
-       }
-       if (!W_ERROR_IS_OK(werr)) {
-               DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n",
-                          win_errstr(werr)));
-               status = werror_to_ntstatus(werr);
-               goto done;
-       }
-
-       *r->out.dc_info = dc_info;
-       status = NT_STATUS_OK;
-
-done:
-       /* And restore our original timeout. */
-       rpccli_set_timeout(netlogon_pipe, orig_timeout);
-
-       return status;
+       return dsgetdcname(p->mem_ctx, global_messaging_context(),
+                          r->in.domain_name, r->in.domain_guid,
+                          r->in.site_name ? r->in.site_name : "",
+                          r->in.flags,
+                          r->out.dc_info);
 }
 
 NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
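Review bot: _wbint_DsGetDcName() loses its whole netlogon path, including the netr_GetDcName/netr_GetAnyDCName fallback and the DS_PDC_REQUIRED handling, but nothing in the function says why. A short comment above the dsgetdcname() call referencing bug 15876 would stop someone from restoring the netlogon path later. wb_child_domain() is no longer consulted either, so the result no longer depends on which child domain handles the request; note that too if it is intentional.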
diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_proto.h 
samba-4.22.3+dfsg/source3/winbindd/winbindd_proto.h
--- samba-4.22.2+dfsg/source3/winbindd/winbindd_proto.h 2025-02-06 
13:31:54.624149000 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/winbindd_proto.h 2025-07-07 
19:18:35.405030700 +0300
@@ -608,6 +608,7 @@
                   struct dom_sid **sids, uint32_t *num_sids);
 bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr,
                   struct unixid **pxids, uint32_t *pnum_xids);
+const char *find_dns_domain_name(const char *domain_name);
 
 /* The following definitions come from winbindd/winbindd_wins.c  */
 
diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_util.c 
samba-4.22.3+dfsg/source3/winbindd/winbindd_util.c
--- samba-4.22.2+dfsg/source3/winbindd/winbindd_util.c  2025-02-06 
13:31:54.624149000 +0300
+++ samba-4.22.3+dfsg/source3/winbindd/winbindd_util.c  2025-07-07 
19:18:35.409030700 +0300
@@ -2230,3 +2230,22 @@
        TALLOC_FREE(xids);
        return false;
 }
+
+/**
+ * Helper to extract the DNS Domain Name from a struct winbindd_domain
+ */
+const char *find_dns_domain_name(const char *domain_name)
+{
+       struct winbindd_domain *wbdom = NULL;
+
+       wbdom = find_domain_from_name(domain_name);
+       if (wbdom == NULL) {
+               return domain_name;
+       }
+
+       if (wbdom->active_directory && wbdom->alt_name != NULL) {
+               return wbdom->alt_name;
+       }
+
+       return wbdom->name;
+}
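Review bot: The doc comment says the helper extracts the DNS domain name "from a struct winbindd_domain", but the function takes a name string, and two of its three return paths can hand back something that is not a DNS name: the input itself when find_domain_from_name() finds nothing, and wbdom->name when the domain is not AD or alt_name is NULL. Reword the comment to describe the lookup and both fallbacks, and state that the returned pointer is borrowed (from the winbindd_domain, or the caller's own argument) and must not be freed. domain_name is also passed to find_domain_from_name() without a NULL check; either document that callers must pass a non-NULL name or add the check.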

--- End Message ---
--- Begin Message ---
Unblocked samba.

--- End Message ---
