Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sa...@packages.debian.org, pkg-samba-de...@lists.alioth.debian.org
Control: affects -1 + src:samba
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
With the Jul-08 update, Microsoft changed some security settings in Windows Active Directory services, which broke samba as an AD member server in some configurations: samba assumed some calls to AD can be done without auth, but it isn't true anymore. Samba upstream had to make out-of-order releases for the supported series, and one of them (4.22.3) is being pushed to trixie. The required changes were back-ported to previous samba versions. For more information, see the samba 4.22.3 release announcement at https://www.samba.org/samba/history/samba-4.22.3.html .

There were a few other bug fixes also backported from later releases. And finally, there's one change in packaging, fixing a wrong versioned dependency between arch and indep packages built from the same source - thankfully we had no samba bin-NMUs in bookworm, or else it wouldn't work due to this wrong dependency.

[ Impact ]
In some configurations (when using idmap backend = ad), samba won't be able to function as an AD domain member server anymore.

[ Tests ]
There isn't much testing done for this particular update. I verified basic functionality of the resulting samba, including basic domain functionality. At the same time, all changes are verified for later samba versions, and are part of the upstream stable series too.

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or complex, alternatives available.)

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Each newly included patch has a link to the samba bugzilla entry, which has all the information about the issue it is fixing.

[ Other info ]
The bulk of the work for this update has been done by Salvatore Bonaccorso, I'm grateful for his help.
Since Microsoft has already released updates for Windows which prevent samba from working, it would be great if this update is pushed to stable-updates before the next bookworm point release. Debdiff is below.

Thanks,

/mjt

diff -Nru samba-4.17.12+dfsg/debian/changelog samba-4.17.12+dfsg/debian/changelog --- samba-4.17.12+dfsg/debian/changelog 2023-10-10 18:17:19.000000000 +0300 +++ samba-4.17.12+dfsg/debian/changelog 2025-07-11 11:21:51.000000000 +0300
@@ -1,3 +1,28 @@ +samba (2:4.17.12+dfsg-0+deb12u2) bookworm; urgency=medium + + [ Salvatore Bonaccorso ] + * several patches from upstream: + - s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch: + s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL + - s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch: + s3:libsmb: allow store_cldap_reply() to work with a ipv6 response + - s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch: + s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND + - s3-winbindd-use-better-debug-messages-than-talloc_st.patch: + s3:winbindd: use better debug messages than 'talloc_strdup failed' + - s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch: + s3:winbindd: avoid using any netlogon call to get a dc name + s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch: + s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name + (Closes: #1108904) + + [ Michael Tokarev ] + * d/control: fix versioned dependency on samba for samba-ad-dc + samba-ad-dc is arch-all package. We need samba >= ${source:Version}~ + (note the tilde at the end), not ${binary:Version} (without tilde) + + -- Michael Tokarev <m...@tls.msk.ru> Fri, 11 Jul 2025 11:21:51 +0300 + samba (2:4.17.12+dfsg-0+deb12u1) bookworm-security; urgency=medium * new stable security bugfix release: diff -Nru samba-4.17.12+dfsg/debian/control samba-4.17.12+dfsg/debian/control --- samba-4.17.12+dfsg/debian/control 2023-10-10 18:15:43.000000000 +0300 +++ samba-4.17.12+dfsg/debian/control 2025-07-10 16:02:07.000000000 +0300 
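Review bot: in the "several patches from upstream" list, the sixth entry (s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch) is missing the leading "- " that the other five entries carry, so it reads as a continuation of the s3-winbindd-avoid-using-any-netlogon item; add the dash. The "(Closes: #1108904)" hangs off that sixth entry only, although the avoid-netlogon patch below carries the same Bug-Debian: https://bugs.debian.org/1108904 header; attaching the Closes to the list as a whole (or to the "several patches from upstream" line) would state more accurately that the bug is fixed by the set, not by one patch.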
@@ -190,7 +190,7 @@ Architecture: all Multi-Arch: foreign Pre-Depends: ${misc:Pre-Depends} -Depends: samba (>= ${binary:Version}), samba-dsdb-modules, samba-vfs-modules, +Depends: samba (>= ${source:Version}~), samba-dsdb-modules, samba-vfs-modules, winbind, krb5-kdc (>> 1.19.0) <pkg.samba.mitkrb5>, ${misc:Depends} diff -Nru samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch --- samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch 2025-07-10 16:02:07.000000000 +0300 
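Review bot: the d/control hunk and its changelog entry say what changed ("note the tilde at the end") but not what fails without it; spell out the scenario in the changelog, i.e. which version string a bin-NMU'd (or backported) samba carries versus what the Architecture: all samba-ad-dc ends up requiring with ${binary:Version}, so a reviewer can check the fix against the policy recommendation for arch-all packages depending on arch-any ones from the same source. The hunk touches only samba-ad-dc; the other Architecture: all stanzas in d/control should be checked for the same ${binary:Version} pattern before upload, since the same bin-NMU argument applies to them.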
@@ -0,0 +1,55 @@ +From: Stefan Metzmacher <me...@samba.org> +Date: Tue, 7 May 2024 14:53:24 +0000 +Subject: s3:libsmb: allow store_cldap_reply() to work with a ipv6 response +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642 + +Signed-off-by: Stefan Metzmacher <me...@samba.org> +Reviewed-by: Andrew Bartlett <abart...@samba.org> + +Autobuild-User(master): Andrew Bartlett <abart...@samba.org> +Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224 +--- + source3/libsmb/dsgetdcname.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c +index 0fcf23a280ee..654893c172c6 100644 +--- a/source3/libsmb/dsgetdcname.c ++++ b/source3/libsmb/dsgetdcname.c +@@ -196,7 +196,29 @@ static NTSTATUS store_cldap_reply(TALLOC_CTX *mem_ctx, + /* FIXME */ + r->sockaddr_size = 0x10; /* the w32 winsock addr size */ + r->sockaddr.sockaddr_family = 2; /* AF_INET */ +- r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, addr); ++ if (is_ipaddress_v4(addr)) { ++ r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, addr); ++ if (r->sockaddr.pdc_ip == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } else { ++ /* ++ * ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX will ++ * fail with an ipv6 address. ++ * ++ * This matches windows behaviour in the CLDAP ++ * response when NETLOGON_NT_VERSION_5EX_WITH_IP ++ * is used. ++ * ++ * Windows returns the ipv4 address of the ipv6 ++ * server interface and falls back to 127.0.0.1 ++ * if there's no ipv4 address. 
++ */ ++ r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, "127.0.0.1"); ++ if (r->sockaddr.pdc_ip == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } + + ndr_err = ndr_push_struct_blob(&blob, mem_ctx, r, + (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX); +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch --- samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch 2025-07-10 16:02:07.000000000 +0300 
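Review bot: the new else branch in store_cldap_reply() always stores "127.0.0.1", but the comment above it describes Windows doing two things (return the IPv4 address of the IPv6 server interface, and only fall back to 127.0.0.1 when there is none); the code implements only the fallback, so either attempt the first step or reword the comment to say this code takes the unconditional fallback. Note also that the lines just above the hunk still set r->sockaddr_size = 0x10 and r->sockaddr.sockaddr_family = 2 (AF_INET) under a /* FIXME */, so a client talking to an IPv6-only DC now receives a well-formed sockaddr pointing at loopback; the comment should say that consumers must not use pdc_ip from this path for connecting and should rely on the DNS name instead.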
@@ -0,0 +1,35 @@ +From: Stefan Metzmacher <me...@samba.org> +Date: Thu, 15 Feb 2024 17:29:46 +0100 +Subject: s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42 + +In 2024 we always want an active directory response... + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 + +Signed-off-by: Stefan Metzmacher <me...@samba.org> +Reviewed-by: Andrew Bartlett <abart...@samba.org> +--- + source3/libsmb/dsgetdcname.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c +index 09a6e6648b42..0fcf23a280ee 100644 +--- a/source3/libsmb/dsgetdcname.c ++++ b/source3/libsmb/dsgetdcname.c +@@ -930,6 +930,11 @@ static NTSTATUS process_dc_netbios(TALLOC_CTX *mem_ctx, + name_type = NBT_NAME_PDC; + } + ++ /* ++ * It's 2024 we always want an AD style response! ++ */ ++ nt_version |= NETLOGON_NT_VERSION_AVOID_NT4EMUL; ++ + nt_version |= map_ds_flags_to_nt_version(flags); + + snprintf(my_acct_name, +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch --- samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch 2025-07-10 16:02:07.000000000 +0300 
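Review bot: the added comment ("It's 2024 we always want an AD style response!") dates the code rather than explaining it; say what the bit does for the caller, e.g. that NETLOGON_NT_VERSION_AVOID_NT4EMUL asks the DC not to emulate an NT4 DC, so an AD DC answers with the NETLOGON_SAM_LOGON_RESPONSE_EX format that store_cldap_reply() in this file pushes. The OR is done before map_ds_flags_to_nt_version(flags), so it applies regardless of the DS_* flags a caller passes, and the name_type = NBT_NAME_PDC branch visible just above still exists for non-AD lookups; the commit message should state that DCs in that path tolerate the extra bit.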
@@ -0,0 +1,44 @@ +From: Stefan Metzmacher <me...@samba.org> +Date: Fri, 11 Oct 2024 13:32:22 +0000 +Subject: s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/e47ce1d10b13d8ef165c70984e6e490f4c2a64c2 + +We may get NT_STATUS_NOT_FOUND when the name can't be resolved +and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4 +addresses... + +Signed-off-by: Stefan Metzmacher <me...@samba.org> +Reviewed-by: Andreas Schneider <a...@samba.org> +--- + source3/libsmb/dsgetdcname.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c +index 9053ee5c8b05..6bbe4e0b4ad1 100644 +--- a/source3/libsmb/dsgetdcname.c ++++ b/source3/libsmb/dsgetdcname.c +@@ -435,7 +435,19 @@ static NTSTATUS discover_dc_netbios(TALLOC_CTX *mem_ctx, + &count, + resolve_order); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10,("discover_dc_netbios: failed to find DC\n")); ++ NTSTATUS raw_status = status; ++ ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { ++ status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; ++ } ++ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ADDRESS)) { ++ status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; ++ } ++ ++ DBG_DEBUG("failed to find DC for %s: %s => %s\n", ++ domain_name, ++ nt_errstr(raw_status), ++ nt_errstr(status)); + return status; + } + +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch --- samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch 2025-07-10 16:02:07.000000000 +0300 
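Review bot: the two remaps are independent ifs on the same `status` variable assigning the same value; `if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND) || NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ADDRESS))` reads as one rule and avoids testing an already-remapped value. The commit message lists the two raw statuses but not why both must collapse to NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND: after this change callers of dsgetdcname() that distinguish DOMAIN_CONTROLLER_NOT_FOUND from other failures (for instance _wbint_DsGetDcName(), which later in this debdiff returns dsgetdcname()'s status directly) see the same status for "name did not resolve" and "host has no IPv4 address"; that should be stated.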
@@ -0,0 +1,182 @@ +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <g...@samba.org> +Date: Wed, 2 Jul 2025 21:59:48 +0200 +Subject: s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/2560c9b3224816ffd371a62103f65b3aca301ad5 +Bug-Debian: https://bugs.debian.org/1108904 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +when winbind calls to dsgetdcname internally, make sure to +prefer the DNS domain name if we have it. Makes DNS lookups much more +likely to succeed. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + +Guenther + +Signed-off-by: Guenther Deschner <g...@samba.org> +Reviewed-by: Andreas Schneider <a...@samba.org> +Reviewed-by: Ralph Boehme <s...@samba.org> + +Autobuild-User(master): Ralph Böhme <s...@samba.org> +Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224 +--- + source3/winbindd/wb_queryuser.c | 17 +++++++++++++---- + source3/winbindd/wb_sids2xids.c | 17 +++++++++++++---- + source3/winbindd/wb_xids2sids.c | 12 +++++++++--- + source3/winbindd/winbindd_dual.c | 6 +++++- + source3/winbindd/winbindd_proto.h | 1 + + source3/winbindd/winbindd_util.c | 19 +++++++++++++++++++ + 6 files changed, 60 insertions(+), 12 deletions(-) + +diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c +index c2758f1b76ac..db8e946ba717 100644 +--- a/source3/winbindd/wb_queryuser.c ++++ b/source3/winbindd/wb_queryuser.c +@@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) + + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { +- D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n"); +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->info->domain_name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->info->domain_name); 
++ ++ D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " ++ "wb_dsgetdcname_send(%s)\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c +index f0f6c23fc20b..03e5e7e02581 100644 +--- a/source3/winbindd/wb_sids2xids.c ++++ b/source3/winbindd/wb_sids2xids.c +@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) + !state->tried_dclookup) { + + struct lsa_DomainInfo *d; ++ const char *domain_name = NULL; + +- D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n"); + d = &state->idmap_doms.domains[state->dom_index]; + +- subreq = wb_dsgetdcname_send( +- state, state->ev, d->name.string, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ domain_name = find_dns_domain_name(d->name.string); ++ ++ D_DEBUG("Domain controller not found. 
Calling " ++ "wb_dsgetdcname_send(%s) to get it.\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c +index 86bd7f9deab6..6fcf524d94fd 100644 +--- a/source3/winbindd/wb_xids2sids.c ++++ b/source3/winbindd/wb_xids2sids.c +@@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { + +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->dom_map->name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->dom_map->name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c +index 57e768844165..ccea44acf185 100644 +--- a/source3/winbindd/winbindd_dual.c ++++ b/source3/winbindd/winbindd_dual.c +@@ -548,6 +548,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, + struct wb_domain_request_state *state = tevent_req_data( + req, struct wb_domain_request_state); + struct winbindd_domain *domain = state->domain; ++ const char *domain_name = NULL; + struct tevent_req *subreq = NULL; + size_t shortest_queue_length; + +@@ -623,8 +624,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, + * which is indicated by DS_RETURN_DNS_NAME. + * For NT4 domains we still get the netbios name. 
+ */ ++ ++ domain_name = find_dns_domain_name(state->domain->name); ++ + subreq = wb_dsgetdcname_send(state, state->ev, +- state->domain->name, ++ domain_name, + NULL, /* domain_guid */ + NULL, /* site_name */ + DS_RETURN_DNS_NAME); /* flags */ +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index 6d11a41d8156..3734ab490864 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -608,6 +608,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, + struct dom_sid **sids, uint32_t *num_sids); + bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, + struct unixid **pxids, uint32_t *pnum_xids); ++const char *find_dns_domain_name(const char *domain_name); + + /* The following definitions come from winbindd/winbindd_wins.c */ + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 054661776003..954d01928b2d 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -2673,3 +2673,22 @@ fail: + TALLOC_FREE(xids); + return false; + } ++ ++/** ++ * Helper to extract the DNS Domain Name from a struct winbindd_domain ++ */ ++const char *find_dns_domain_name(const char *domain_name) ++{ ++ struct winbindd_domain *wbdom = NULL; ++ ++ wbdom = find_domain_from_name(domain_name); ++ if (wbdom == NULL) { ++ return domain_name; ++ } ++ ++ if (wbdom->active_directory && wbdom->alt_name != NULL) { ++ return wbdom->alt_name; ++ } ++ ++ return wbdom->name; ++} +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch --- samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch 2025-07-10 16:02:07.000000000 +0300 
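Review bot: in the winbindd_dual.c hunk, `domain_name = find_dns_domain_name(state->domain->name);` runs with `struct winbindd_domain *domain = state->domain;` already in scope, so the helper does a find_domain_from_name() round trip by name only to return a field of the struct the caller already holds; use `domain->active_directory && domain->alt_name != NULL ? domain->alt_name : domain->name` here (or add a variant of the helper that takes the struct), which also removes the dependence on name lookup being unambiguous. In the winbindd_util.c hunk the doc comment says "from a struct winbindd_domain" while the function takes a `const char *domain_name`; fix the comment and note that the returned pointer aliases wbdom->alt_name, wbdom->name or the caller's argument and must not be freed.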
@@ -0,0 +1,307 @@ +From: Stefan Metzmacher <me...@samba.org> +Date: Fri, 9 May 2025 09:38:41 +0200 +Subject: s3:winbindd: avoid using any netlogon call to get a dc name +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/f86a4bf6848ade2db7229d182576db3320c3ece7 +Bug-Debian: https://bugs.debian.org/1108904 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + +Signed-off-by: Stefan Metzmacher <me...@samba.org> +Reviewed-by: Guenther Deschner <g...@samba.org> +Reviewed-by: Andreas Schneider <a...@samba.org> +Reviewed-by: Ralph Boehme <s...@samba.org> +--- + source3/winbindd/winbindd_cm.c | 150 --------------------------- + source3/winbindd/winbindd_dual_srv.c | 105 +------------------ + 2 files changed, 5 insertions(+), 250 deletions(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index cc0b47b0600c..15a2f60c5321 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -477,140 +477,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) + return ret; + } + +-static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, +- fstring dcname, +- struct sockaddr_storage *dc_ss, +- uint32_t request_flags) +-{ +- struct winbindd_domain *our_domain = NULL; +- struct rpc_pipe_client *netlogon_pipe = NULL; +- NTSTATUS result; +- WERROR werr; +- TALLOC_CTX *mem_ctx; +- unsigned int orig_timeout; +- const char *tmp = NULL; +- const char *p; +- struct dcerpc_binding_handle *b; +- +- /* Hmmmm. We can only open one connection to the NETLOGON pipe at the +- * moment.... 
*/ +- +- if (IS_DC) { +- return False; +- } +- +- if (domain->primary) { +- return False; +- } +- +- our_domain = find_our_domain(); +- +- if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { +- return False; +- } +- +- result = cm_connect_netlogon(our_domain, &netlogon_pipe); +- if (!NT_STATUS_IS_OK(result)) { +- talloc_destroy(mem_ctx); +- return False; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. */ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (our_domain->active_directory) { +- struct netr_DsRGetDCNameInfo *domain_info = NULL; +- +- /* +- * TODO request flags are not respected in the server +- * (and in some cases, like REQUIRE_PDC, causes an error) +- */ +- result = dcerpc_netr_DsRGetDCName(b, +- mem_ctx, +- our_domain->dcname, +- domain->name, +- NULL, +- NULL, +- request_flags|DS_RETURN_DNS_NAME, +- &domain_info, +- &werr); +- if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { +- tmp = talloc_strdup( +- mem_ctx, domain_info->dc_unc); +- if (tmp == NULL) { +- DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", +- domain_info->dc_unc); +- talloc_destroy(mem_ctx); +- return false; +- } +- if (domain->alt_name == NULL) { +- domain->alt_name = talloc_strdup(domain, +- domain_info->domain_name); +- if (domain->alt_name == NULL) { +- DBG_ERR("talloc_strdup failed for " +- "domain_info->domain_name[%s]\n", +- domain_info->domain_name); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- if (domain->forest_name == NULL) { +- domain->forest_name = talloc_strdup(domain, +- domain_info->forest_name); +- if (domain->forest_name == NULL) { +- DBG_ERR("talloc_strdup failed for " +- "domain_info->forest_name[%s]\n", +- domain_info->forest_name); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- } +- } else { +- result = dcerpc_netr_GetAnyDCName(b, mem_ctx, +- our_domain->dcname, +- domain->name, +- &tmp, +- &werr); +- } 
+- +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- if (!NT_STATUS_IS_OK(result)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- nt_errstr(result))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- win_errstr(werr))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ +- p = strip_hostname(tmp); +- +- fstrcpy(dcname, p); +- +- talloc_destroy(mem_ctx); +- +- DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); +- +- if (!resolve_name(dcname, dc_ss, 0x20, true)) { +- return False; +- } +- +- return True; +-} +- + /** + * Helper function to assemble trust password and account name + */ +@@ -1297,24 +1163,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, + struct samba_sockaddr *sa_list = NULL; + size_t salist_size = 0; + size_t i; +- bool is_our_domain; + enum security_types sec = (enum security_types)lp_security(); + +- is_our_domain = strequal(domain->name, lp_workgroup()); +- +- /* If not our domain, get the preferred DC, by asking our primary DC */ +- if ( !is_our_domain +- && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) +- && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, +- num_dcs) ) +- { +- char addr[INET6_ADDRSTRLEN]; +- print_sockaddr(addr, sizeof(addr), &ss); +- DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", +- dcname, addr)); +- return True; +- } +- + if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { + char *sitename = NULL; + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index b1809809b13e..c48ca15dd2b2 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -661,106 +661,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, + + NTSTATUS _wbint_DsGetDcName(struct pipes_struct 
*p, struct wbint_DsGetDcName *r) + { +- struct winbindd_domain *domain = wb_child_domain(); +- struct rpc_pipe_client *netlogon_pipe; +- struct netr_DsRGetDCNameInfo *dc_info; +- NTSTATUS status; +- WERROR werr; +- unsigned int orig_timeout; +- struct dcerpc_binding_handle *b; +- bool retry = false; +- bool try_dsrgetdcname = false; +- +- if (domain == NULL) { +- return dsgetdcname(p->mem_ctx, global_messaging_context(), +- r->in.domain_name, r->in.domain_guid, +- r->in.site_name ? r->in.site_name : "", +- r->in.flags, +- r->out.dc_info); +- } +- +- if (domain->active_directory) { +- try_dsrgetdcname = true; +- } +- +-reconnect: +- status = cm_connect_netlogon(domain, &netlogon_pipe); +- +- reset_cm_connection_on_error(domain, NULL, status); +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("Can't contact the NETLOGON pipe\n")); +- return status; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. 
*/ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (try_dsrgetdcname) { +- status = dcerpc_netr_DsRGetDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, NULL, r->in.domain_guid, +- r->in.flags, r->out.dc_info, &werr); +- if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { +- goto done; +- } +- if (!retry && +- reset_cm_connection_on_error(domain, NULL, status)) +- { +- retry = true; +- goto reconnect; +- } +- try_dsrgetdcname = false; +- retry = false; +- } +- +- /* +- * Fallback to less capable methods +- */ +- +- dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); +- if (dc_info == NULL) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- +- if (r->in.flags & DS_PDC_REQUIRED) { +- status = dcerpc_netr_GetDcName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } else { +- status = dcerpc_netr_GetAnyDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } +- +- if (!retry && reset_cm_connection_on_error(domain, b, status)) { +- retry = true; +- goto reconnect; +- } +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- nt_errstr(status))); +- goto done; +- } +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- win_errstr(werr))); +- status = werror_to_ntstatus(werr); +- goto done; +- } +- +- *r->out.dc_info = dc_info; +- status = NT_STATUS_OK; +- +-done: +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- return status; ++ return dsgetdcname(p->mem_ctx, global_messaging_context(), ++ r->in.domain_name, r->in.domain_guid, ++ r->in.site_name ? 
r->in.site_name : "", ++ r->in.flags, ++ r->out.dc_info); + } + + NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch --- samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch 1970-01-01 03:00:00.000000000 +0300 +++ samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch 2025-07-10 16:02:07.000000000 +0300 
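Review bot: the deleted get_dc_name_via_netlogon() was also where domain->alt_name and domain->forest_name got filled in from the netr_DsRGetDCName reply when they were NULL (the '-' lines in winbindd_cm.c), and nothing in the replacement path repopulates them: get_dcs() now falls straight through to the `(sec == SEC_ADS) && (domain->alt_name != NULL)` branch and _wbint_DsGetDcName() just returns dsgetdcname(). Since the s3-winbindd-Fix-internal-winbind patch in this same debdiff makes find_dns_domain_name() depend on wbdom->alt_name for trusted domains, the commit message should say where alt_name is now obtained for a trusted domain. Also check get_dcs() after this hunk: dcname, ss and request_flags were consumed by the removed call and are not referenced in the remaining visible context, so confirm they are still used or drop them to avoid unused-variable warnings.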
@@ -0,0 +1,54 @@ +From: Stefan Metzmacher <me...@samba.org> +Date: Fri, 26 Jan 2024 09:25:11 +0100 +Subject: s3:winbindd: use better debug messages than 'talloc_strdup failed' +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/814ae222ca15ff7093a71639cdcc97b9937670ce + +Signed-off-by: Stefan Metzmacher <me...@samba.org> +Reviewed-by: Andrew Bartlett <abart...@samba.org> + +Autobuild-User(master): Stefan Metzmacher <me...@samba.org> +Autobuild-Date(master): Fri Apr 5 13:28:42 UTC 2024 on atb-devel-224 +--- + source3/winbindd/winbindd_cm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 1685edbabaa2..aebb4561ae8b 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -540,7 +540,8 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, + tmp = talloc_strdup( + mem_ctx, domain_info->dc_unc); + if (tmp == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); ++ DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", ++ domain_info->dc_unc); + talloc_destroy(mem_ctx); + return false; + } +@@ -548,7 +549,9 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, + domain->alt_name = talloc_strdup(domain, + domain_info->domain_name); + if (domain->alt_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); ++ DBG_ERR("talloc_strdup failed for " ++ "domain_info->domain_name[%s]\n", ++ domain_info->domain_name); + talloc_destroy(mem_ctx); + return false; + } +@@ -557,7 +560,9 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, + domain->forest_name = talloc_strdup(domain, + domain_info->forest_name); + if (domain->forest_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); ++ DBG_ERR("talloc_strdup failed for " ++ "domain_info->forest_name[%s]\n", ++ domain_info->forest_name); + talloc_destroy(mem_ctx); + return false; + } +-- +2.50.0 + diff -Nru 
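Review bot: this patch only changes three DEBUG(0, ...) messages inside get_dc_name_via_netlogon(), which s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch, applied after it in d/patches/series, deletes wholesale; its only effect in this package is to make the '-' lines of the later patch apply cleanly. Either say so in the changelog ("applied only so the following patch applies") or refresh the removal patch against the original DEBUG(0, ("talloc_strdup failed\n")) lines and drop this one, so the series carries no dead patch.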
samba-4.17.12+dfsg/debian/patches/series samba-4.17.12+dfsg/debian/patches/series --- samba-4.17.12+dfsg/debian/patches/series 2023-10-10 18:15:43.000000000 +0300 +++ samba-4.17.12+dfsg/debian/patches/series 2025-07-10 16:02:07.000000000 +0300 @@ -24,3 +24,9 @@ meaningful-error-if-no-python3-markdown.patch ctdb-use-run-instead-of-var-run.patch heimdal-to-support-KEYRING-ccache.patch +s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch +s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch +s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch +s3-winbindd-use-better-debug-messages-than-talloc_st.patch +s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch +s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch
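The two libsmb patches above deal with the reply to the unauthenticated CLDAP "LDAP ping" that dsgetdcname() uses: the NETLOGON_NT_VERSION_AVOID_NT4EMUL bit requests the AD-style NETLOGON_SAM_LOGON_RESPONSE_EX reply, and store_cldap_reply() has to substitute 127.0.0.1 because that reply's DcSockAddr field is a 16-byte sockaddr_in that cannot hold an IPv6 address. The following is an added example, not samba code and not part of the debdiff: it encodes and decodes that reply in Python following the MS-ADTS 6.3.1.8 layout, with the optional sockaddr and next-closest-site fields keyed on the NtVer flags the client sent (the client knows what it asked for). The flag values, opcode and sockaddr_in layout are from the specification; the function names, the `SAMPLE_DC` values and the `example.com` domain are constructed for illustration.

```python
"""Encode/decode a NETLOGON_SAM_LOGON_RESPONSE_EX blob (payload of the CLDAP
"LDAP ping" behind dsgetdcname()) and show why an IPv6 DC address cannot ride
in its DcSockAddr field.  Example code; names and sample values are made up."""
import ipaddress
import struct
import uuid

# netlogon_nt_version flag bits (MS-ADTS 6.3.1.2) used by the samba patches
NETLOGON_NT_VERSION_5EX = 0x00000004
NETLOGON_NT_VERSION_5EX_WITH_IP = 0x00000008
NETLOGON_NT_VERSION_WITH_CLOSEST_SITE = 0x00000010
NETLOGON_NT_VERSION_AVOID_NT4EMUL = 0x01000000
LOGON_SAM_LOGON_RESPONSE_EX = 0x17  # opcode of the AD-style (EX) reply

NAME_FIELDS = ("forest", "dns_domain", "pdc_dns_name", "domain_name",
               "pdc_name", "user_name", "server_site", "client_site")

def client_nt_version(ds_bits: int = 0) -> int:
    """NtVer a member should send: like the dsgetdcname patch, always OR in
    AVOID_NT4EMUL so an AD DC never answers with an NT4-style reply."""
    return (NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP
            | NETLOGON_NT_VERSION_AVOID_NT4EMUL | ds_bits)

def choose_pdc_ip(addr: str) -> str:
    """The store_cldap_reply() fallback: DcSockAddr is a 16-byte sockaddr_in,
    so only an IPv4 literal fits; anything else is replaced by 127.0.0.1."""
    try:
        return str(ipaddress.IPv4Address(addr))
    except ipaddress.AddressValueError:
        return "127.0.0.1"

def _push_name(buf: bytearray, name: str, seen: dict) -> None:
    """RFC 1035 labels with compression pointers (offsets from blob start)."""
    labels = name.split(".") if name else []
    while labels:
        suffix = ".".join(labels)
        if suffix in seen:                       # reuse an earlier suffix
            buf += struct.pack(">H", 0xC000 | seen[suffix])
            return
        seen[suffix] = len(buf)
        label = labels.pop(0).encode("utf-8")
        buf += bytes([len(label)]) + label
    buf.append(0)                                # root label terminates

def _pull_name(blob: bytes, pos: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = blob[pos]
        if n & 0xC0 == 0xC0:                     # pointer: follow it
            end = pos + 2 if end is None else end
            pos = struct.unpack_from(">H", blob, pos)[0] & 0x3FFF
            continue
        pos += 1
        if n == 0:
            break
        labels.append(blob[pos:pos + n].decode("utf-8"))
        pos += n
    return ".".join(labels), (pos if end is None else end)

def push_response_ex(r: dict, nt_version: int) -> bytes:
    """Build the blob a DC returns; raises ValueError for a non-IPv4 pdc_ip,
    the same failure ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX hits."""
    buf = bytearray(struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0,
                                r["server_type"]))
    buf += uuid.UUID(r["domain_uuid"]).bytes_le
    seen = {}
    for f in NAME_FIELDS:
        _push_name(buf, r[f], seen)
    if nt_version & NETLOGON_NT_VERSION_5EX_WITH_IP:
        ip = ipaddress.IPv4Address(r["pdc_ip"])
        # sockaddr_in: family AF_INET (2), port 0, IPv4, 8 bytes of padding
        buf += bytes([16]) + struct.pack("<HH", 2, 0) + ip.packed + bytes(8)
    if nt_version & NETLOGON_NT_VERSION_WITH_CLOSEST_SITE:
        _push_name(buf, r["next_closest_site"], seen)
    buf += struct.pack("<IHH", nt_version, 0xFFFF, 0xFFFF)
    return bytes(buf)

def pull_response_ex(blob: bytes, nt_version: int) -> dict:
    """Parse a blob produced for a client that sent nt_version."""
    cmd, _sbz, server_type = struct.unpack_from("<HHI", blob, 0)
    if cmd != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError(f"not an EX response, opcode 0x{cmd:x}")
    r, pos = {"server_type": server_type,
              "domain_uuid": str(uuid.UUID(bytes_le=blob[8:24]))}, 24
    for f in NAME_FIELDS:
        r[f], pos = _pull_name(blob, pos)
    if nt_version & NETLOGON_NT_VERSION_5EX_WITH_IP:
        size, family = blob[pos], struct.unpack_from("<H", blob, pos + 1)[0]
        if size != 16 or family != 2:
            raise ValueError("DcSockAddr is not a 16-byte AF_INET sockaddr")
        r["pdc_ip"], pos = str(ipaddress.IPv4Address(blob[pos + 5:pos + 9])), pos + 17
    if nt_version & NETLOGON_NT_VERSION_WITH_CLOSEST_SITE:
        r["next_closest_site"], pos = _pull_name(blob, pos)
    r["nt_version"], r["lmnt_token"], r["lm20_token"] = struct.unpack_from("<IHH", blob, pos)
    return r

SAMPLE_DC = {  # constructed values, not from any real domain
    "server_type": 0x0000F1FD, "domain_uuid": "12345678-1234-5678-9abc-def012345678",
    "forest": "example.com", "dns_domain": "example.com",
    "pdc_dns_name": "dc1.example.com", "domain_name": "EXAMPLE", "pdc_name": "DC1",
    "user_name": "", "server_site": "Default-First-Site-Name",
    "client_site": "Default-First-Site-Name", "next_closest_site": "",
}

def needs_fallback(dc_addr: str) -> bool:
    """True when the raw address would make the push fail (the IPv6 case)."""
    try:
        push_response_ex(dict(SAMPLE_DC, pdc_ip=dc_addr), client_nt_version())
        return False
    except ValueError:
        return True

def roundtrip(dc_addr: str) -> dict:
    """Encode the reply a DC reachable at dc_addr would send, then parse it."""
    ntver = client_nt_version()
    reply = push_response_ex(dict(SAMPLE_DC, pdc_ip=choose_pdc_ip(dc_addr)), ntver)
    return pull_response_ex(reply, ntver)
```

`roundtrip("2001:db8::10")` comes back with `pdc_ip == "127.0.0.1"` while every DNS name in the reply is intact, which is exactly the state a client is in after the store_cldap_reply() patch: the host name is usable, the embedded IPv4 sockaddr is not. The name compression is the RFC 1035 pointer scheme the blob uses, with offsets relative to the start of the netlogon structure rather than a DNS packet.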