Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:samba
User: [email protected]
Usertags: unblock
Please unblock package samba

[ Reason ]
This is an upstream stable/bugfix release, with usual-for-samba carefully picked up bugfixes. This time, there are just a few bugfixes, and a change which is needed for upcoming (Jul-08) update of Microsoft Active Directory Domain Controller security improvements. When samba acts as a member of MS AD, in some configurations, it won't function anymore after the Windows update. See #1108904 (https://bugzilla.samba.org/show_bug.cgi?id=15876) for more information about this issue.

Additionally there's a tiny change in Debian packaging: I replaced FSF postal address with a gnu.org URL.

[ Tests ]
This release passes usual samba testsuite. Additionally, I verified basic functionality in our internal AD domain, there are no obvious regressions (and some improvements).

[ Risks ]
Usually samba stable updates are of low risk. This one seems to be of the same category.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
There's a set of logical commits between samba 4.22.2 and 4.22.3 releases, see https://salsa.debian.org/samba-team/samba/-/commits/upstream_4.22 (all commits between samba-4.22.2 and samba-4.22.3 tags). This is the difference in the debdiff. Debdiff is below.

unblock samba/2:4.22.3+dfsg-1

Thanks,

/mjt

diff -Nru samba-4.22.2+dfsg/VERSION samba-4.22.3+dfsg/VERSION --- samba-4.22.2+dfsg/VERSION 2025-06-05 18:38:33.686580400 +0300 +++ samba-4.22.3+dfsg/VERSION 2025-07-07 19:18:35.329030000 +0300 
@@ -27,7 +27,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=22 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 ######################################################## # If a official release has a serious bug # diff -Nru samba-4.22.2+dfsg/WHATSNEW.txt samba-4.22.3+dfsg/WHATSNEW.txt --- samba-4.22.2+dfsg/WHATSNEW.txt 2025-06-05 18:38:33.686580400 +0300 +++ samba-4.22.3+dfsg/WHATSNEW.txt 2025-07-07 19:18:35.329030000 +0300 
@@ -1,4 +1,89 @@ ============================== + Release Notes for Samba 4.22.3 + July 07, 2025 + ============================== + + +This is the latest stable release of the Samba 4.22 release series. + + +Important Change in Upcoming Microsoft Update +--------------------------------------------- + +On 8th of July, Microsoft will release an important security update for +Active Directory Domain Controllers for Windows Server versions prior to +2025. + +This update includes a change to the Microsoft RPC Netlogon protocol, +which improves security by tightening access checks for a set of RPC +requests. Samba running as domain members in these environments will be +impacted by this change if a specific configuration is used, see below +for which configuration is affected. + +Windows Server version 2025 is already equipped with these specific +security hardenings, and Microsoft is now planning to deploy them to all +supported Windows Server versions down to Windows Server 2008. + + +Who is affected? + +Samba installations acting as member servers in Windows AD domains will +be affected if they are configured to use the 'ad' idmapping backend. +Samba servers not using this configuration will not be affected by the +change – at least to our current knowledge and understanding of the +change – and no further action is required. + +Current versions of Samba with the affected configuration will no longer +function correctly once the Microsoft update has been applied. Users +will not be able to connect to the SMB service provided by Samba for any +domain configured to use the 'ad' idmapping backend. + +See https://bugzilla.samba.org/show_bug.cgi?id=15876. + + +Changes since 4.22.2 +-------------------- + +o Douglas Bagnall <[email protected]> + * BUG 15854: samba-tool cannot add user to group whose name is exactly 16 + characters long. 
+ +o Günther Deschner <[email protected]> + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Stefan Metzmacher <[email protected]> + * BUG 15876: Windows security hardening locks out schannel'ed netlogon dc + calls like netr_DsRGetDCName. + +o Andreas Schneider <[email protected]> + * BUG 15869: Startup messages of rpc deamons fills /var/log/messages. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + ============================== Release Notes for Samba 4.22.2 June 05, 2025 ============================== 
@@ -80,8 +165,7 @@ ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.22.1 April 17, 2025 diff -Nru samba-4.22.2+dfsg/debian/changelog samba-4.22.3+dfsg/debian/changelog --- samba-4.22.2+dfsg/debian/changelog 2025-06-05 19:12:34.000000000 +0300 +++ samba-4.22.3+dfsg/debian/changelog 2025-07-07 23:16:23.000000000 +0300 @@ -1,3 +1,21 @@ +samba (2:4.22.3+dfsg-1) unstable; urgency=medium + + * new upstream stable/bugfix release, mostly targetting the Jul-08 update + for Active Directory Domain Controllers + (https://bugzilla.samba.org/show_bug.cgi?id=15876, Closes: #1108904): + - https://bugzilla.samba.org/show_bug.cgi?id=15854: + samba-tool cannot add user to group whose name + is exactly 16 characters long + - https://bugzilla.samba.org/show_bug.cgi?id=15869: + Startup messages of rpc daemons fills /var/log/messages + - https://bugzilla.samba.org/show_bug.cgi?id=15876: + Windows security hardening locks out schannel'ed netlogon + dc calls like netr_DsRGetDCName + * update d/copyright to point to https://www.gnu.org/licenses/ + instead of FSF postal address + + -- Michael Tokarev <[email protected]> Mon, 07 Jul 2025 23:16:23 +0300 + samba (2:4.22.2+dfsg-1) unstable; urgency=medium * new upstream stable/bugfix release: diff -Nru samba-4.22.2+dfsg/debian/control samba-4.22.3+dfsg/debian/control --- samba-4.22.2+dfsg/debian/control 2025-06-05 18:53:51.000000000 +0300 +++ samba-4.22.3+dfsg/debian/control 2025-07-07 23:16:23.000000000 +0300 @@ -84,7 +84,7 @@ Pre-Depends: ${misc:Pre-Depends} Depends: passwd, procps, - samba-common (= ${source:Version}), + samba-common, samba-common-bin (=${binary:Version}), ${misc:Depends}, ${python3:Depends}, 
@@ -176,7 +176,7 @@ Package: samba-common-bin Architecture: any -Depends: samba-common (= ${source:Version}), +Depends: samba-common, ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends} @@ -258,7 +258,7 @@ Package: smbclient Architecture: any -Depends: samba-common (= ${source:Version}), +Depends: samba-common, samba-libs (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} @@ -476,7 +476,7 @@ Pre-Depends: ${misc:Pre-Depends} Architecture: any Multi-Arch: allowed -Depends: samba-common (= ${source:Version}), +Depends: samba-common, samba-common-bin (=${binary:Version}), # wbinfo (linked with libwbclient) which should use the same protocol libwbclient0 (=${binary:Version}), diff -Nru samba-4.22.2+dfsg/debian/copyright samba-4.22.3+dfsg/debian/copyright --- samba-4.22.2+dfsg/debian/copyright 2025-06-05 18:53:51.000000000 +0300 +++ samba-4.22.3+dfsg/debian/copyright 2025-07-07 23:16:23.000000000 +0300 @@ -90,8 +90,7 @@ GNU General Public License for more details. . You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + along with this program; If not, see https://www.gnu.org/licenses/. . On Debian systems, the full text of the GPL v3 can be found in /usr/share/common-licenses/GPL-3 diff -Nru samba-4.22.2+dfsg/lib/util/debug.c samba-4.22.3+dfsg/lib/util/debug.c --- samba-4.22.2+dfsg/lib/util/debug.c 2025-02-06 13:31:54.176146500 +0300 +++ samba-4.22.3+dfsg/lib/util/debug.c 2025-07-07 19:18:35.393030600 +0300 @@ -95,6 +95,7 @@ bool reopening_logs; bool schedule_reopen_logs; int forced_log_priority; + bool disable_syslog; struct debug_settings settings; debug_callback_fn callback; @@ -302,6 +303,10 @@ { int priority; + if (state.disable_syslog) { + return; + } + priority = debug_level_to_priority(msg_level); /* 
@@ -1124,6 +1129,16 @@ state.forced_log_priority = forced_log_priority; } +void debug_disable_syslog(void) +{ + state.disable_syslog = true; +} + +void debug_enable_syslog(void) +{ + state.disable_syslog = false; +} + /** * Ensure debug logs are initialised. * diff -Nru samba-4.22.2+dfsg/lib/util/debug.h samba-4.22.3+dfsg/lib/util/debug.h --- samba-4.22.2+dfsg/lib/util/debug.h 2025-02-06 13:31:54.176146500 +0300 +++ samba-4.22.3+dfsg/lib/util/debug.h 2025-07-07 19:18:35.393030600 +0300 @@ -276,9 +276,16 @@ #define DBGLVL_INFO 5 /* informational message */ #define DBGLVL_DEBUG 10 /* debug-level message */ +/* + * Logging to syslog will be disabled as messages on debug level 0 are always + * reported to syslog too. We don't want to clutter the syslog with startup + * messages from rpc on demand daemons. + */ #define DBG_STARTUP_NOTICE(...) do { \ debug_set_forced_log_priority(DBGLVL_NOTICE); \ + debug_disable_syslog(); \ D_ERR(__VA_ARGS__); \ + debug_enable_syslog(); \ debug_set_forced_log_priority(-1); \ } while(0) @@ -362,6 +369,8 @@ int syslog_level, bool syslog_only); void debug_set_hostname(const char *name); void debug_set_forced_log_priority(int forced_log_priority); +void debug_disable_syslog(void); +void debug_enable_syslog(void); bool reopen_logs_internal( void ); void force_check_log_size( void ); bool need_to_check_log_size( void ); diff -Nru samba-4.22.2+dfsg/python/samba/samdb.py samba-4.22.3+dfsg/python/samba/samdb.py --- samba-4.22.2+dfsg/python/samba/samdb.py 2025-02-06 13:31:54.316147300 +0300 +++ samba-4.22.3+dfsg/python/samba/samdb.py 2025-07-07 19:18:35.393030600 +0300 @@ -35,6 +35,7 @@ from samba.common import get_bytes, cmp from samba.dcerpc import security from samba import is_ad_dc_built +from samba import string_is_guid from samba import NTSTATUSError, ntstatus import binascii 
@@ -388,6 +389,13 @@ partial_groupfilter = None + # If <group> looks like a SID, GUID, or DN, we use it + # accordingly, otherwise as a name. + # + # Because misc.GUID() will read any 16 byte sequence as a + # binary guid, we need to be careful not to read 16 character + # names as GUIDs. + group_sid = None try: group_sid = security.dom_sid(group) @@ -397,7 +405,7 @@ partial_groupfilter = "(objectClass=*)" group_guid = None - if partial_groupfilter is None: + if partial_groupfilter is None and string_is_guid(group): try: group_guid = misc.GUID(group) except NTSTATUSError as e: diff -Nru samba-4.22.2+dfsg/python/samba/tests/samba_tool/group.py samba-4.22.3+dfsg/python/samba/tests/samba_tool/group.py --- samba-4.22.2+dfsg/python/samba/tests/samba_tool/group.py 2025-02-06 13:31:54.360147700 +0300 +++ samba-4.22.3+dfsg/python/samba/tests/samba_tool/group.py 2025-07-07 19:18:35.397030600 +0300 @@ -38,7 +38,8 @@ self.groups.append(self._randomGroup({"name": "testgroup1"})) self.groups.append(self._randomGroup({"name": "testgroup2"})) self.groups.append(self._randomGroup({"name": "testgroup3"})) - self.groups.append(self._randomGroup({"name": "testgroup4"})) + self.groups.append(self._randomGroup( + {"name": "16 character name for bug 15854"[:16]})) self.groups.append(self._randomGroup({"name": "testgroup5 (with brackets)"})) self.groups.append(self._randomPosixGroup({"name": "posixgroup1"})) self.groups.append(self._randomPosixGroup({"name": "posixgroup2"})) 
@@ -334,6 +335,20 @@ name = str(groupobj.get("dn", idx=0)) self.assertMatch(out, name, "group '%s' not found" % name) + def test_addmember(self): + groups = [g['name'] for g in self.groups] + for parent, child in zip(groups, groups[1:]): + (result, out, err) = self.runsubcmd( + "group", "addmembers", parent, child) + self.assertCmdSuccess(result, out, err) + + (result, out, err) = self.runsubcmd( + "group", "addmembers", groups[-1], ','.join(groups[:-1])) + self.assertCmdSuccess(result, out, err) + + (result, out, err) = self.runsubcmd( + "group", "addmembers", groups[0], "alice,bob") + self.assertCmdSuccess(result, out, err) def test_move(self): full_ou_dn = str(self.samdb.normalize_dn_in_domain("OU=movetest_grp")) diff -Nru samba-4.22.2+dfsg/source3/winbindd/wb_queryuser.c samba-4.22.3+dfsg/source3/winbindd/wb_queryuser.c --- samba-4.22.2+dfsg/source3/winbindd/wb_queryuser.c 2025-02-06 13:31:54.616149200 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/wb_queryuser.c 2025-07-07 19:18:35.397030600 +0300 @@ -289,10 +289,19 @@ if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n"); - subreq = wb_dsgetdcname_send( - state, state->ev, state->info->domain_name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->info->domain_name); + + D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " + "wb_dsgetdcname_send(%s)\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff -Nru samba-4.22.2+dfsg/source3/winbindd/wb_sids2xids.c samba-4.22.3+dfsg/source3/winbindd/wb_sids2xids.c --- samba-4.22.2+dfsg/source3/winbindd/wb_sids2xids.c 2025-02-06 13:31:54.616149200 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/wb_sids2xids.c 2025-07-07 19:18:35.397030600 +0300 
@@ -612,13 +612,22 @@ !state->tried_dclookup) { struct lsa_DomainInfo *d; + const char *domain_name = NULL; - D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n"); d = &state->idmap_doms.domains[state->dom_index]; - subreq = wb_dsgetdcname_send( - state, state->ev, d->name.string, NULL, NULL, - DS_RETURN_DNS_NAME); + domain_name = find_dns_domain_name(d->name.string); + + D_DEBUG("Domain controller not found. Calling " + "wb_dsgetdcname_send(%s) to get it.\n", + domain_name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff -Nru samba-4.22.2+dfsg/source3/winbindd/wb_xids2sids.c samba-4.22.3+dfsg/source3/winbindd/wb_xids2sids.c --- samba-4.22.2+dfsg/source3/winbindd/wb_xids2sids.c 2025-02-06 13:31:54.616149200 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/wb_xids2sids.c 2025-07-07 19:18:35.397030600 +0300 @@ -143,9 +143,15 @@ if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && !state->tried_dclookup) { - subreq = wb_dsgetdcname_send( - state, state->ev, state->dom_map->name, NULL, NULL, - DS_RETURN_DNS_NAME); + const char *domain_name = find_dns_domain_name( + state->dom_map->name); + + subreq = wb_dsgetdcname_send(state, + state->ev, + domain_name, + NULL, + NULL, + DS_RETURN_DNS_NAME); if (tevent_req_nomem(subreq, req)) { return; } diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_cm.c samba-4.22.3+dfsg/source3/winbindd/winbindd_cm.c --- samba-4.22.2+dfsg/source3/winbindd/winbindd_cm.c 2025-02-20 15:58:50.541505000 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/winbindd_cm.c 2025-07-07 19:18:35.401030500 +0300 
@@ -475,140 +475,6 @@ return ret; } -static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, - fstring dcname, - struct sockaddr_storage *dc_ss, - uint32_t request_flags) -{ - struct winbindd_domain *our_domain = NULL; - struct rpc_pipe_client *netlogon_pipe = NULL; - NTSTATUS result; - WERROR werr; - TALLOC_CTX *mem_ctx; - unsigned int orig_timeout; - const char *tmp = NULL; - const char *p; - struct dcerpc_binding_handle *b; - - /* Hmmmm. We can only open one connection to the NETLOGON pipe at the - * moment.... */ - - if (IS_DC) { - return False; - } - - if (domain->primary) { - return False; - } - - our_domain = find_our_domain(); - - if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { - return False; - } - - result = cm_connect_netlogon(our_domain, &netlogon_pipe); - if (!NT_STATUS_IS_OK(result)) { - talloc_destroy(mem_ctx); - return False; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (our_domain->active_directory) { - struct netr_DsRGetDCNameInfo *domain_info = NULL; - - /* - * TODO request flags are not respected in the server - * (and in some cases, like REQUIRE_PDC, causes an error) - */ - result = dcerpc_netr_DsRGetDCName(b, - mem_ctx, - our_domain->dcname, - domain->name, - NULL, - NULL, - request_flags|DS_RETURN_DNS_NAME, - &domain_info, - &werr); - if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { - tmp = talloc_strdup( - mem_ctx, domain_info->dc_unc); - if (tmp == NULL) { - DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", - domain_info->dc_unc); - talloc_destroy(mem_ctx); - return false; - } - if (domain->alt_name == NULL) { - domain->alt_name = talloc_strdup(domain, - domain_info->domain_name); - if (domain->alt_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->domain_name[%s]\n", - domain_info->domain_name); - talloc_destroy(mem_ctx); - return false; - } - } - if (domain->forest_name == NULL) { - domain->forest_name = talloc_strdup(domain, - domain_info->forest_name); - if (domain->forest_name == NULL) { - DBG_ERR("talloc_strdup failed for " - "domain_info->forest_name[%s]\n", - domain_info->forest_name); - talloc_destroy(mem_ctx); - return false; - } - } - } - } else { - result = dcerpc_netr_GetAnyDCName(b, mem_ctx, - our_domain->dcname, - domain->name, - &tmp, - &werr); - } - - /* And restore our original timeout. 
*/ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - nt_errstr(result))); - talloc_destroy(mem_ctx); - return false; - } - - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", - win_errstr(werr))); - talloc_destroy(mem_ctx); - return false; - } - - /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ - p = strip_hostname(tmp); - - fstrcpy(dcname, p); - - talloc_destroy(mem_ctx); - - DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); - - if (!resolve_name(dcname, dc_ss, 0x20, true)) { - return False; - } - - return True; -} - /** * Helper function to assemble trust password and account name */ @@ -1307,24 +1173,8 @@ struct samba_sockaddr *sa_list = NULL; size_t salist_size = 0; size_t i; - bool is_our_domain; enum security_types sec = (enum security_types)lp_security(); - is_our_domain = strequal(domain->name, lp_workgroup()); - - /* If not our domain, get the preferred DC, by asking our primary DC */ - if ( !is_our_domain - && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) - && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, - num_dcs) ) - { - char addr[INET6_ADDRSTRLEN]; - print_sockaddr(addr, sizeof(addr), &ss); - DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", - dcname, addr)); - return True; - } - if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { char *sitename = NULL; diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_dual.c samba-4.22.3+dfsg/source3/winbindd/winbindd_dual.c --- samba-4.22.2+dfsg/source3/winbindd/winbindd_dual.c 2025-02-06 13:31:54.620149100 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/winbindd_dual.c 2025-07-07 19:18:35.405030700 +0300 
@@ -532,6 +532,7 @@ struct wb_domain_request_state *state = tevent_req_data( req, struct wb_domain_request_state); struct winbindd_domain *domain = state->domain; + const char *domain_name = NULL; struct tevent_req *subreq = NULL; size_t shortest_queue_length; @@ -604,8 +605,11 @@ * which is indicated by DS_RETURN_DNS_NAME. * For NT4 domains we still get the netbios name. */ + + domain_name = find_dns_domain_name(state->domain->name); + subreq = wb_dsgetdcname_send(state, state->ev, - state->domain->name, + domain_name, NULL, /* domain_guid */ NULL, /* site_name */ DS_RETURN_DNS_NAME); /* flags */ diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_dual_srv.c samba-4.22.3+dfsg/source3/winbindd/winbindd_dual_srv.c --- samba-4.22.2+dfsg/source3/winbindd/winbindd_dual_srv.c 2025-02-06 13:31:54.620149100 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/winbindd_dual_srv.c 2025-07-07 19:18:35.405030700 +0300 
@@ -660,106 +660,11 @@ NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) { - struct winbindd_domain *domain = wb_child_domain(); - struct rpc_pipe_client *netlogon_pipe; - struct netr_DsRGetDCNameInfo *dc_info; - NTSTATUS status; - WERROR werr; - unsigned int orig_timeout; - struct dcerpc_binding_handle *b; - bool retry = false; - bool try_dsrgetdcname = false; - - if (domain == NULL) { - return dsgetdcname(p->mem_ctx, global_messaging_context(), - r->in.domain_name, r->in.domain_guid, - r->in.site_name ? r->in.site_name : "", - r->in.flags, - r->out.dc_info); - } - - if (domain->active_directory) { - try_dsrgetdcname = true; - } - -reconnect: - status = cm_connect_netlogon(domain, &netlogon_pipe); - - reset_cm_connection_on_error(domain, NULL, status); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("Can't contact the NETLOGON pipe\n")); - return status; - } - - b = netlogon_pipe->binding_handle; - - /* This call can take a long time - allow the server to time out. - 35 seconds should do it. 
*/ - - orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); - - if (try_dsrgetdcname) { - status = dcerpc_netr_DsRGetDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, NULL, r->in.domain_guid, - r->in.flags, r->out.dc_info, &werr); - if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { - goto done; - } - if (!retry && - reset_cm_connection_on_error(domain, NULL, status)) - { - retry = true; - goto reconnect; - } - try_dsrgetdcname = false; - retry = false; - } - - /* - * Fallback to less capable methods - */ - - dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); - if (dc_info == NULL) { - status = NT_STATUS_NO_MEMORY; - goto done; - } - - if (r->in.flags & DS_PDC_REQUIRED) { - status = dcerpc_netr_GetDcName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } else { - status = dcerpc_netr_GetAnyDCName(b, - p->mem_ctx, domain->dcname, - r->in.domain_name, &dc_info->dc_unc, &werr); - } - - if (!retry && reset_cm_connection_on_error(domain, b, status)) { - retry = true; - goto reconnect; - } - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - nt_errstr(status))); - goto done; - } - if (!W_ERROR_IS_OK(werr)) { - DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", - win_errstr(werr))); - status = werror_to_ntstatus(werr); - goto done; - } - - *r->out.dc_info = dc_info; - status = NT_STATUS_OK; - -done: - /* And restore our original timeout. */ - rpccli_set_timeout(netlogon_pipe, orig_timeout); - - return status; + return dsgetdcname(p->mem_ctx, global_messaging_context(), + r->in.domain_name, r->in.domain_guid, + r->in.site_name ? 
r->in.site_name : "", + r->in.flags, + r->out.dc_info); } NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_proto.h samba-4.22.3+dfsg/source3/winbindd/winbindd_proto.h --- samba-4.22.2+dfsg/source3/winbindd/winbindd_proto.h 2025-02-06 13:31:54.624149000 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/winbindd_proto.h 2025-07-07 19:18:35.405030700 +0300 @@ -608,6 +608,7 @@ struct dom_sid **sids, uint32_t *num_sids); bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, struct unixid **pxids, uint32_t *pnum_xids); +const char *find_dns_domain_name(const char *domain_name); /* The following definitions come from winbindd/winbindd_wins.c */ diff -Nru samba-4.22.2+dfsg/source3/winbindd/winbindd_util.c samba-4.22.3+dfsg/source3/winbindd/winbindd_util.c --- samba-4.22.2+dfsg/source3/winbindd/winbindd_util.c 2025-02-06 13:31:54.624149000 +0300 +++ samba-4.22.3+dfsg/source3/winbindd/winbindd_util.c 2025-07-07 19:18:35.409030700 +0300 @@ -2230,3 +2230,22 @@ TALLOC_FREE(xids); return false; } + +/** + * Helper to extract the DNS Domain Name from a struct winbindd_domain + */ +const char *find_dns_domain_name(const char *domain_name) +{ + struct winbindd_domain *wbdom = NULL; + + wbdom = find_domain_from_name(domain_name); + if (wbdom == NULL) { + return domain_name; + } + + if (wbdom->active_directory && wbdom->alt_name != NULL) { + return wbdom->alt_name; + } + + return wbdom->name; +}
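
Review bot: The four Depends fields touched in debian/control (hunks at -84, -176, -258 and -476) lose the version constraint on samba-common, going from `samba-common (= ${source:Version})` to a bare `samba-common`, but the new 2:4.22.3+dfsg-1 changelog entry lists only the upstream bug fixes and the d/copyright update. Please either add a changelog line explaining why the constraint is relaxed or restore it; as written, nothing in the package relationships keeps samba-common at the same source version as the binaries that depend on it.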
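
Review bot: In the DBG_STARTUP_NOTICE macro in lib/util/debug.h, `debug_enable_syslog();` after D_ERR() unconditionally clears state.disable_syslog instead of restoring the value the flag had before the macro ran, so any caller that had already called debug_disable_syslog() gets syslog switched back on as a side effect of a startup notice. Consider saving and restoring the previous value, or keeping the two setters file-local so the macro is the only user. The two new functions in debug.c also have no doc comment, unlike the `/** Ensure debug logs are initialised.` block that follows them; a short note that the flag is global to the debug state would help.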
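
Review bot: test_addmember in python/samba/tests/samba_tool/group.py checks only assertCmdSuccess for each addmembers call and never verifies that the membership was actually written, so a regression that resolves the 16-character group name to the wrong object but still exits successfully would pass. Suggest following at least the 16-character case with a `group listmembers` call and an assertion on its output. The last call adds "alice,bob" without the hunk showing where those accounts come from; a comment naming the fixture that provides them would make the test self-explanatory.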
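
Review bot: In source3/winbindd/wb_xids2sids.c the retry path computes domain_name via find_dns_domain_name() but, unlike the matching hunks in wb_queryuser.c and wb_sids2xids.c, emits no D_DEBUG line naming the domain passed to wb_dsgetdcname_send(). Adding the same message here would keep the three DOMAIN_CONTROLLER_NOT_FOUND retry paths consistent and make the name substitution visible in logs when diagnosing DC lookup failures.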
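
Review bot: The rewritten _wbint_DsGetDcName() in source3/winbindd/winbindd_dual_srv.c now always calls dsgetdcname() and drops the netr_GetDcName / netr_GetAnyDCName fallback, including the DS_PDC_REQUIRED branch, yet the unchanged comment in winbindd_dual.c still says "For NT4 domains we still get the netbios name." Please state in a comment (or the commit message) how non-AD domains and DS_PDC_REQUIRED requests are expected to be served after this change, since the removed code was the only place in this function that handled them.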

