The branch, v4-21-test has been updated
via 2a52c976070 s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in
gensec
via 7bf2051aadd s3:netlogon: IPA DC is the PDC as well - allow
ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
via 1c6b6494735 docs-xml: Make smb.conf 'server role' value consistent
with ROLE_IPA_DC in libparam
via a8e2ea60831 s3:winbindd: Resolve dc name using CLDAP also for
ROLE_IPA_DC
from 9ca7d637aae s3-net: fix "net ads kerberos" krb5ccname handling
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test
- Log -----------------------------------------------------------------
commit 2a52c97607031dab1dd9a14a9a057db99ea582b8
Author: Pavel Filipenský <[email protected]>
Date: Mon Aug 4 23:28:24 2025 +0200
s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in gensec
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Andreas Schneider <[email protected]>
Autobuild-Date(master): Tue Aug 5 14:51:51 UTC 2025 on atb-devel-224
(cherry picked from commit a4dff82e45308db3ccabac2a55c03d52f04d7b4d)
Autobuild-User(v4-21-test): Jule Anger <[email protected]>
Autobuild-Date(v4-21-test): Wed Aug 6 13:07:38 UTC 2025 on atb-devel-224
commit 7bf2051aadd45562d5e99b10b9eced96cb9592e3
Author: Pavel Filipenský <[email protected]>
Date: Mon Aug 4 23:26:02 2025 +0200
s3:netlogon: IPA DC is the PDC as well - allow ROLE_IPA_DC in
_netr_DsRGetForestTrustInformation()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2)
commit 1c6b6494735920ec01d1b252a3c8b9b7835c0c80
Author: Pavel Filipenský <[email protected]>
Date: Mon Aug 4 08:35:29 2025 +0200
docs-xml: Make smb.conf 'server role' value consistent with ROLE_IPA_DC in
libparam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit d88268102ade07fab345e04109818d97d8843a14)
commit a8e2ea60831fca3e5dc6efea3520cea60bffdf9a
Author: Pavel Filipenský <[email protected]>
Date: Wed Jul 23 15:09:21 2025 +0200
s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling
in dcip_check_name(). We should resolve the DC name using:
- CLDAP in dcip_check_name_ads()
instead of:
- NETBIOS in nbt_getdc() that fails if Windows is not providing netbios.
The impacted environment has:
domain->alt_name = example.com
domain->active_directory = 1
security = USER
server role = ROLE_IPA_DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský <[email protected]>
Signed-off-by: Andreas Schneider <[email protected]>
Pair-programmed-with: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
(cherry picked from commit 4921c3304e5e0480e5bb80a757b3f04b3b92c3b1)
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/serverrole.xml | 2 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 5 ++++-
source3/utils/ntlm_auth.c | 6 +++++-
source3/winbindd/winbindd_cm.c | 4 +++-
4 files changed, 13 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/serverrole.xml
b/docs-xml/smbdotconf/security/serverrole.xml
index 4ea4e4751ee..40244e125ce 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,7 +78,7 @@
url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4
HOWTO</ulink></para>
- <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN
CONTROLLER</emphasis></para>
+ <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA PRIMARY DOMAIN
CONTROLLER</emphasis></para>
<para>This mode of operation runs Samba in a hybrid mode for IPA
domain controller, providing forest trust to Active Directory.
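Review bot: The heading in the `<emphasis>` element now reads `IPA PRIMARY DOMAIN CONTROLLER`, but the paragraph directly under it still describes the mode as "IPA domain controller", and the hunk does not say what happens to an existing smb.conf that carries the old spelling. Suggest adding a sentence to the `<para>` stating whether `IPA DOMAIN CONTROLLER` is still accepted, so administrators reading the man page know whether they need to change their configuration.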
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index e5abcbdbd84..53ace9e2a46 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2655,7 +2655,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct
pipes_struct *p,
return WERR_INVALID_FLAGS;
}
- if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() !=
ROLE_DOMAIN_PDC)) {
+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) &&
+ (lp_server_role() != ROLE_DOMAIN_PDC) &&
+ (lp_server_role() != ROLE_IPA_DC))
+ {
p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
return WERR_NERR_NOTPRIMARY;
}
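Review bot: The widened `DS_GFTI_UPDATE_TDO` check has no comment explaining why `ROLE_IPA_DC` is treated as primary here; the rationale ("IPA DC is the PDC as well") lives only in the commit subject. Since this condition is what rejects a TDO update with `WERR_NERR_NOTPRIMARY`, a one-line comment above the `if` would help the next reader judge whether further roles belong in it. Reading `lp_server_role()` once into a local and comparing that would also keep the two role tests from drifting apart.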
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index e9b644724d9..df1484ecd21 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1355,7 +1355,11 @@ static NTSTATUS
ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx,
cli_credentials_set_conf(server_credentials, lp_ctx);
- if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() ==
SEC_ADS || USE_KERBEROS_KEYTAB) {
+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC ||
+ lp_server_role() == ROLE_IPA_DC ||
+ lp_security() == SEC_ADS ||
+ USE_KERBEROS_KEYTAB)
+ {
cli_credentials_set_kerberos_state(server_credentials,
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
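Review bot: The new `lp_server_role() == ROLE_IPA_DC` term in `ntlm_auth_prepare_gensec_server()` selects `CRED_USE_KERBEROS_DESIRED`, so Kerberos is preferred rather than mandatory for the IPA DC role, the same as for the other three terms. If that is the intended behaviour for an IPA DC, a short comment saying so would be useful; the condition now mixes two role checks, a security-mode check and the `USE_KERBEROS_KEYTAB` macro with nothing in the code explaining what they have in common.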
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 53800988306..bb2e4c0405d 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1089,7 +1089,9 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
is_ad_domain = true;
- } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC ||
+ lp_server_role() == ROLE_IPA_DC)
+ {
is_ad_domain = domain->active_directory;
}
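Review bot: The `else if` in `dcip_check_name()` now repeats the pair `ROLE_ACTIVE_DIRECTORY_DC || ROLE_IPA_DC` that also appears in the `ntlm_auth.c` hunk; a small shared helper for that test would keep the two call sites consistent if another role is added later. The commit message's explanation (CLDAP instead of NetBIOS for an IPA DC) is worth a brief comment at this branch as well, noting that the result still depends on `domain->active_directory`, so a domain not flagged as Active Directory is handled as before.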
--
Samba Shared Repository