From e259c6c4bb84129fb996d635078505bf017f9300 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?=
Date: Wed, 23 Jul 2025 15:09:21 +0200
Subject: [PATCH 1/4] s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling in dcip_check_name(). We should resolve the DC name using: - CLDAP in dcip_check_name_ads() instead of: - NETBIOS in nbt_getdc() that fails if Windows is not providing netbios. The impacted environment has: domain->alt_name = example.com domain->active_directory = 1 security = USER server role = ROLE_IPA_DC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský
Signed-off-by: Andreas Schneider
Pair-programmed-with: Andreas Schneider
Reviewed-by: Alexander Bokovoy
(cherry picked from commit 4921c3304e5e0480e5bb80a757b3f04b3b92c3b1)
---
 source3/winbindd/winbindd_cm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 741761f606b..a14f42001e9 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1098,7 +1098,9 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
 if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
 is_ad_domain = true;
- } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+ } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_server_role() == ROLE_IPA_DC)
+ {
 is_ad_domain = domain->active_directory;
 }
--
2.50.1
From 9adbba3fc68f1f04abaf8e9877795699f72cd9d1 Mon Sep 17 00:00:00 2001
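Review bot: The new `else if` arm calls `lp_server_role()` twice, and the same hand-written `ROLE_ACTIVE_DIRECTORY_DC`/`ROLE_IPA_DC` pairing recurs in the srv_netlog_nt.c and ntlm_auth.c hunks of this series (as a `!=` pair and inside a four-way `||`), so a third role would have to be added in three places. Reading the role once, `int role = lp_server_role();` (or whatever type the function returns), and testing `role == ROLE_ACTIVE_DIRECTORY_DC || role == ROLE_IPA_DC` keeps each site to one call, and a small shared predicate would turn future additions into a single change. The arm also deserves a why-comment, because an IPA DC is otherwise not an AD DC: `/* An IPA DC resolves AD DCs via CLDAP like an AD DC; the NetBIOS lookup fails when Windows provides no netbios (bug 15891). */`. Note that the branch still assigns `domain->active_directory`, so the CLDAP path is taken only for domains already flagged as AD, which matches the `active_directory = 1`, `security = USER` environment in the commit message. dcip_check_name() starts before the hunk and continues after it, so the code that consumes `is_ad_domain` is not visible here.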
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?=
Date: Mon, 4 Aug 2025 08:35:29 +0200
Subject: [PATCH 2/4] docs-xml: Make smb.conf 'server role' value consistent with ROLE_IPA_DC in libparam
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský
Reviewed-by: Alexander Bokovoy
Reviewed-by: Andreas Schneider
(cherry picked from commit d88268102ade07fab345e04109818d97d8843a14)
---
 docs-xml/smbdotconf/security/serverrole.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
index 4ea4e4751ee..40244e125ce 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,7 +78,7 @@ url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4 HOWTO
- SERVER ROLE = IPA DOMAIN CONTROLLER
+ SERVER ROLE = IPA PRIMARY DOMAIN CONTROLLER
 This mode of operation runs Samba in a hybrid mode for IPA domain controller, providing forest trust to Active Directory.
--
2.50.1
From 4802593cc90a690c48d8b7c820a20386f51d3092 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?=
Date: Mon, 4 Aug 2025 23:26:02 +0200
Subject: [PATCH 3/4] s3:netlogon: IPA DC is the PDC as well - allow ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský
Reviewed-by: Alexander Bokovoy
Reviewed-by: Andreas Schneider
(cherry picked from commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2)
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 896e4e60d5a..c3759a558ca 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2655,7 +2655,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
 return WERR_INVALID_FLAGS;
 }
- if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) {
+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC) && (lp_server_role() != ROLE_IPA_DC))
+ {
 p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
 return WERR_NERR_NOTPRIMARY;
 }
--
2.50.1
From e742e3ebfddd1cc0028f5da4b7c78f60ffd03de9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?=
Date: Mon, 4 Aug 2025 23:28:24 +0200
Subject: [PATCH 4/4] s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in gensec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
Signed-off-by: Pavel Filipenský
Reviewed-by: Alexander Bokovoy
Reviewed-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Tue Aug 5 14:51:51 UTC 2025 on atb-devel-224
(cherry picked from commit a4dff82e45308db3ccabac2a55c03d52f04d7b4d)
---
 source3/utils/ntlm_auth.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 905f33840b1..d39956c3bee 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1355,7 +1355,11 @@ static NTSTATUS ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx,
 cli_credentials_set_conf(server_credentials, lp_ctx);
- if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
+ if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_server_role() == ROLE_IPA_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB)
+ {
 cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED, CRED_SPECIFIED);
--
2.50.1
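Review bot: Admitting `ROLE_IPA_DC` to the `DS_GFTI_UPDATE_TDO` branch means an IPA DC now proceeds with a trusted-domain-object update where it previously answered `WERR_NERR_NOTPRIMARY`, and the hunk shows only this role gate, not the caller checks; since a role test is not an access check, the authorization that _netr_DsRGetForestTrustInformation() applies outside the hunk should be confirmed to cover the IPA case exactly as it does the PDC case. The rationale from the subject line ("IPA DC is the PDC as well") belongs on the code, because nothing in the condition says why a second role is exempt: `/* Only the PDC may update the TDO; an IPA DC is the PDC of its domain (bug 15891). */`. The function begins before the hunk and continues after it.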
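Review bot: The added `lp_server_role() == ROLE_IPA_DC` term puts IPA DCs on `CRED_USE_KERBEROS_DESIRED` for the gensec server credentials without a comment saying why, and the subject line only says "allow"; a reader has to guess that an IPA DC, like an AD DC, is expected to have a keytab for the server principal, which nothing in the hunk shows. A one-line comment above the `if` would record that expectation: `/* AD and IPA DCs are expected to carry a keytab, so prefer Kerberos on the server side. */`. With DESIRED rather than a required setting, a missing keytab should presumably still fall back, but that fallback is outside the hunk and worth confirming for the IPA deployment described in the series. ntlm_auth_prepare_gensec_server() starts before the hunk and continues after it.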