From 79c743233c6beb744fe56f8b67f0d18ea84f7fa8 Mon Sep 17 00:00:00 2001 From: Andy Zaugg Date: Fri, 10 Oct 2025 20:13:31 +0000 Subject: [PATCH 1/3] Fix samba-winbind netlogon issues A change to windows domain controllers prevents winbind from auth againt them, backporting fixes from 4.22 branch to address this in mariner2 --- SPECS-EXTENDED/samba/cve-patch.patch | 466 +++++++++++++++++++++++++++ SPECS-EXTENDED/samba/samba.spec | 8 +- 2 files changed, 473 insertions(+), 1 deletion(-) create mode 100644 SPECS-EXTENDED/samba/cve-patch.patch diff --git a/SPECS-EXTENDED/samba/cve-patch.patch b/SPECS-EXTENDED/samba/cve-patch.patch new file mode 100644 index 00000000000..1bd51a961af --- /dev/null +++ b/SPECS-EXTENDED/samba/cve-patch.patch @@ -0,0 +1,466 @@ +commit 46390f65909df6a70355bea00787fc853dc33957 +Author: Günther Deschner +Date: Wed Jul 2 21:59:48 2025 +0200 + + s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name + + when winbind calls to dsgetdcname internally, make sure to + prefer the DNS domain name if we have it. Makes DNS lookups much more + likely to succeed. + + BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + + Guenther + + Signed-off-by: Guenther Deschner + Reviewed-by: Andreas Schneider + Reviewed-by: Ralph Boehme + + Autobuild-User(master): Ralph Böhme + Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224 + +diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c +index 2eb61406fc5..468eb5a50b8 100644 +--- a/source3/winbindd/wb_queryuser.c ++++ b/source3/winbindd/wb_queryuser.c +@@ -215,9 +215,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) + + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->info->domain_name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->info->domain_name); ++ ++ D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " ++ "wb_dsgetdcname_send(%s)\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c +index 7ab8dd133fd..4c4af782205 100644 +--- a/source3/winbindd/wb_sids2xids.c ++++ b/source3/winbindd/wb_sids2xids.c +@@ -306,12 +306,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) + !state->tried_dclookup) { + + struct lsa_DomainInfo *d; ++ const char *domain_name = NULL; + + d = &state->idmap_doms.domains[state->dom_index]; + +- subreq = wb_dsgetdcname_send( +- state, state->ev, d->name.string, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ domain_name = find_dns_domain_name(d->name.string); ++ ++ D_DEBUG("Domain controller not found. Calling " ++ "wb_dsgetdcname_send(%s) to get it.\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c +index 929a3b8e425..9557a097e2a 100644 +--- a/source3/winbindd/wb_xids2sids.c ++++ b/source3/winbindd/wb_xids2sids.c +@@ -348,9 +348,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { + +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->dom_map->name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->dom_map->name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c +index 73715b4b57d..8a480bdad87 100644 +--- a/source3/winbindd/winbindd_dual.c ++++ b/source3/winbindd/winbindd_dual.c +@@ -523,6 +523,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, + struct wb_domain_request_state *state = tevent_req_data( + req, struct wb_domain_request_state); + struct winbindd_domain *domain = state->domain; ++ const char *domain_name = NULL; + struct tevent_req *subreq = NULL; + size_t shortest_queue_length; + +@@ -593,8 +594,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, + * which is indicated by DS_RETURN_DNS_NAME. + * For NT4 domains we still get the netbios name. + */ ++ ++ domain_name = find_dns_domain_name(state->domain->name); ++ + subreq = wb_dsgetdcname_send(state, state->ev, +- state->domain->name, ++ domain_name, + NULL, /* domain_guid */ + NULL, /* site_name */ + DS_RETURN_DNS_NAME); /* flags */ +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index 2a829b0171a..7afa85fdfba 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -529,6 +529,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, + struct dom_sid **sids, uint32_t *num_sids); + bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, + struct unixid **pxids, uint32_t *pnum_xids); ++const char *find_dns_domain_name(const char *domain_name); + + /* The following definitions come from winbindd/winbindd_wins.c */ + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index c2f02b74211..2e03c708de6 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -2225,3 +2225,22 @@ fail: + TALLOC_FREE(xids); + return false; + } ++ ++/** ++ * Helper to extract the DNS Domain Name from a struct winbindd_domain ++ */ ++const char *find_dns_domain_name(const char *domain_name) ++{ ++ struct winbindd_domain *wbdom = NULL; ++ ++ wbdom = find_domain_from_name(domain_name); ++ if (wbdom == NULL) { ++ return domain_name; ++ } ++ ++ if (wbdom->active_directory && wbdom->alt_name != NULL) { ++ return wbdom->alt_name; ++ } ++ ++ return wbdom->name; ++} + +commit b93c03c67724f9efd5023bfe37af92e33a0a2b5d +Author: Stefan Metzmacher +Date: Fri May 9 09:38:41 2025 +0200 + + s3:winbindd: avoid using any netlogon call to get a dc name + + BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + + Signed-off-by: Stefan Metzmacher + Reviewed-by: Guenther Deschner + Reviewed-by: Andreas Schneider + Reviewed-by: Ralph Boehme + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 0e671ca22be..d487d264dfe 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -776,135 +776,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) + return ret; + } + +-static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, +- fstring dcname, +- struct sockaddr_storage *dc_ss, +- uint32_t request_flags) +-{ +- struct winbindd_domain *our_domain = NULL; +- struct rpc_pipe_client *netlogon_pipe = NULL; +- NTSTATUS result; +- WERROR werr; +- TALLOC_CTX *mem_ctx; +- unsigned int orig_timeout; +- const char *tmp = NULL; +- const char *p; +- struct dcerpc_binding_handle *b; +- +- /* Hmmmm. We can only open one connection to the NETLOGON pipe at the +- * moment.... */ +- +- if (IS_DC) { +- return False; +- } +- +- if (domain->primary) { +- return False; +- } +- +- our_domain = find_our_domain(); +- +- if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { +- return False; +- } +- +- result = cm_connect_netlogon(our_domain, &netlogon_pipe); +- if (!NT_STATUS_IS_OK(result)) { +- talloc_destroy(mem_ctx); +- return False; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. */ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (our_domain->active_directory) { +- struct netr_DsRGetDCNameInfo *domain_info = NULL; +- +- /* +- * TODO request flags are not respected in the server +- * (and in some cases, like REQUIRE_PDC, causes an error) +- */ +- result = dcerpc_netr_DsRGetDCName(b, +- mem_ctx, +- our_domain->dcname, +- domain->name, +- NULL, +- NULL, +- request_flags|DS_RETURN_DNS_NAME, +- &domain_info, +- &werr); +- if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { +- tmp = talloc_strdup( +- mem_ctx, domain_info->dc_unc); +- if (tmp == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); +- talloc_destroy(mem_ctx); +- return false; +- } +- if (domain->alt_name == NULL) { +- domain->alt_name = talloc_strdup(domain, +- domain_info->domain_name); +- if (domain->alt_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- if (domain->forest_name == NULL) { +- domain->forest_name = talloc_strdup(domain, +- domain_info->forest_name); +- if (domain->forest_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- } +- } else { +- result = dcerpc_netr_GetAnyDCName(b, mem_ctx, +- our_domain->dcname, +- domain->name, +- &tmp, +- &werr); +- } +- +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- if (!NT_STATUS_IS_OK(result)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- nt_errstr(result))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- win_errstr(werr))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ +- p = strip_hostname(tmp); +- +- fstrcpy(dcname, p); +- +- talloc_destroy(mem_ctx); +- +- DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); +- +- if (!resolve_name(dcname, dc_ss, 0x20, true)) { +- return False; +- } +- +- return True; +-} +- + /** + * Helper function to assemble trust password and account name + */ +@@ -1530,27 +1401,11 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, + { + fstring dcname; + struct sockaddr_storage ss; +- struct ip_service *ip_list = NULL; +- int iplist_size = 0; +- int i; +- bool is_our_domain; ++ struct samba_sockaddr *sa_list = NULL; ++ size_t salist_size = 0; ++ size_t i; + enum security_types sec = (enum security_types)lp_security(); + +- is_our_domain = strequal(domain->name, lp_workgroup()); +- +- /* If not our domain, get the preferred DC, by asking our primary DC */ +- if ( !is_our_domain +- && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) +- && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, +- num_dcs) ) +- { +- char addr[INET6_ADDRSTRLEN]; +- print_sockaddr(addr, sizeof(addr), &ss); +- DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", +- dcname, addr)); +- return True; +- } +- + if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { + char *sitename = NULL; + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index 13345caa41b..fccc1f0aff5 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -552,106 +552,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, + + NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) + { +- struct winbindd_domain *domain = wb_child_domain(); +- struct rpc_pipe_client *netlogon_pipe; +- struct netr_DsRGetDCNameInfo *dc_info; +- NTSTATUS status; +- WERROR werr; +- unsigned int orig_timeout; +- struct dcerpc_binding_handle *b; +- bool retry = false; +- bool try_dsrgetdcname = false; +- +- if (domain == NULL) { +- return dsgetdcname(p->mem_ctx, global_messaging_context(), +- r->in.domain_name, r->in.domain_guid, +- r->in.site_name ? r->in.site_name : "", +- r->in.flags, +- r->out.dc_info); +- } +- +- if (domain->active_directory) { +- try_dsrgetdcname = true; +- } +- +-reconnect: +- status = cm_connect_netlogon(domain, &netlogon_pipe); +- +- reset_cm_connection_on_error(domain, NULL, status); +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("Can't contact the NETLOGON pipe\n")); +- return status; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. */ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (try_dsrgetdcname) { +- status = dcerpc_netr_DsRGetDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, NULL, r->in.domain_guid, +- r->in.flags, r->out.dc_info, &werr); +- if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { +- goto done; +- } +- if (!retry && +- reset_cm_connection_on_error(domain, NULL, status)) +- { +- retry = true; +- goto reconnect; +- } +- try_dsrgetdcname = false; +- retry = false; +- } +- +- /* +- * Fallback to less capable methods +- */ +- +- dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); +- if (dc_info == NULL) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- +- if (r->in.flags & DS_PDC_REQUIRED) { +- status = dcerpc_netr_GetDcName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } else { +- status = dcerpc_netr_GetAnyDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } +- +- if (!retry && reset_cm_connection_on_error(domain, b, status)) { +- retry = true; +- goto reconnect; +- } +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- nt_errstr(status))); +- goto done; +- } +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- win_errstr(werr))); +- status = werror_to_ntstatus(werr); +- goto done; +- } +- +- *r->out.dc_info = dc_info; +- status = NT_STATUS_OK; +- +-done: +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- return status; ++ return dsgetdcname(p->mem_ctx, global_messaging_context(), ++ r->in.domain_name, r->in.domain_guid, ++ r->in.site_name ? r->in.site_name : "", ++ r->in.flags, ++ r->out.dc_info); + } + + NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) diff --git a/SPECS-EXTENDED/samba/samba.spec b/SPECS-EXTENDED/samba/samba.spec index 635c17153e0..8e579128fd8 100644 --- a/SPECS-EXTENDED/samba/samba.spec +++ b/SPECS-EXTENDED/samba/samba.spec @@ -85,7 +85,7 @@ Name: samba Version: 4.12.5 -Release: 6%{?dist} +Release: 7%{?dist} %define samba_depver %{version}-%{release} @@ -247,6 +247,8 @@ BuildRequires: krb5-server >= %{required_mit_krb5} BuildRequires: bind %endif +Patch0: netlogon-fixes.patch + # filter out perl requirements pulled in from examples in the docdir. %global __requires_exclude_from ^%{_docdir}/.*$ %global __provides_exclude_from ^%{_docdir}/.*$ @@ -796,6 +798,7 @@ and use CTDB instead. %prep +%autosetup -p1 xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %autosetup -n samba-%{version}%{pre_release} -p1 # Remove `xsltproc` binary if installed. This is only used for docs, which we do not build @@ -3438,6 +3441,9 @@ fi %endif %changelog +* Fri Oct 10 2025 Andy Zaugg - 4.12.5-7 +- Fix winbind netlogon issue with Windows security update 2025 + * Wed Apr 17 2024 Andrew Phelps - 4.12.5-6 - Fix build issue with docs by removing xsltproc From 3d69663c23efc417eb2202c3a4b44f0df443b976 Mon Sep 17 00:00:00 2001 From: Andy Zaugg Date: Tue, 14 Oct 2025 13:30:47 +0000 Subject: [PATCH 2/3] Updating patch name --- .../samba/CVE-2025-49716-netlogon.patch | 457 ++++++++++++++++++ SPECS-EXTENDED/samba/samba.spec | 4 +- 2 files changed, 459 insertions(+), 2 deletions(-) create mode 100644 SPECS-EXTENDED/samba/CVE-2025-49716-netlogon.patch diff --git a/SPECS-EXTENDED/samba/CVE-2025-49716-netlogon.patch b/SPECS-EXTENDED/samba/CVE-2025-49716-netlogon.patch new file mode 100644 index 00000000000..73c3f26f1e0 --- /dev/null +++ b/SPECS-EXTENDED/samba/CVE-2025-49716-netlogon.patch @@ -0,0 +1,457 @@ +commit da31286de98918b4a3269bd3723df619ca788018 +Author: Günther Deschner +Date: Wed Jul 2 21:59:48 2025 +0200 + + s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name + + when winbind calls to dsgetdcname internally, make sure to + prefer the DNS domain name if we have it. Makes DNS lookups much more + likely to succeed. + + BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + + Guenther + + Signed-off-by: Guenther Deschner + Reviewed-by: Andreas Schneider + Reviewed-by: Ralph Boehme + + Autobuild-User(master): Ralph Böhme + Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224 + +diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c +index 2eb61406fc5..468eb5a50b8 100644 +--- a/source3/winbindd/wb_queryuser.c ++++ b/source3/winbindd/wb_queryuser.c +@@ -215,9 +215,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) + + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->info->domain_name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->info->domain_name); ++ ++ D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " ++ "wb_dsgetdcname_send(%s)\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c +index 7ab8dd133fd..4c4af782205 100644 +--- a/source3/winbindd/wb_sids2xids.c ++++ b/source3/winbindd/wb_sids2xids.c +@@ -306,12 +306,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) + !state->tried_dclookup) { + + struct lsa_DomainInfo *d; ++ const char *domain_name = NULL; + + d = &state->idmap_doms.domains[state->dom_index]; + +- subreq = wb_dsgetdcname_send( +- state, state->ev, d->name.string, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ domain_name = find_dns_domain_name(d->name.string); ++ ++ D_DEBUG("Domain controller not found. Calling " ++ "wb_dsgetdcname_send(%s) to get it.\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c +index 929a3b8e425..9557a097e2a 100644 +--- a/source3/winbindd/wb_xids2sids.c ++++ b/source3/winbindd/wb_xids2sids.c +@@ -348,9 +348,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { + +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->dom_map->name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->dom_map->name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c +index 73715b4b57d..8a480bdad87 100644 +--- a/source3/winbindd/winbindd_dual.c ++++ b/source3/winbindd/winbindd_dual.c +@@ -523,6 +523,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, + struct wb_domain_request_state *state = tevent_req_data( + req, struct wb_domain_request_state); + struct winbindd_domain *domain = state->domain; ++ const char *domain_name = NULL; + struct tevent_req *subreq = NULL; + size_t shortest_queue_length; + +@@ -593,8 +594,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, + * which is indicated by DS_RETURN_DNS_NAME. + * For NT4 domains we still get the netbios name. + */ ++ ++ domain_name = find_dns_domain_name(state->domain->name); ++ + subreq = wb_dsgetdcname_send(state, state->ev, +- state->domain->name, ++ domain_name, + NULL, /* domain_guid */ + NULL, /* site_name */ + DS_RETURN_DNS_NAME); /* flags */ +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index 2a829b0171a..7afa85fdfba 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -529,6 +529,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, + struct dom_sid **sids, uint32_t *num_sids); + bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, + struct unixid **pxids, uint32_t *pnum_xids); ++const char *find_dns_domain_name(const char *domain_name); + + /* The following definitions come from winbindd/winbindd_wins.c */ + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index c2f02b74211..2e03c708de6 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -2225,3 +2225,22 @@ fail: + TALLOC_FREE(xids); + return false; + } ++ ++/** ++ * Helper to extract the DNS Domain Name from a struct winbindd_domain ++ */ ++const char *find_dns_domain_name(const char *domain_name) ++{ ++ struct winbindd_domain *wbdom = NULL; ++ ++ wbdom = find_domain_from_name(domain_name); ++ if (wbdom == NULL) { ++ return domain_name; ++ } ++ ++ if (wbdom->active_directory && wbdom->alt_name != NULL) { ++ return wbdom->alt_name; ++ } ++ ++ return wbdom->name; ++} + +commit 0a66a0ed2773f2456c1b70c4f91894085a49f790 +Author: Stefan Metzmacher +Date: Fri May 9 09:38:41 2025 +0200 + + s3:winbindd: avoid using any netlogon call to get a dc name + + BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + + Signed-off-by: Stefan Metzmacher + Reviewed-by: Guenther Deschner + Reviewed-by: Andreas Schneider + Reviewed-by: Ralph Boehme + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 0e671ca22be..13c29c0cdde 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -776,135 +776,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) + return ret; + } + +-static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, +- fstring dcname, +- struct sockaddr_storage *dc_ss, +- uint32_t request_flags) +-{ +- struct winbindd_domain *our_domain = NULL; +- struct rpc_pipe_client *netlogon_pipe = NULL; +- NTSTATUS result; +- WERROR werr; +- TALLOC_CTX *mem_ctx; +- unsigned int orig_timeout; +- const char *tmp = NULL; +- const char *p; +- struct dcerpc_binding_handle *b; +- +- /* Hmmmm. We can only open one connection to the NETLOGON pipe at the +- * moment.... */ +- +- if (IS_DC) { +- return False; +- } +- +- if (domain->primary) { +- return False; +- } +- +- our_domain = find_our_domain(); +- +- if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { +- return False; +- } +- +- result = cm_connect_netlogon(our_domain, &netlogon_pipe); +- if (!NT_STATUS_IS_OK(result)) { +- talloc_destroy(mem_ctx); +- return False; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. */ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (our_domain->active_directory) { +- struct netr_DsRGetDCNameInfo *domain_info = NULL; +- +- /* +- * TODO request flags are not respected in the server +- * (and in some cases, like REQUIRE_PDC, causes an error) +- */ +- result = dcerpc_netr_DsRGetDCName(b, +- mem_ctx, +- our_domain->dcname, +- domain->name, +- NULL, +- NULL, +- request_flags|DS_RETURN_DNS_NAME, +- &domain_info, +- &werr); +- if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { +- tmp = talloc_strdup( +- mem_ctx, domain_info->dc_unc); +- if (tmp == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); +- talloc_destroy(mem_ctx); +- return false; +- } +- if (domain->alt_name == NULL) { +- domain->alt_name = talloc_strdup(domain, +- domain_info->domain_name); +- if (domain->alt_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- if (domain->forest_name == NULL) { +- domain->forest_name = talloc_strdup(domain, +- domain_info->forest_name); +- if (domain->forest_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- } +- } else { +- result = dcerpc_netr_GetAnyDCName(b, mem_ctx, +- our_domain->dcname, +- domain->name, +- &tmp, +- &werr); +- } +- +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- if (!NT_STATUS_IS_OK(result)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- nt_errstr(result))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- win_errstr(werr))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ +- p = strip_hostname(tmp); +- +- fstrcpy(dcname, p); +- +- talloc_destroy(mem_ctx); +- +- DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); +- +- if (!resolve_name(dcname, dc_ss, 0x20, true)) { +- return False; +- } +- +- return True; +-} +- + /** + * Helper function to assemble trust password and account name + */ +@@ -1536,21 +1407,6 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, + bool is_our_domain; + enum security_types sec = (enum security_types)lp_security(); + +- is_our_domain = strequal(domain->name, lp_workgroup()); +- +- /* If not our domain, get the preferred DC, by asking our primary DC */ +- if ( !is_our_domain +- && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) +- && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, +- num_dcs) ) +- { +- char addr[INET6_ADDRSTRLEN]; +- print_sockaddr(addr, sizeof(addr), &ss); +- DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", +- dcname, addr)); +- return True; +- } +- + if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { + char *sitename = NULL; + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index 13345caa41b..fccc1f0aff5 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -552,106 +552,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, + + NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) + { +- struct winbindd_domain *domain = wb_child_domain(); +- struct rpc_pipe_client *netlogon_pipe; +- struct netr_DsRGetDCNameInfo *dc_info; +- NTSTATUS status; +- WERROR werr; +- unsigned int orig_timeout; +- struct dcerpc_binding_handle *b; +- bool retry = false; +- bool try_dsrgetdcname = false; +- +- if (domain == NULL) { +- return dsgetdcname(p->mem_ctx, global_messaging_context(), +- r->in.domain_name, r->in.domain_guid, +- r->in.site_name ? r->in.site_name : "", +- r->in.flags, +- r->out.dc_info); +- } +- +- if (domain->active_directory) { +- try_dsrgetdcname = true; +- } +- +-reconnect: +- status = cm_connect_netlogon(domain, &netlogon_pipe); +- +- reset_cm_connection_on_error(domain, NULL, status); +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("Can't contact the NETLOGON pipe\n")); +- return status; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. */ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (try_dsrgetdcname) { +- status = dcerpc_netr_DsRGetDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, NULL, r->in.domain_guid, +- r->in.flags, r->out.dc_info, &werr); +- if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { +- goto done; +- } +- if (!retry && +- reset_cm_connection_on_error(domain, NULL, status)) +- { +- retry = true; +- goto reconnect; +- } +- try_dsrgetdcname = false; +- retry = false; +- } +- +- /* +- * Fallback to less capable methods +- */ +- +- dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); +- if (dc_info == NULL) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- +- if (r->in.flags & DS_PDC_REQUIRED) { +- status = dcerpc_netr_GetDcName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } else { +- status = dcerpc_netr_GetAnyDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } +- +- if (!retry && reset_cm_connection_on_error(domain, b, status)) { +- retry = true; +- goto reconnect; +- } +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- nt_errstr(status))); +- goto done; +- } +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- win_errstr(werr))); +- status = werror_to_ntstatus(werr); +- goto done; +- } +- +- *r->out.dc_info = dc_info; +- status = NT_STATUS_OK; +- +-done: +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- return status; ++ return dsgetdcname(p->mem_ctx, global_messaging_context(), ++ r->in.domain_name, r->in.domain_guid, ++ r->in.site_name ? r->in.site_name : "", ++ r->in.flags, ++ r->out.dc_info); + } + + NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) diff --git a/SPECS-EXTENDED/samba/samba.spec b/SPECS-EXTENDED/samba/samba.spec index 8e579128fd8..cf40bae8489 100644 --- a/SPECS-EXTENDED/samba/samba.spec +++ b/SPECS-EXTENDED/samba/samba.spec @@ -247,7 +247,7 @@ BuildRequires: krb5-server >= %{required_mit_krb5} BuildRequires: bind %endif -Patch0: netlogon-fixes.patch +Patch0: CVE-2025-49716-netlogon.patch # filter out perl requirements pulled in from examples in the docdir. %global __requires_exclude_from ^%{_docdir}/.*$ @@ -3442,7 +3442,7 @@ fi %changelog * Fri Oct 10 2025 Andy Zaugg - 4.12.5-7 -- Fix winbind netlogon issue with Windows security update 2025 +- Fix winbind netlogon issue with Windows security update 2025 CVE-2025-49716 * Wed Apr 17 2024 Andrew Phelps - 4.12.5-6 - Fix build issue with docs by removing xsltproc From 5df08e4ed106f2751a5cd2ca51c68e7a6b7ff2e6 Mon Sep 17 00:00:00 2001 From: Andy Zaugg Date: Tue, 14 Oct 2025 13:31:34 +0000 Subject: [PATCH 3/3] removed old patch name --- SPECS-EXTENDED/samba/cve-patch.patch | 466 --------------------------- 1 file changed, 466 deletions(-) delete mode 100644 SPECS-EXTENDED/samba/cve-patch.patch diff --git a/SPECS-EXTENDED/samba/cve-patch.patch b/SPECS-EXTENDED/samba/cve-patch.patch deleted file mode 100644 index 1bd51a961af..00000000000 --- a/SPECS-EXTENDED/samba/cve-patch.patch +++ /dev/null @@ -1,466 +0,0 @@ -commit 46390f65909df6a70355bea00787fc853dc33957 -Author: Günther Deschner -Date: Wed Jul 2 21:59:48 2025 +0200 - - s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name - - when winbind calls to dsgetdcname internally, make sure to - prefer the DNS domain name if we have it. Makes DNS lookups much more - likely to succeed. - - BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 - - Guenther - - Signed-off-by: Guenther Deschner - Reviewed-by: Andreas Schneider - Reviewed-by: Ralph Boehme - - Autobuild-User(master): Ralph Böhme - Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224 - -diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c -index 2eb61406fc5..468eb5a50b8 100644 ---- a/source3/winbindd/wb_queryuser.c -+++ b/source3/winbindd/wb_queryuser.c -@@ -215,9 +215,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) - - if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && - !state->tried_dclookup) { -- subreq = wb_dsgetdcname_send( -- state, state->ev, state->info->domain_name, NULL, NULL, -- DS_RETURN_DNS_NAME); -+ const char *domain_name = find_dns_domain_name( -+ state->info->domain_name); -+ -+ D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " -+ "wb_dsgetdcname_send(%s)\n", -+ domain_name); -+ -+ subreq = wb_dsgetdcname_send(state, -+ state->ev, -+ domain_name, -+ NULL, -+ NULL, -+ DS_RETURN_DNS_NAME); - if (tevent_req_nomem(subreq, req)) { - return; - } -diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c -index 7ab8dd133fd..4c4af782205 100644 ---- a/source3/winbindd/wb_sids2xids.c -+++ b/source3/winbindd/wb_sids2xids.c -@@ -306,12 +306,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) - !state->tried_dclookup) { - - struct lsa_DomainInfo *d; -+ const char *domain_name = NULL; - - d = &state->idmap_doms.domains[state->dom_index]; - -- subreq = wb_dsgetdcname_send( -- state, state->ev, d->name.string, NULL, NULL, -- DS_RETURN_DNS_NAME); -+ domain_name = find_dns_domain_name(d->name.string); -+ -+ D_DEBUG("Domain controller not found. Calling " -+ "wb_dsgetdcname_send(%s) to get it.\n", -+ domain_name); -+ -+ subreq = wb_dsgetdcname_send(state, -+ state->ev, -+ domain_name, -+ NULL, -+ NULL, -+ DS_RETURN_DNS_NAME); - if (tevent_req_nomem(subreq, req)) { - return; - } -diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c -index 929a3b8e425..9557a097e2a 100644 ---- a/source3/winbindd/wb_xids2sids.c -+++ b/source3/winbindd/wb_xids2sids.c -@@ -348,9 +348,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) - if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && - !state->tried_dclookup) { - -- subreq = wb_dsgetdcname_send( -- state, state->ev, state->dom_map->name, NULL, NULL, -- DS_RETURN_DNS_NAME); -+ const char *domain_name = find_dns_domain_name( -+ state->dom_map->name); -+ -+ subreq = wb_dsgetdcname_send(state, -+ state->ev, -+ domain_name, -+ NULL, -+ NULL, -+ DS_RETURN_DNS_NAME); - if (tevent_req_nomem(subreq, req)) { - return; - } -diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c -index 73715b4b57d..8a480bdad87 100644 ---- a/source3/winbindd/winbindd_dual.c -+++ b/source3/winbindd/winbindd_dual.c -@@ -523,6 +523,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, - struct wb_domain_request_state *state = tevent_req_data( - req, struct wb_domain_request_state); - struct winbindd_domain *domain = state->domain; -+ const char *domain_name = NULL; - struct tevent_req *subreq = NULL; - size_t shortest_queue_length; - -@@ -593,8 +594,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, - * which is indicated by DS_RETURN_DNS_NAME. - * For NT4 domains we still get the netbios name. - */ -+ -+ domain_name = find_dns_domain_name(state->domain->name); -+ - subreq = wb_dsgetdcname_send(state, state->ev, -- state->domain->name, -+ domain_name, - NULL, /* domain_guid */ - NULL, /* site_name */ - DS_RETURN_DNS_NAME); /* flags */ -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h -index 2a829b0171a..7afa85fdfba 100644 ---- a/source3/winbindd/winbindd_proto.h -+++ b/source3/winbindd/winbindd_proto.h -@@ -529,6 +529,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, - struct dom_sid **sids, uint32_t *num_sids); - bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, - struct unixid **pxids, uint32_t *pnum_xids); -+const char *find_dns_domain_name(const char *domain_name); - - /* The following definitions come from winbindd/winbindd_wins.c */ - -diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c -index c2f02b74211..2e03c708de6 100644 ---- a/source3/winbindd/winbindd_util.c -+++ b/source3/winbindd/winbindd_util.c -@@ -2225,3 +2225,22 @@ fail: - TALLOC_FREE(xids); - return false; - } -+ -+/** -+ * Helper to extract the DNS Domain Name from a struct winbindd_domain -+ */ -+const char *find_dns_domain_name(const char *domain_name) -+{ -+ struct winbindd_domain *wbdom = NULL; -+ -+ wbdom = find_domain_from_name(domain_name); -+ if (wbdom == NULL) { -+ return domain_name; -+ } -+ -+ if (wbdom->active_directory && wbdom->alt_name != NULL) { -+ return wbdom->alt_name; -+ } -+ -+ return wbdom->name; -+} - -commit b93c03c67724f9efd5023bfe37af92e33a0a2b5d -Author: Stefan Metzmacher -Date: Fri May 9 09:38:41 2025 +0200 - - s3:winbindd: avoid using any netlogon call to get a dc name - - BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 - - Signed-off-by: Stefan Metzmacher - Reviewed-by: Guenther Deschner - Reviewed-by: Andreas Schneider - Reviewed-by: Ralph Boehme - -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 0e671ca22be..d487d264dfe 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -776,135 +776,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) - return ret; - } - --static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, -- fstring dcname, -- struct sockaddr_storage *dc_ss, -- uint32_t request_flags) --{ -- struct winbindd_domain *our_domain = NULL; -- struct rpc_pipe_client *netlogon_pipe = NULL; -- NTSTATUS result; -- WERROR werr; -- TALLOC_CTX *mem_ctx; -- unsigned int orig_timeout; -- const char *tmp = NULL; -- const char *p; -- struct dcerpc_binding_handle *b; -- -- /* Hmmmm. We can only open one connection to the NETLOGON pipe at the -- * moment.... */ -- -- if (IS_DC) { -- return False; -- } -- -- if (domain->primary) { -- return False; -- } -- -- our_domain = find_our_domain(); -- -- if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { -- return False; -- } -- -- result = cm_connect_netlogon(our_domain, &netlogon_pipe); -- if (!NT_STATUS_IS_OK(result)) { -- talloc_destroy(mem_ctx); -- return False; -- } -- -- b = netlogon_pipe->binding_handle; -- -- /* This call can take a long time - allow the server to time out. -- 35 seconds should do it. */ -- -- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); -- -- if (our_domain->active_directory) { -- struct netr_DsRGetDCNameInfo *domain_info = NULL; -- -- /* -- * TODO request flags are not respected in the server -- * (and in some cases, like REQUIRE_PDC, causes an error) -- */ -- result = dcerpc_netr_DsRGetDCName(b, -- mem_ctx, -- our_domain->dcname, -- domain->name, -- NULL, -- NULL, -- request_flags|DS_RETURN_DNS_NAME, -- &domain_info, -- &werr); -- if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { -- tmp = talloc_strdup( -- mem_ctx, domain_info->dc_unc); -- if (tmp == NULL) { -- DEBUG(0, ("talloc_strdup failed\n")); -- talloc_destroy(mem_ctx); -- return false; -- } -- if (domain->alt_name == NULL) { -- domain->alt_name = talloc_strdup(domain, -- domain_info->domain_name); -- if (domain->alt_name == NULL) { -- DEBUG(0, ("talloc_strdup failed\n")); -- talloc_destroy(mem_ctx); -- return false; -- } -- } -- if (domain->forest_name == NULL) { -- domain->forest_name = talloc_strdup(domain, -- domain_info->forest_name); -- if (domain->forest_name == NULL) { -- DEBUG(0, ("talloc_strdup failed\n")); -- talloc_destroy(mem_ctx); -- return false; -- } -- } -- } -- } else { -- result = dcerpc_netr_GetAnyDCName(b, mem_ctx, -- our_domain->dcname, -- domain->name, -- &tmp, -- &werr); -- } -- -- /* And restore our original timeout. */ -- rpccli_set_timeout(netlogon_pipe, orig_timeout); -- -- if (!NT_STATUS_IS_OK(result)) { -- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", -- nt_errstr(result))); -- talloc_destroy(mem_ctx); -- return false; -- } -- -- if (!W_ERROR_IS_OK(werr)) { -- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", -- win_errstr(werr))); -- talloc_destroy(mem_ctx); -- return false; -- } -- -- /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ -- p = strip_hostname(tmp); -- -- fstrcpy(dcname, p); -- -- talloc_destroy(mem_ctx); -- -- DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); -- -- if (!resolve_name(dcname, dc_ss, 0x20, true)) { -- return False; -- } -- -- return True; --} -- - /** - * Helper function to assemble trust password and account name - */ -@@ -1530,27 +1401,11 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, - { - fstring dcname; - struct sockaddr_storage ss; -- struct ip_service *ip_list = NULL; -- int iplist_size = 0; -- int i; -- bool is_our_domain; -+ struct samba_sockaddr *sa_list = NULL; -+ size_t salist_size = 0; -+ size_t i; - enum security_types sec = (enum security_types)lp_security(); - -- is_our_domain = strequal(domain->name, lp_workgroup()); -- -- /* If not our domain, get the preferred DC, by asking our primary DC */ -- if ( !is_our_domain -- && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) -- && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, -- num_dcs) ) -- { -- char addr[INET6_ADDRSTRLEN]; -- print_sockaddr(addr, sizeof(addr), &ss); -- DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", -- dcname, addr)); -- return True; -- } -- - if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { - char *sitename = NULL; - -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c -index 13345caa41b..fccc1f0aff5 100644 ---- a/source3/winbindd/winbindd_dual_srv.c -+++ b/source3/winbindd/winbindd_dual_srv.c -@@ -552,106 +552,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, - - NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) - { -- struct winbindd_domain *domain = wb_child_domain(); -- struct rpc_pipe_client *netlogon_pipe; -- struct netr_DsRGetDCNameInfo *dc_info; -- NTSTATUS status; -- WERROR werr; -- unsigned int orig_timeout; -- struct dcerpc_binding_handle *b; -- bool retry = false; -- bool try_dsrgetdcname = false; -- -- if (domain == NULL) { -- return dsgetdcname(p->mem_ctx, global_messaging_context(), -- r->in.domain_name, r->in.domain_guid, -- r->in.site_name ? r->in.site_name : "", -- r->in.flags, -- r->out.dc_info); -- } -- -- if (domain->active_directory) { -- try_dsrgetdcname = true; -- } -- --reconnect: -- status = cm_connect_netlogon(domain, &netlogon_pipe); -- -- reset_cm_connection_on_error(domain, NULL, status); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(10, ("Can't contact the NETLOGON pipe\n")); -- return status; -- } -- -- b = netlogon_pipe->binding_handle; -- -- /* This call can take a long time - allow the server to time out. -- 35 seconds should do it. */ -- -- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); -- -- if (try_dsrgetdcname) { -- status = dcerpc_netr_DsRGetDCName(b, -- p->mem_ctx, domain->dcname, -- r->in.domain_name, NULL, r->in.domain_guid, -- r->in.flags, r->out.dc_info, &werr); -- if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { -- goto done; -- } -- if (!retry && -- reset_cm_connection_on_error(domain, NULL, status)) -- { -- retry = true; -- goto reconnect; -- } -- try_dsrgetdcname = false; -- retry = false; -- } -- -- /* -- * Fallback to less capable methods -- */ -- -- dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); -- if (dc_info == NULL) { -- status = NT_STATUS_NO_MEMORY; -- goto done; -- } -- -- if (r->in.flags & DS_PDC_REQUIRED) { -- status = dcerpc_netr_GetDcName(b, -- p->mem_ctx, domain->dcname, -- r->in.domain_name, &dc_info->dc_unc, &werr); -- } else { -- status = dcerpc_netr_GetAnyDCName(b, -- p->mem_ctx, domain->dcname, -- r->in.domain_name, &dc_info->dc_unc, &werr); -- } -- -- if (!retry && reset_cm_connection_on_error(domain, b, status)) { -- retry = true; -- goto reconnect; -- } -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", -- nt_errstr(status))); -- goto done; -- } -- if (!W_ERROR_IS_OK(werr)) { -- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", -- win_errstr(werr))); -- status = werror_to_ntstatus(werr); -- goto done; -- } -- -- *r->out.dc_info = dc_info; -- status = NT_STATUS_OK; -- --done: -- /* And restore our original timeout. */ -- rpccli_set_timeout(netlogon_pipe, orig_timeout); -- -- return status; -+ return dsgetdcname(p->mem_ctx, global_messaging_context(), -+ r->in.domain_name, r->in.domain_guid, -+ r->in.site_name ? r->in.site_name : "", -+ r->in.flags, -+ r->out.dc_info); - } - - NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)