The branch, master has been updated
       via  a4dff82e453 s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in gensec
       via  1dbafcc4e4f s3:netlogon: IPA DC is the PDC as well - allow ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
       via  d88268102ad docs-xml: Make smb.conf 'server role' value consistent with ROLE_IPA_DC in libparam
       via  4921c3304e5 s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
      from  43b3ee91b29 s3:tests: Use bash and disable history expansion for test_wbinfo_lookuprids_cache.sh

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a4dff82e45308db3ccabac2a55c03d52f04d7b4d
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 4 23:28:24 2025 +0200

    s3:utils: Allow ROLE_IPA_DC to allow to use Kerberos in gensec
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Tue Aug  5 14:51:51 UTC 2025 on atb-devel-224

commit 1dbafcc4e4ff8f39af5ca737b30e9821413dd1f2
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 4 23:26:02 2025 +0200

    s3:netlogon: IPA DC is the PDC as well - allow ROLE_IPA_DC in _netr_DsRGetForestTrustInformation()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d88268102ade07fab345e04109818d97d8843a14
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Mon Aug 4 08:35:29 2025 +0200

    docs-xml: Make smb.conf 'server role' value consistent with ROLE_IPA_DC in libparam
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4921c3304e5e0480e5bb80a757b3f04b3b92c3b1
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Wed Jul 23 15:09:21 2025 +0200

    s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
    
    server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling
    in dcip_check_name().  We should resolve the DC name using:
    - CLDAP in dcip_check_name_ads()
    instead of:
    - NETBIOS in nbt_getdc() that fails if Windows is not providing netbios.
    
    The impacted environment has:
    
    domain->alt_name = example.com
    domain->active_directory = 1
    security = USER
    server role = ROLE_IPA_DC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Pair-programmed-with: Andreas Schneider <a...@samba.org>
    
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/serverrole.xml | 2 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c | 5 ++++-
 source3/utils/ntlm_auth.c                   | 6 +++++-
 source3/winbindd/winbindd_cm.c              | 4 +++-
 4 files changed, 13 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/serverrole.xml 
b/docs-xml/smbdotconf/security/serverrole.xml
index 4ea4e4751ee..40244e125ce 100644
--- a/docs-xml/smbdotconf/security/serverrole.xml
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -78,7 +78,7 @@
     url="http://wiki.samba.org/index.php/Samba4/HOWTO";>Samba4
     HOWTO</ulink></para>
 
-    <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA DOMAIN 
CONTROLLER</emphasis></para>
+    <para><anchor id="IPA-DC"/><emphasis>SERVER ROLE = IPA PRIMARY DOMAIN 
CONTROLLER</emphasis></para>
 
     <para>This mode of operation runs Samba in a hybrid mode for IPA
     domain controller, providing forest trust to Active Directory.
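Review bot: the paragraph directly under the renamed heading still says "IPA domain controller" while the heading now reads "IPA PRIMARY DOMAIN CONTROLLER", and nothing in the visible text tells an admin who copied the old heading into smb.conf whether that spelling is accepted. Suggest adding a sentence to this section that states the exact accepted 'server role' value. Keeping anchor id="IPA-DC" unchanged is good, existing links stay valid.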
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c 
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 39bf2b30841..eb60aa7c7d7 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2907,7 +2907,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct 
pipes_struct *p,
                return WERR_INVALID_FLAGS;
        }
 
-       if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != 
ROLE_DOMAIN_PDC)) {
+       if ((r->in.flags & DS_GFTI_UPDATE_TDO) &&
+           (lp_server_role() != ROLE_DOMAIN_PDC) &&
+           (lp_server_role() != ROLE_IPA_DC))
+       {
                p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
                return WERR_NERR_NOTPRIMARY;
        }
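Review bot: the DS_GFTI_UPDATE_TDO gate in _netr_DsRGetForestTrustInformation() now admits a second role, but the reason lives only in the commit subject ("IPA DC is the PDC as well"). This condition decides which server roles may take the DS_GFTI_UPDATE_TDO path instead of returning WERR_NERR_NOTPRIMARY, so a one-line comment above it would help the next reader, and reading lp_server_role() once into a local would avoid the repeated call. The change summary lists no test file; a test that ROLE_IPA_DC is no longer rejected for this flag would be worth adding.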
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index e839076f8d5..d5ae7c85b22 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1355,7 +1355,11 @@ static NTSTATUS 
ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx,
 
        cli_credentials_set_conf(server_credentials, lp_ctx);
 
-       if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == 
SEC_ADS || USE_KERBEROS_KEYTAB) {
+       if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC ||
+           lp_server_role() == ROLE_IPA_DC ||
+           lp_security() == SEC_ADS ||
+           USE_KERBEROS_KEYTAB)
+       {
                cli_credentials_set_kerberos_state(server_credentials,
                                                   CRED_USE_KERBEROS_DESIRED,
                                                   CRED_SPECIFIED);
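Review bot: missing rationale on the condition in ntlm_auth_prepare_gensec_server(): the commit message carries only the BUG link, and the condition now mixes two server roles, lp_security() == SEC_ADS and USE_KERBEROS_KEYTAB with no comment saying why ROLE_IPA_DC needs the server credentials set to CRED_USE_KERBEROS_DESIRED. The pair "ROLE_ACTIVE_DIRECTORY_DC || ROLE_IPA_DC" is also repeated in dcip_check_name() in winbindd_cm.c in this same push; a small shared predicate would keep the two checks from drifting apart if another role is added later.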
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index c5ea918cff7..f45bb6cda99 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1088,7 +1088,9 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
 
        if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
                is_ad_domain = true;
-       } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+       } else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC ||
+                  lp_server_role() == ROLE_IPA_DC)
+       {
                is_ad_domain = domain->active_directory;
        }
 
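Review bot: the else-if branch in dcip_check_name() has no comment explaining why ROLE_IPA_DC is grouped with ROLE_ACTIVE_DIRECTORY_DC. The reasoning (resolve the DC name via CLDAP in dcip_check_name_ads() because nbt_getdc() fails when Windows is not providing NetBIOS, in a setup with security = USER) is only in the commit message; a short comment here would keep it next to the code. For ROLE_IPA_DC the result now depends entirely on domain->active_directory, and the change summary shows no test file, so a regression test for that environment would be a useful follow-up.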


-- 
Samba Shared Repository
