From: Pavel Filipenský <pfilipensky@samba.org>
Date: Wed, 23 Jul 2025 13:09:21 +0000 (+0200)
Subject: s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC
X-Git-Tag: samba-4.22.4~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe8eafc289dfbb6f2b6c706f2a8a68186807d4f8;p=thirdparty%2Fsamba.git

s3:winbindd: Resolve dc name using CLDAP also for ROLE_IPA_DC

server role ROLE_IPA_DC (introduced in e2d5b4d) needs special handling
in dcip_check_name().  We should resolve the DC name using:
- CLDAP in dcip_check_name_ads()
instead of:
- NETBIOS in nbt_getdc() that fails if Windows is not providing netbios.

The impacted environment has:

domain->alt_name = example.com
domain->active_directory = 1
security = USER
server role = ROLE_IPA_DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15891

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-programmed-with: Andreas Schneider <asn@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 4921c3304e5e0480e5bb80a757b3f04b3b92c3b1)
---

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index bff3a9ce4f9..d52deccf430 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1098,7 +1098,9 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx,
 
 	if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
 		is_ad_domain = true;
-	} else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+	} else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC ||
+		   lp_server_role() == ROLE_IPA_DC)
+	{
 		is_ad_domain = domain->active_directory;
 	}