s3:winbind: Do not fallback to NCACN_NP Netlogon/LSA connections for AD domains gitlab/master
authorAndreas Schneider <asn@samba.org>
Wed, 4 Feb 2026 14:10:02 +0000 (15:10 +0100)
committerPavel Filipensky <pfilipensky@samba.org>
Mon, 11 May 2026 21:24:02 +0000 (21:24 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15987

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon May 11 21:24:02 UTC 2026 on atb-devel-224

source3/winbindd/winbindd_cm.c

index 28c7eb4696f624d956e86a0e872df769ec8370aa..3007361fe8fd752b4982e82135087a82fcf1124b 100644 (file)
@@ -3234,6 +3234,24 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
                        return status;
                }
 
+               if (domain->secure_channel_type != SEC_CHAN_NULL) {
+                       /*
+                        * We tried to connect via ncan_ip_tcp and schannel and
+                        * failed - this is either a trusted domain we can't
+                        * connect to or a firewall blocking access.
+                        *
+                        * This also prevents LSA over TCP
+                        */
+                       DBG_ERR("Unable to connect to DC %s of domain %s over "
+                               "TCP/IP: %s.\nPlease check your firewall if it "
+                               "allows connections to port 135 and port "
+                               "range 49152-65535 over TCP/IP!\n",
+                               domain->dcname,
+                               domain->name,
+                               nt_errstr(status));
+                       return status;
+               }
+
                /*
                 * we tried twice to connect via ncan_ip_tcp and schannel and
                 * failed - maybe it is a trusted domain we can't connect to ?
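Review bot: The new early return in cm_connect_lsat attributes every failure to a firewall, although `status` at this point can also be an authentication or access-denied result from the schannel attempt, so the "check ports 135 and 49152-65535" hint would then point an administrator in the wrong direction; rewording the message as `"TCP/IP: %s.\nIf this is a network error, please check that your firewall allows connections to port 135 and port range 49152-65535 over TCP/IP!\n"` keeps the hint without asserting the cause. The same 18 lines are added verbatim in the cm_connect_netlogon hunk below, including the "ncan_ip_tcp" spelling (for ncacn_ip_tcp) inherited from the older comment, so a small static helper called from both sites would keep the two messages from drifting. The enclosing function begins and ends outside the hunk, so where the remaining NCACN_NP fallback lives is inferred from the commit title rather than visible here.
```c
/* Log a failed TCP/IP (ncacn_ip_tcp + schannel) connection to the DC of
 * a domain that must not fall back to NCACN_NP. */
static void log_tcp_dc_connect_failure(const struct winbindd_domain *domain,
				       NTSTATUS status)
{
	DBG_ERR("Unable to connect to DC %s of domain %s over "
		"TCP/IP: %s.\nIf this is a network error, please check that "
		"your firewall allows connections to port 135 and port "
		"range 49152-65535 over TCP/IP!\n",
		domain->dcname,
		domain->name,
		nt_errstr(status));
}

/* … unchanged: cm_connect_lsat up to the schannel retry … */
		if (domain->secure_channel_type != SEC_CHAN_NULL) {
			log_tcp_dc_connect_failure(domain, status);
			return status;
		}
```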
@@ -3400,6 +3418,24 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
                        return status;
                }
 
+               if (domain->secure_channel_type != SEC_CHAN_NULL) {
+                       /*
+                        * We tried to connect via ncan_ip_tcp and schannel and
+                        * failed - this is either a trusted domain we can't
+                        * connect to or a firewall blocking access.
+                        *
+                        * This also prevents LSA over TCP
+                        */
+                       DBG_ERR("Unable to connect to DC %s of domain %s over "
+                               "TCP/IP: %s.\nPlease check your firewall if it "
+                               "allows connections to port 135 and port "
+                               "range 49152-65535 over TCP/IP!\n",
+                               domain->dcname,
+                               domain->name,
+                               nt_errstr(status));
+                       return status;
+               }
+
                /*
                 * we tried twice to connect via ncan_ip_tcp and schannel and
                 * failed - maybe it is a trusted domain we can't connect to ?
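Review bot: The comment copied into cm_connect_netlogon still says "This also prevents LSA over TCP", which names the wrong service for a Netlogon connection and, in both functions, describes the guard backwards: the TCP attempt has already failed when this block runs, and what the return prevents is the fallback to the NCACN_NP transport that the commit title describes. Replacing that sentence in both hunks with `* Returning here also skips the NCACN_NP fallback below.` would state the actual effect. It would also help to say why `secure_channel_type != SEC_CHAN_NULL` is the gate, since the commit message talks about "AD domains" but the code tests the secure channel type; if that is the intended mapping, a line such as `* SEC_CHAN_NULL means no secure channel; only such domains may still use NCACN_NP.` documents it. The enclosing function begins and ends outside the hunk.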