From: Andreas Schneider
Date: Wed, 4 Feb 2026 14:10:02 +0000 (+0100)
Subject: s3:winbind: Do not fallback to NCACN_NP Netlogon/LSA connections for AD domains
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33628fd9da56afc0fa1a480b7df2f73e4e0d3664;p=thirdparty%2Fsamba.git
s3:winbind: Do not fallback to NCACN_NP Netlogon/LSA connections for AD domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15987
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Stefan Metzmacher
Signed-off-by: Andreas Schneider
Reviewed-by: Pavel Filipenský
Autobuild-User(master): Pavel Filipensky
Autobuild-Date(master): Mon May 11 21:24:02 UTC 2026 on atb-devel-224
---
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 28c7eb4696f..3007361fe8f 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -3234,6 +3234,24 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
 		return status;
 	}
 
+	if (domain->secure_channel_type != SEC_CHAN_NULL) {
+		/*
+		 * We tried to connect via ncan_ip_tcp and schannel and
+		 * failed - this is either a trusted domain we can't
+		 * connect to or a firewall blocking access.
+		 *
+		 * This also prevents LSA over TCP
+		 */
+		DBG_ERR("Unable to connect to DC %s of domain %s over "
+			"TCP/IP: %s.\nPlease check your firewall if it "
+			"allows connections to port 135 and port "
+			"range 49152-65535 over TCP/IP!\n",
+			domain->dcname,
+			domain->name,
+			nt_errstr(status));
+		return status;
+	}
+
 	/*
 	 * we tried twice to connect via ncan_ip_tcp and schannel and
 	 * failed - maybe it is a trusted domain we can't connect to ?
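Review bot: The last line of the new comment, `* This also prevents LSA over TCP`, does not describe what the early return does: by this point the ncacn_ip_tcp/schannel attempt has already failed, and what the return skips is the NCACN_NP fallback named in the commit subject, so the line reads as if TCP were being blocked. The same 18 lines are copied verbatim into cm_connect_netlogon in the second hunk, where "LSA" is not even the service being connected; in both places I would reword it to `* This also prevents the fallback to NCACN_NP (Netlogon/LSA over SMB named pipes).`. Since the guard, comment and DBG_ERR text are identical in the two functions, a small static helper taking domain and status would keep the firewall guidance in one place and stop the two copies drifting apart. The condition `domain->secure_channel_type != SEC_CHAN_NULL` is presumably what selects the AD/trusted domains with a secure channel that the subject refers to; a one-line comment saying so would help, because the existing "we tried twice" comment that follows now only applies to the SEC_CHAN_NULL case. Both cm_connect_lsat and cm_connect_netlogon start and end outside their hunks.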
@@ -3400,6 +3418,24 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		return status;
 	}
 
+	if (domain->secure_channel_type != SEC_CHAN_NULL) {
+		/*
+		 * We tried to connect via ncan_ip_tcp and schannel and
+		 * failed - this is either a trusted domain we can't
+		 * connect to or a firewall blocking access.
+		 *
+		 * This also prevents LSA over TCP
+		 */
+		DBG_ERR("Unable to connect to DC %s of domain %s over "
+			"TCP/IP: %s.\nPlease check your firewall if it "
+			"allows connections to port 135 and port "
+			"range 49152-65535 over TCP/IP!\n",
+			domain->dcname,
+			domain->name,
+			nt_errstr(status));
+		return status;
+	}
+
 	/*
 	 * we tried twice to connect via ncan_ip_tcp and schannel and
 	 * failed - maybe it is a trusted domain we can't connect to ?