From: Stefan Metzmacher Date: Mon, 27 Apr 2026 16:13:36 +0000 (+0200) Subject: s3:winbindd: let wb_irpc_SamLogon reject the local domain as RWDC X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4e612725f9fe11f1791bd170cef8b0dade45ba6;p=thirdparty%2Fsamba.git s3:winbindd: let wb_irpc_SamLogon reject the local domain as RWDC If the clients use a subdomain of our domain the 'sam' auth backend passed the request along to the 'winbind' auth backend. If winbindd tries to use the local domain we hit the case that an unknown domain was used. So we need to bounce the request back to 'sam_ignoredomain'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15973 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Apr 28 11:49:16 UTC 2026 on atb-devel-224 --- diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c index 5981eb2d244..7f36d7795fa 100644 --- a/source3/winbindd/winbindd_irpc.c +++ b/source3/winbindd/winbindd_irpc.c @@ -252,6 +252,30 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg, return NT_STATUS_OK; } + if (IS_DC && domain->primary && !domain->rodc) { + /* + * target_domain_name might + * be a subdomain of domain->alt_name, + * that's why the 'sam' backend passed it along + * to 'winbind' auth backend, but we need to bounce + * it back to the 'sam_ignoredomain' backend. + */ + DBG_NOTICE("target_domain[%s] routed to primary domain[%s][%s]\n", + target_domain_name, domain->name, domain->alt_name); + req->out.result = NT_STATUS_NO_SUCH_DOMAIN; + req->out.authoritative = 0; + return NT_STATUS_OK; + } + + if (IS_DC && domain->internal && !domain->rodc) { + /* + * Something strange happened + */ + DBG_ERR("target_domain[%s] routed to internal domain[%s\n", + target_domain_name, domain->name); + return NT_STATUS_REQUEST_NOT_ACCEPTED; + } + DEBUG(5, ("wb_irpc_SamLogon called\n")); return wb_irpc_forward_rpc_call(msg, msg,
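Review bot: In the second added block (the `domain->internal` case), the `DBG_ERR` format string `"target_domain[%s] routed to internal domain[%s\n"` is missing the closing `]` after the second `%s`. Suggest `"... routed to internal domain[%s]\n"` so the line matches the bracket style of the `DBG_NOTICE` just above and stays easy to grep in winbindd logs. The comment "Something strange happened" would also be more useful if it said why this path is not expected to be reached. The two blocks report failure differently: the primary-domain case sets `req->out.result = NT_STATUS_NO_SUCH_DOMAIN` and `req->out.authoritative = 0` and returns `NT_STATUS_OK`, while the internal-domain case returns `NT_STATUS_REQUEST_NOT_ACCEPTED` directly without touching `req->out`. If that difference is intentional, a short comment saying so would help the next reader. Finally, the first condition bounces every request that resolves to the primary domain on a non-RODC DC, not only the subdomain case the comment describes. That matches the subject line, but the comment could state it.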