s3:winbindd: let wb_irpc_SamLogon reject the local domain as RWDC master
authorStefan Metzmacher <metze@samba.org>
Mon, 27 Apr 2026 16:13:36 +0000 (18:13 +0200)
committerVolker Lendecke <vl@samba.org>
Tue, 28 Apr 2026 11:49:16 +0000 (11:49 +0000)
If clients use a subdomain of our domain, the
'sam' auth backend passes the request along to
the 'winbind' auth backend. If winbindd then tries
to use the local domain, we hit the case that
an unknown domain was used. So we need to
bounce the request back to 'sam_ignoredomain'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15973

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Apr 28 11:49:16 UTC 2026 on atb-devel-224

source3/winbindd/winbindd_irpc.c

index 5981eb2d244582245af2e74c1936272df0cbbb16..7f36d7795fa068d47682c1c48ed95e90c031aa47 100644 (file)
@@ -252,6 +252,30 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
                return NT_STATUS_OK;
        }
 
+       if (IS_DC && domain->primary && !domain->rodc) {
+               /*
+                * target_domain_name might
+                * be a subdomain of domain->alt_name,
+                * that's why the 'sam' backend passed it along
+                * to 'winbind' auth backend, but we need to bounce
+                * it back to the 'sam_ignoredomain' backend.
+                */
+               DBG_NOTICE("target_domain[%s] routed to primary domain[%s][%s]\n",
+                          target_domain_name, domain->name, domain->alt_name);
+               req->out.result = NT_STATUS_NO_SUCH_DOMAIN;
+               req->out.authoritative = 0;
+               return NT_STATUS_OK;
+       }
+
+       if (IS_DC && domain->internal && !domain->rodc) {
+               /*
+                * Something strange happened
+                */
+               DBG_ERR("target_domain[%s] routed to internal domain[%s\n",
+                       target_domain_name, domain->name);
+               return NT_STATUS_REQUEST_NOT_ACCEPTED;
+       }
+
        DEBUG(5, ("wb_irpc_SamLogon called\n"));
 
        return wb_irpc_forward_rpc_call(msg, msg,
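Review bot: The DBG_ERR format string in the new `domain->internal` branch is missing its closing bracket (`internal domain[%s\n`), so the error-level log line comes out malformed and is harder to match in log tooling; it should read `DBG_ERR("target_domain[%s] routed to internal domain[%s]\n",`. Both new messages also print `target_domain_name`, which appears to derive from the logon request, and the second does so at error level, so it is worth confirming that a client cannot reach this branch repeatedly and fill the log. In the first branch `domain->alt_name` is passed to `%s` without a visible NULL check; if it can be unset for a primary domain on a non-AD DC, a guarded value would be safer. wb_irpc_SamLogon starts and ends outside this hunk, so how `target_domain_name` and `domain` are obtained is not visible here.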