From b4e612725f9fe11f1791bd170cef8b0dade45ba6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 27 Apr 2026 18:13:36 +0200
Subject: [PATCH] s3:winbindd: let wb_irpc_SamLogon reject the local domain as RWDC

If the clients use a subdomain of our domain the 'sam' auth backend passed the request along to the 'winbind' auth backend. If winbindd tries to use the local domain we hit the case that an unknown domain was used. So we need to bounce the request back to 'sam_ignoredomain'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15973
Signed-off-by: Stefan Metzmacher
Reviewed-by: Volker Lendecke
Autobuild-User(master): Volker Lendecke
Autobuild-Date(master): Tue Apr 28 11:49:16 UTC 2026 on atb-devel-224
---
 source3/winbindd/winbindd_irpc.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c
index 5981eb2d244..7f36d7795fa 100644
--- a/source3/winbindd/winbindd_irpc.c
+++ b/source3/winbindd/winbindd_irpc.c
@@ -252,6 +252,30 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg,
 return NT_STATUS_OK;
 }
 
+ if (IS_DC && domain->primary && !domain->rodc) {
+ /*
+ * target_domain_name might
+ * be a subdomain of domain->alt_name,
+ * that's why the 'sam' backend passed it along
+ * to 'winbind' auth backend, but we need to bounce
+ * it back to the 'sam_ignoredomain' backend.
+ */
+ DBG_NOTICE("target_domain[%s] routed to primary domain[%s][%s]\n",
+ target_domain_name, domain->name, domain->alt_name);
+ req->out.result = NT_STATUS_NO_SUCH_DOMAIN;
+ req->out.authoritative = 0;
+ return NT_STATUS_OK;
+ }
+
+ if (IS_DC && domain->internal && !domain->rodc) {
+ /*
+ * Something strange happened
+ */
+ DBG_ERR("target_domain[%s] routed to internal domain[%s\n",
+ target_domain_name, domain->name);
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
 DEBUG(5, ("wb_irpc_SamLogon called\n"));
 
 return wb_irpc_forward_rpc_call(msg, msg,
-- 
2.47.3
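Review bot: The `DBG_ERR` format string in the second added branch is missing the closing bracket after the domain name (`internal domain[%s\n`), so the error-level log line is unbalanced and harder to match in log tooling; it should read `DBG_ERR("target_domain[%s] routed to internal domain[%s]\n",`. The comment `Something strange happened` does not say what is being refused; a sentence stating that a forwarded SamLogon is never expected to resolve to an internal domain on a read-write DC, and is therefore rejected rather than forwarded, would document the guard. Because this branch logs at error level and `target_domain_name` appears to originate from the logon request, it is worth confirming that a remote client cannot reach it repeatedly by its choice of domain name, otherwise the message becomes a log-flooding path. wb_irpc_SamLogon starts and ends outside the hunk, so how `domain` and `target_domain_name` are derived is not visible here.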