Version in base suite: 4.17.12+dfsg-0+deb12u1 Base version: samba_4.17.12+dfsg-0+deb12u1 Target version: samba_4.17.12+dfsg-0+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/samba/samba_4.17.12+dfsg-0+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/samba/samba_4.17.12+dfsg-0+deb12u2.dsc changelog | 25 control | 2 patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch | 55 + patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch | 35 + patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch | 44 + patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch | 182 +++++ patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch | 307 ++++++++++ patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch | 54 + patches/series | 6 9 files changed, 709 insertions(+), 1 deletion(-) gpgv: Signature made Tue Oct 10 15:24:35 2023 UTC gpgv: using RSA key 7B73BAD68BE7A2C289314B22701B4F6B1A693E59 gpgv: issuer "mjt@tls.msk.ru" gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpzkof03zp/samba_4.17.12+dfsg-0+deb12u1.dsc diff -Nru samba-4.17.12+dfsg/debian/changelog samba-4.17.12+dfsg/debian/changelog --- samba-4.17.12+dfsg/debian/changelog 2023-10-10 15:17:19.000000000 +0000 +++ samba-4.17.12+dfsg/debian/changelog 2025-07-11 08:21:51.000000000 +0000 @@ -1,3 +1,28 @@ +samba (2:4.17.12+dfsg-0+deb12u2) bookworm; urgency=medium + + [ Salvatore Bonaccorso ] + * several patches from upstream: + - s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch: + s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL + - s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch: + s3:libsmb: allow store_cldap_reply() to work with a ipv6 response + - s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch: + s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND + - s3-winbindd-use-better-debug-messages-than-talloc_st.patch: + s3:winbindd: use better debug messages than 'talloc_strdup failed' + - s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch: + s3:winbindd: avoid using any netlogon call to get a dc name + s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch: + s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name + (Closes: #1108904) + + [ Michael Tokarev ] + * d/control: fix versioned dependency on samba for samba-ad-dc + samba-ad-dc is arch-all package. We need samba >= ${source:Version}~ + (note the tilde at the end), not ${binary:Version} (without tilde) + + -- Michael Tokarev Fri, 11 Jul 2025 11:21:51 +0300 + samba (2:4.17.12+dfsg-0+deb12u1) bookworm-security; urgency=medium * new stable security bugfix release: diff -Nru samba-4.17.12+dfsg/debian/control samba-4.17.12+dfsg/debian/control --- samba-4.17.12+dfsg/debian/control 2023-10-10 15:15:43.000000000 +0000 +++ samba-4.17.12+dfsg/debian/control 2025-07-10 13:02:07.000000000 +0000 @@ -190,7 +190,7 @@ Architecture: all Multi-Arch: foreign Pre-Depends: ${misc:Pre-Depends} -Depends: samba (>= ${binary:Version}), samba-dsdb-modules, samba-vfs-modules, +Depends: samba (>= ${source:Version}~), samba-dsdb-modules, samba-vfs-modules, winbind, krb5-kdc (>> 1.19.0) , ${misc:Depends} diff -Nru samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch --- samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.17.12+dfsg/debian/patches/s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch 2025-07-10 13:02:07.000000000 +0000 @@ -0,0 +1,55 @@ +From: Stefan Metzmacher +Date: Tue, 7 May 2024 14:53:24 +0000 +Subject: s3:libsmb: allow store_cldap_reply() to work with a ipv6 response +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224 +--- + source3/libsmb/dsgetdcname.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c +index 0fcf23a280ee..654893c172c6 100644 +--- a/source3/libsmb/dsgetdcname.c ++++ b/source3/libsmb/dsgetdcname.c +@@ -196,7 +196,29 @@ static NTSTATUS store_cldap_reply(TALLOC_CTX *mem_ctx, + /* FIXME */ + r->sockaddr_size = 0x10; /* the w32 winsock addr size */ + r->sockaddr.sockaddr_family = 2; /* AF_INET */ +- r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, addr); ++ if (is_ipaddress_v4(addr)) { ++ r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, addr); ++ if (r->sockaddr.pdc_ip == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } else { ++ /* ++ * ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX will ++ * fail with an ipv6 address. ++ * ++ * This matches windows behaviour in the CLDAP ++ * response when NETLOGON_NT_VERSION_5EX_WITH_IP ++ * is used. ++ * ++ * Windows returns the ipv4 address of the ipv6 ++ * server interface and falls back to 127.0.0.1 ++ * if there's no ipv4 address. ++ */ ++ r->sockaddr.pdc_ip = talloc_strdup(mem_ctx, "127.0.0.1"); ++ if (r->sockaddr.pdc_ip == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } + + ndr_err = ndr_push_struct_blob(&blob, mem_ctx, r, + (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX); +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch --- samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.17.12+dfsg/debian/patches/s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch 2025-07-10 13:02:07.000000000 +0000 @@ -0,0 +1,35 @@ +From: Stefan Metzmacher +Date: Thu, 15 Feb 2024 17:29:46 +0100 +Subject: s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/2b66663c75cdb3bc1b6bc5b1736dd9d35b094b42 + +In 2024 we always want an active directory response... + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +--- + source3/libsmb/dsgetdcname.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c +index 09a6e6648b42..0fcf23a280ee 100644 +--- a/source3/libsmb/dsgetdcname.c ++++ b/source3/libsmb/dsgetdcname.c +@@ -930,6 +930,11 @@ static NTSTATUS process_dc_netbios(TALLOC_CTX *mem_ctx, + name_type = NBT_NAME_PDC; + } + ++ /* ++ * It's 2024 we always want an AD style response! ++ */ ++ nt_version |= NETLOGON_NT_VERSION_AVOID_NT4EMUL; ++ + nt_version |= map_ds_flags_to_nt_version(flags); + + snprintf(my_acct_name, +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch --- samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.17.12+dfsg/debian/patches/s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch 2025-07-10 13:02:07.000000000 +0000 @@ -0,0 +1,44 @@ +From: Stefan Metzmacher +Date: Fri, 11 Oct 2024 13:32:22 +0000 +Subject: s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/e47ce1d10b13d8ef165c70984e6e490f4c2a64c2 + +We may get NT_STATUS_NOT_FOUND when the name can't be resolved +and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4 +addresses... + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +--- + source3/libsmb/dsgetdcname.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c +index 9053ee5c8b05..6bbe4e0b4ad1 100644 +--- a/source3/libsmb/dsgetdcname.c ++++ b/source3/libsmb/dsgetdcname.c +@@ -435,7 +435,19 @@ static NTSTATUS discover_dc_netbios(TALLOC_CTX *mem_ctx, + &count, + resolve_order); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10,("discover_dc_netbios: failed to find DC\n")); ++ NTSTATUS raw_status = status; ++ ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) { ++ status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; ++ } ++ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ADDRESS)) { ++ status = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND; ++ } ++ ++ DBG_DEBUG("failed to find DC for %s: %s => %s\n", ++ domain_name, ++ nt_errstr(raw_status), ++ nt_errstr(status)); + return status; + } + +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch --- samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.17.12+dfsg/debian/patches/s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch 2025-07-10 13:02:07.000000000 +0000 @@ -0,0 +1,182 @@ +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 2 Jul 2025 21:59:48 +0200 +Subject: s3-winbindd: Fix internal winbind dsgetdcname calls w.r.t. domain name +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/2560c9b3224816ffd371a62103f65b3aca301ad5 +Bug-Debian: https://bugs.debian.org/1108904 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +when winbind calls to dsgetdcname internally, make sure to +prefer the DNS domain name if we have it. Makes DNS lookups much more +likely to succeed. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Mon Jul 7 10:44:37 UTC 2025 on atb-devel-224 +--- + source3/winbindd/wb_queryuser.c | 17 +++++++++++++---- + source3/winbindd/wb_sids2xids.c | 17 +++++++++++++---- + source3/winbindd/wb_xids2sids.c | 12 +++++++++--- + source3/winbindd/winbindd_dual.c | 6 +++++- + source3/winbindd/winbindd_proto.h | 1 + + source3/winbindd/winbindd_util.c | 19 +++++++++++++++++++ + 6 files changed, 60 insertions(+), 12 deletions(-) + +diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c +index c2758f1b76ac..db8e946ba717 100644 +--- a/source3/winbindd/wb_queryuser.c ++++ b/source3/winbindd/wb_queryuser.c +@@ -289,10 +289,19 @@ static void wb_queryuser_done(struct tevent_req *subreq) + + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { +- D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling wb_dsgetdcname_send()\n"); +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->info->domain_name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->info->domain_name); ++ ++ D_DEBUG("GetNssInfo got DOMAIN_CONTROLLER_NOT_FOUND, calling " ++ "wb_dsgetdcname_send(%s)\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c +index f0f6c23fc20b..03e5e7e02581 100644 +--- a/source3/winbindd/wb_sids2xids.c ++++ b/source3/winbindd/wb_sids2xids.c +@@ -612,13 +612,22 @@ static void wb_sids2xids_done(struct tevent_req *subreq) + !state->tried_dclookup) { + + struct lsa_DomainInfo *d; ++ const char *domain_name = NULL; + +- D_DEBUG("Domain controller not found. Calling wb_dsgetdcname_send() to get it.\n"); + d = &state->idmap_doms.domains[state->dom_index]; + +- subreq = wb_dsgetdcname_send( +- state, state->ev, d->name.string, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ domain_name = find_dns_domain_name(d->name.string); ++ ++ D_DEBUG("Domain controller not found. Calling " ++ "wb_dsgetdcname_send(%s) to get it.\n", ++ domain_name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c +index 86bd7f9deab6..6fcf524d94fd 100644 +--- a/source3/winbindd/wb_xids2sids.c ++++ b/source3/winbindd/wb_xids2sids.c +@@ -143,9 +143,15 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) + if (NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) && + !state->tried_dclookup) { + +- subreq = wb_dsgetdcname_send( +- state, state->ev, state->dom_map->name, NULL, NULL, +- DS_RETURN_DNS_NAME); ++ const char *domain_name = find_dns_domain_name( ++ state->dom_map->name); ++ ++ subreq = wb_dsgetdcname_send(state, ++ state->ev, ++ domain_name, ++ NULL, ++ NULL, ++ DS_RETURN_DNS_NAME); + if (tevent_req_nomem(subreq, req)) { + return; + } +diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c +index 57e768844165..ccea44acf185 100644 +--- a/source3/winbindd/winbindd_dual.c ++++ b/source3/winbindd/winbindd_dual.c +@@ -548,6 +548,7 @@ static void wb_domain_request_trigger(struct tevent_req *req, + struct wb_domain_request_state *state = tevent_req_data( + req, struct wb_domain_request_state); + struct winbindd_domain *domain = state->domain; ++ const char *domain_name = NULL; + struct tevent_req *subreq = NULL; + size_t shortest_queue_length; + +@@ -623,8 +624,11 @@ static void wb_domain_request_trigger(struct tevent_req *req, + * which is indicated by DS_RETURN_DNS_NAME. + * For NT4 domains we still get the netbios name. + */ ++ ++ domain_name = find_dns_domain_name(state->domain->name); ++ + subreq = wb_dsgetdcname_send(state, state->ev, +- state->domain->name, ++ domain_name, + NULL, /* domain_guid */ + NULL, /* site_name */ + DS_RETURN_DNS_NAME); /* flags */ +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index 6d11a41d8156..3734ab490864 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -608,6 +608,7 @@ bool parse_sidlist(TALLOC_CTX *mem_ctx, const char *sidstr, + struct dom_sid **sids, uint32_t *num_sids); + bool parse_xidlist(TALLOC_CTX *mem_ctx, const char *xidstr, + struct unixid **pxids, uint32_t *pnum_xids); ++const char *find_dns_domain_name(const char *domain_name); + + /* The following definitions come from winbindd/winbindd_wins.c */ + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 054661776003..954d01928b2d 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -2673,3 +2673,22 @@ fail: + TALLOC_FREE(xids); + return false; + } ++ ++/** ++ * Helper to extract the DNS Domain Name from a struct winbindd_domain ++ */ ++const char *find_dns_domain_name(const char *domain_name) ++{ ++ struct winbindd_domain *wbdom = NULL; ++ ++ wbdom = find_domain_from_name(domain_name); ++ if (wbdom == NULL) { ++ return domain_name; ++ } ++ ++ if (wbdom->active_directory && wbdom->alt_name != NULL) { ++ return wbdom->alt_name; ++ } ++ ++ return wbdom->name; ++} +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch --- samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.17.12+dfsg/debian/patches/s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch 2025-07-10 13:02:07.000000000 +0000 @@ -0,0 +1,307 @@ +From: Stefan Metzmacher +Date: Fri, 9 May 2025 09:38:41 +0200 +Subject: s3:winbindd: avoid using any netlogon call to get a dc name +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/f86a4bf6848ade2db7229d182576db3320c3ece7 +Bug-Debian: https://bugs.debian.org/1108904 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15876 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Guenther Deschner +Reviewed-by: Andreas Schneider +Reviewed-by: Ralph Boehme +--- + source3/winbindd/winbindd_cm.c | 150 --------------------------- + source3/winbindd/winbindd_dual_srv.c | 105 +------------------ + 2 files changed, 5 insertions(+), 250 deletions(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index cc0b47b0600c..15a2f60c5321 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -477,140 +477,6 @@ static bool cm_is_ipc_credentials(struct cli_credentials *creds) + return ret; + } + +-static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, +- fstring dcname, +- struct sockaddr_storage *dc_ss, +- uint32_t request_flags) +-{ +- struct winbindd_domain *our_domain = NULL; +- struct rpc_pipe_client *netlogon_pipe = NULL; +- NTSTATUS result; +- WERROR werr; +- TALLOC_CTX *mem_ctx; +- unsigned int orig_timeout; +- const char *tmp = NULL; +- const char *p; +- struct dcerpc_binding_handle *b; +- +- /* Hmmmm. We can only open one connection to the NETLOGON pipe at the +- * moment.... */ +- +- if (IS_DC) { +- return False; +- } +- +- if (domain->primary) { +- return False; +- } +- +- our_domain = find_our_domain(); +- +- if ((mem_ctx = talloc_init("get_dc_name_via_netlogon")) == NULL) { +- return False; +- } +- +- result = cm_connect_netlogon(our_domain, &netlogon_pipe); +- if (!NT_STATUS_IS_OK(result)) { +- talloc_destroy(mem_ctx); +- return False; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. */ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (our_domain->active_directory) { +- struct netr_DsRGetDCNameInfo *domain_info = NULL; +- +- /* +- * TODO request flags are not respected in the server +- * (and in some cases, like REQUIRE_PDC, causes an error) +- */ +- result = dcerpc_netr_DsRGetDCName(b, +- mem_ctx, +- our_domain->dcname, +- domain->name, +- NULL, +- NULL, +- request_flags|DS_RETURN_DNS_NAME, +- &domain_info, +- &werr); +- if (NT_STATUS_IS_OK(result) && W_ERROR_IS_OK(werr)) { +- tmp = talloc_strdup( +- mem_ctx, domain_info->dc_unc); +- if (tmp == NULL) { +- DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", +- domain_info->dc_unc); +- talloc_destroy(mem_ctx); +- return false; +- } +- if (domain->alt_name == NULL) { +- domain->alt_name = talloc_strdup(domain, +- domain_info->domain_name); +- if (domain->alt_name == NULL) { +- DBG_ERR("talloc_strdup failed for " +- "domain_info->domain_name[%s]\n", +- domain_info->domain_name); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- if (domain->forest_name == NULL) { +- domain->forest_name = talloc_strdup(domain, +- domain_info->forest_name); +- if (domain->forest_name == NULL) { +- DBG_ERR("talloc_strdup failed for " +- "domain_info->forest_name[%s]\n", +- domain_info->forest_name); +- talloc_destroy(mem_ctx); +- return false; +- } +- } +- } +- } else { +- result = dcerpc_netr_GetAnyDCName(b, mem_ctx, +- our_domain->dcname, +- domain->name, +- &tmp, +- &werr); +- } +- +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- if (!NT_STATUS_IS_OK(result)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- nt_errstr(result))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10,("dcerpc_netr_GetAnyDCName failed: %s\n", +- win_errstr(werr))); +- talloc_destroy(mem_ctx); +- return false; +- } +- +- /* dcerpc_netr_GetAnyDCName gives us a name with \\ */ +- p = strip_hostname(tmp); +- +- fstrcpy(dcname, p); +- +- talloc_destroy(mem_ctx); +- +- DEBUG(10,("dcerpc_netr_GetAnyDCName returned %s\n", dcname)); +- +- if (!resolve_name(dcname, dc_ss, 0x20, true)) { +- return False; +- } +- +- return True; +-} +- + /** + * Helper function to assemble trust password and account name + */ +@@ -1297,24 +1163,8 @@ static bool get_dcs(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, + struct samba_sockaddr *sa_list = NULL; + size_t salist_size = 0; + size_t i; +- bool is_our_domain; + enum security_types sec = (enum security_types)lp_security(); + +- is_our_domain = strequal(domain->name, lp_workgroup()); +- +- /* If not our domain, get the preferred DC, by asking our primary DC */ +- if ( !is_our_domain +- && get_dc_name_via_netlogon(domain, dcname, &ss, request_flags) +- && add_one_dc_unique(mem_ctx, domain->name, dcname, &ss, dcs, +- num_dcs) ) +- { +- char addr[INET6_ADDRSTRLEN]; +- print_sockaddr(addr, sizeof(addr), &ss); +- DEBUG(10, ("Retrieved DC %s at %s via netlogon\n", +- dcname, addr)); +- return True; +- } +- + if ((sec == SEC_ADS) && (domain->alt_name != NULL)) { + char *sitename = NULL; + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index b1809809b13e..c48ca15dd2b2 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -661,106 +661,11 @@ NTSTATUS _wbint_QueryUserRidList(struct pipes_struct *p, + + NTSTATUS _wbint_DsGetDcName(struct pipes_struct *p, struct wbint_DsGetDcName *r) + { +- struct winbindd_domain *domain = wb_child_domain(); +- struct rpc_pipe_client *netlogon_pipe; +- struct netr_DsRGetDCNameInfo *dc_info; +- NTSTATUS status; +- WERROR werr; +- unsigned int orig_timeout; +- struct dcerpc_binding_handle *b; +- bool retry = false; +- bool try_dsrgetdcname = false; +- +- if (domain == NULL) { +- return dsgetdcname(p->mem_ctx, global_messaging_context(), +- r->in.domain_name, r->in.domain_guid, +- r->in.site_name ? r->in.site_name : "", +- r->in.flags, +- r->out.dc_info); +- } +- +- if (domain->active_directory) { +- try_dsrgetdcname = true; +- } +- +-reconnect: +- status = cm_connect_netlogon(domain, &netlogon_pipe); +- +- reset_cm_connection_on_error(domain, NULL, status); +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("Can't contact the NETLOGON pipe\n")); +- return status; +- } +- +- b = netlogon_pipe->binding_handle; +- +- /* This call can take a long time - allow the server to time out. +- 35 seconds should do it. */ +- +- orig_timeout = rpccli_set_timeout(netlogon_pipe, 35000); +- +- if (try_dsrgetdcname) { +- status = dcerpc_netr_DsRGetDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, NULL, r->in.domain_guid, +- r->in.flags, r->out.dc_info, &werr); +- if (NT_STATUS_IS_OK(status) && W_ERROR_IS_OK(werr)) { +- goto done; +- } +- if (!retry && +- reset_cm_connection_on_error(domain, NULL, status)) +- { +- retry = true; +- goto reconnect; +- } +- try_dsrgetdcname = false; +- retry = false; +- } +- +- /* +- * Fallback to less capable methods +- */ +- +- dc_info = talloc_zero(r->out.dc_info, struct netr_DsRGetDCNameInfo); +- if (dc_info == NULL) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- +- if (r->in.flags & DS_PDC_REQUIRED) { +- status = dcerpc_netr_GetDcName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } else { +- status = dcerpc_netr_GetAnyDCName(b, +- p->mem_ctx, domain->dcname, +- r->in.domain_name, &dc_info->dc_unc, &werr); +- } +- +- if (!retry && reset_cm_connection_on_error(domain, b, status)) { +- retry = true; +- goto reconnect; +- } +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- nt_errstr(status))); +- goto done; +- } +- if (!W_ERROR_IS_OK(werr)) { +- DEBUG(10, ("dcerpc_netr_Get[Any]DCName failed: %s\n", +- win_errstr(werr))); +- status = werror_to_ntstatus(werr); +- goto done; +- } +- +- *r->out.dc_info = dc_info; +- status = NT_STATUS_OK; +- +-done: +- /* And restore our original timeout. */ +- rpccli_set_timeout(netlogon_pipe, orig_timeout); +- +- return status; ++ return dsgetdcname(p->mem_ctx, global_messaging_context(), ++ r->in.domain_name, r->in.domain_guid, ++ r->in.site_name ? r->in.site_name : "", ++ r->in.flags, ++ r->out.dc_info); + } + + NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch --- samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.17.12+dfsg/debian/patches/s3-winbindd-use-better-debug-messages-than-talloc_st.patch 2025-07-10 13:02:07.000000000 +0000 @@ -0,0 +1,54 @@ +From: Stefan Metzmacher +Date: Fri, 26 Jan 2024 09:25:11 +0100 +Subject: s3:winbindd: use better debug messages than 'talloc_strdup failed' +Forwarded: not-needed +Origin: upstream, https://gitlab.com/samba-team/samba/-/commit/814ae222ca15ff7093a71639cdcc97b9937670ce + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Fri Apr 5 13:28:42 UTC 2024 on atb-devel-224 +--- + source3/winbindd/winbindd_cm.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 1685edbabaa2..aebb4561ae8b 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -540,7 +540,8 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, + tmp = talloc_strdup( + mem_ctx, domain_info->dc_unc); + if (tmp == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); ++ DBG_ERR("talloc_strdup failed for dc_unc[%s]\n", ++ domain_info->dc_unc); + talloc_destroy(mem_ctx); + return false; + } +@@ -548,7 +549,9 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, + domain->alt_name = talloc_strdup(domain, + domain_info->domain_name); + if (domain->alt_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); ++ DBG_ERR("talloc_strdup failed for " ++ "domain_info->domain_name[%s]\n", ++ domain_info->domain_name); + talloc_destroy(mem_ctx); + return false; + } +@@ -557,7 +560,9 @@ static bool get_dc_name_via_netlogon(struct winbindd_domain *domain, + domain->forest_name = talloc_strdup(domain, + domain_info->forest_name); + if (domain->forest_name == NULL) { +- DEBUG(0, ("talloc_strdup failed\n")); ++ DBG_ERR("talloc_strdup failed for " ++ "domain_info->forest_name[%s]\n", ++ domain_info->forest_name); + talloc_destroy(mem_ctx); + return false; + } +-- +2.50.0 + diff -Nru samba-4.17.12+dfsg/debian/patches/series samba-4.17.12+dfsg/debian/patches/series --- samba-4.17.12+dfsg/debian/patches/series 2023-10-10 15:15:43.000000000 +0000 +++ samba-4.17.12+dfsg/debian/patches/series 2025-07-10 13:02:07.000000000 +0000 @@ -24,3 +24,9 @@ meaningful-error-if-no-python3-markdown.patch ctdb-use-run-instead-of-var-run.patch heimdal-to-support-KEYRING-ccache.patch +s3-libsmb-dsgetdcname-use-NETLOGON_NT_VERSION_AVOID_.patch +s3-libsmb-allow-store_cldap_reply-to-work-with-a-ipv.patch +s3-libsmb-let-discover_dc_netbios-return-DOMAIN_CONT.patch +s3-winbindd-use-better-debug-messages-than-talloc_st.patch +s3-winbindd-avoid-using-any-netlogon-call-to-get-a-d.patch +s3-winbindd-Fix-internal-winbind-dsgetdcname-calls-w.patch