samba.git/source3/libads, branch master Unnamed repository; edit this file 'description' to name the repository. s3:libads: Allow to specify 'dns_lookup_kdc' in krb5.conf 2026-04-07T13:06:31+00:00 Pavel Filipenský pfilipensky@samba.org 2026-03-23T18:03:34+00:00 689f9d49c3715240a28d9d898c6b83be4ee18971 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15999

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 s3:libads: Allocate cli_credentials on a stackframe 2026-01-23T11:20:28+00:00 Pavel Filipenský pfilipensky@samba.org 2026-01-22T13:27:09+00:00 4c657abaa0a65cb1922b966a419b1dbb2be274b2 This fixes: ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158 What happens: * `struct cli_credentials *creds` is allocated on `ads` talloc context * gensec_set_credentials() creates a talloc_reference to `creds` * TALLOC_FREE(creds) sees two parents and complains All other code is using temporary talloc_stackframe() for `creds`. Do it here as well. Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224 
This fixes:
ERROR: talloc_free with references at ../../source3/libads/ldap_utils.c:158

What happens:

* `struct cli_credentials *creds` is allocated on `ads` talloc context
* gensec_set_credentials() creates a talloc_reference to `creds`
* TALLOC_FREE(creds) sees two parents and complains

All other code is using temporary talloc_stackframe() for `creds`.
Do it here as well.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 23 11:20:28 UTC 2026 on atb-devel-224
s3:libads: Separate use of ads->config.flags for NBT_* and DS_* values 2026-01-22T09:14:25+00:00 Pavel Filipenský pfilipensky@samba.org 2026-01-18T00:04:11+00:00 7483903575eab97773a992149d64511d5ec6f256 Use of ads->config.flags is overloaded. It is used to: - pass DS_* flags down to cldap_netlogon() - store the server_type from NETLOGON_SAM_LOGON_RESPONSE Both cases use different values and cannot be combined. E.g. flags mess up with value 0x00000080 NBT_SERVER_CLOSEST 0x00000080 DS_PDC_REQUIRED 0x00000080 Let's create two separate flags nbt_server_type server_flags; /* NBT_* cldap flags identifying the services. */ uint32 required_flags; /* DS_* - Netlogon flags */ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> Autobuild-Date(master): Thu Jan 22 09:14:25 UTC 2026 on atb-devel-224 
Use of ads->config.flags is overloaded.

It is used to:

- pass DS_* flags down to cldap_netlogon()
- store the server_type from NETLOGON_SAM_LOGON_RESPONSE

Both cases use different values and cannot be combined.
E.g. flags mess up with value 0x00000080

NBT_SERVER_CLOSEST  0x00000080
DS_PDC_REQUIRED     0x00000080

Let's create two separate flags

nbt_server_type server_flags; /* NBT_* cldap flags identifying the services. */
uint32 required_flags; /* DS_* - Netlogon flags */

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Jan 22 09:14:25 UTC 2026 on atb-devel-224
s3:libads: Reset ads->config.flags in ads_disconnect() 2026-01-22T08:11:34+00:00 Pavel Filipenský pfilipensky@samba.org 2026-01-19T13:33:52+00:00 9f3a35991feb01a8d2c2b69fa0b914bbc637a809 This is doing the same thing in ads_disconnect() as commit a26f535 Clear previous CLDAP ping flags when reusing the ADS_STRUCT did in ads_current_time() In this case we: 1) found cached ADS_STRUCT which already has ads->config.flags set: lookup_groupmem() ads_cached_connection() ads_cached_connection_reuse() 2) started search which immediately timeouts (the cached conn. was dead) ads_do_search_retry_internal() ldap_search_with_timeout() - IO_TIMEOUT 3) Retry loop finds a new DC and tries to connect ads_do_search_retry_internal() ads_disconnect() ads_find_dc() ads_try_connect() netlogon_pings() check_cldap_reply_required_flags() 4) check_cldap_reply_required_flags() fails since ads->config.flags (stored possibly long time ago) contain: NBT_SERVER_CLOSEST 0x00000080 which is misinterpreted as: DS_PDC_REQUIRED 0x00000080 the newly found DC is not PDC (we asked for DS_ONLY_LDAP_NEEDED) and since previous DC had NBT_SERVER_CLOSEST we want DS_PDC_REQUIRED and fail. We should anyway avoid mixing independent namespaces NBT_* and DS_* in the same flag. Next commit will do that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
This is doing the same thing in ads_disconnect() as commit
a26f535 Clear previous CLDAP ping flags when reusing the ADS_STRUCT
did in ads_current_time()

In this case we:

1) found cached ADS_STRUCT which already has ads->config.flags set:

  lookup_groupmem()
    ads_cached_connection()
      ads_cached_connection_reuse()

2) started search which immediately timeouts (the cached conn. was dead)

  ads_do_search_retry_internal()
    ldap_search_with_timeout() - IO_TIMEOUT

3) Retry loop finds a new DC and tries to connect

  ads_do_search_retry_internal()
    ads_disconnect()
    ads_find_dc()
    ads_try_connect()
      netlogon_pings()
        check_cldap_reply_required_flags()

4) check_cldap_reply_required_flags() fails since ads->config.flags
   (stored possibly long time ago) contain:

   NBT_SERVER_CLOSEST  0x00000080
     which is misinterpreted as:
   DS_PDC_REQUIRED     0x00000080

   the newly found DC is not PDC (we asked for DS_ONLY_LDAP_NEEDED)
   and since previous DC had NBT_SERVER_CLOSEST we want DS_PDC_REQUIRED
   and fail.

We should anyway avoid mixing independent namespaces  NBT_* and DS_*
in the same flag.
Next commit will do that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15972

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 s3:libads: Do not reduce the page size in case of immediate timeouts 2026-01-21T11:38:40+00:00 Pavel Filipenský pfilipensky@samba.org 2026-01-19T18:50:37+00:00 52c67b07210dc6ba21ffa538406eb0092ee52717 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Jan 21 11:38:40 UTC 2026 on atb-devel-224 
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 21 11:38:40 UTC 2026 on atb-devel-224
s3:libads: Fix trailing whitespaces in ldap_utils.c 2026-01-21T10:34:33+00:00 Pavel Filipenský pfilipensky@samba.org 2026-01-19T18:47:25+00:00 4264dd742154d5b62425953bb27fd242291802d1 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 s3:libads: Set NT_STATUS_UNSUCCESSFUL for IP address entry 2026-01-21T10:34:33+00:00 Andreas Schneider asn@samba.org 2026-01-14T14:50:26+00:00 9e1bcf84d8a8386fb00aedf88e71b28504e449b4 This is what we do in libads/ldap.c too. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15975 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
This is what we do in libads/ldap.c too.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15975

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
s3:libsmb: Rework check_negative_conn_cache() 2026-01-13T17:00:06+00:00 Andreas Schneider asn@samba.org 2026-01-12T16:03:35+00:00 b2866ad88163ca1dd25a4d54c64f8d98dfa3a4ba The name and results are confusing. Rename the function and use a bool that it is easier to understand. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jan 13 17:00:06 UTC 2026 on atb-devel-224 
The name and results are confusing. Rename the function and use a bool that it
is easier to understand.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 13 17:00:06 UTC 2026 on atb-devel-224
s3:libads: Set udp_preference_limit = 0 for MIT Kerberos 2025-12-03T09:49:45+00:00 Andreas Schneider asn@samba.org 2025-11-27T10:04:30+00:00 2c51cf118a1d9b7a5956a62e71df8fa1e576599c This option enable TCP connection before UDP, when sending a message to the KDC. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
This option enable TCP connection before UDP, when sending a message to
the KDC.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 s3:libads: Set a request timeout for Kerberos requests 2025-12-03T09:49:45+00:00 Andreas Schneider asn@samba.org 2025-11-19T13:42:24+00:00 92601536ba0490bdfb5dd632fff2e5c0b541620c Without this, libkrb5 can wait indefinitely after creating a TCP connection. This means winbind is stuck forever till it is restarted. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15955 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
Without this, libkrb5 can wait indefinitely after creating a TCP
connection. This means winbind is stuck forever till it is restarted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15955

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>