From 9aa440d52d78d5f91607b4cb5816ae99d75d0838 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 May 2023 18:03:13 +1200 Subject: [PATCH] s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly Otherwise, punt to winbindd to see if another DC has this capability. This allows a FL2008-emulating DC to forward a request to a 2012R2-emlating DC, particularly in another domain. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 31 04:59:01 UTC 2023 on atb-devel-224 --- selftest/knownfail.d/getdcname | 3 -- source4/rpc_server/netlogon/dcerpc_netlogon.c | 51 ++++++++++++++----- 2 files changed, 38 insertions(+), 16 deletions(-) delete mode 100644 selftest/knownfail.d/getdcname diff --git a/selftest/knownfail.d/getdcname b/selftest/knownfail.d/getdcname deleted file mode 100644 index 30d5fc7eda2..00000000000 --- a/selftest/knownfail.d/getdcname +++ /dev/null @@ -1,3 +0,0 @@ -^samba.tests.getdcname.samba.tests.getdcname.GetDCNameEx.test_get_dc_direct_need_2012r2_but_not_found\(fl2008r2dc\) -^samba.tests.getdcname.samba.tests.getdcname.GetDCNameEx.test_get_dc_direct_need_2012r2_but_not_found_fallback -^samba.tests.getdcname.samba.tests.getdcname.GetDCNameEx.test_get_dc_direct_need_web_but_not_found diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index b06b542791d..9d9b6c792ab 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -3192,7 +3192,9 @@ static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName const char *domain_name = NULL; const char *pdc_ip; bool different_domain = true; + bool force_remote_lookup = false; uint32_t valid_flags; + uint32_t this_dc_valid_flags; int dc_level; ZERO_STRUCTP(r->out.info); @@ -3257,17 +3259,8 @@ static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName * ... */ - dc_level = dsdb_dc_functional_level(sam_ctx); valid_flags = DSGETDC_VALID_FLAGS; - if (dc_level >= DS_DOMAIN_FUNCTION_2012) { - valid_flags |= DS_DIRECTORY_SERVICE_8_REQUIRED; - } - if (dc_level >= DS_DOMAIN_FUNCTION_2012_R2) { - valid_flags |= DS_DIRECTORY_SERVICE_9_REQUIRED; - } - if (dc_level >= DS_DOMAIN_FUNCTION_2016) { - valid_flags |= DS_DIRECTORY_SERVICE_10_REQUIRED; - } + if (r->in.flags & ~valid_flags) { /* * TODO: add tests to prove this (maybe based on the @@ -3362,12 +3355,44 @@ static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName different_domain = false; } + if (!different_domain) { + dc_level = dsdb_dc_functional_level(sam_ctx); + + /* + * Do not return a local response if we do not support the + * functional level or feature (eg web services) + */ + this_dc_valid_flags = valid_flags; + + /* Samba does not implement this */ + this_dc_valid_flags &= ~DS_WEB_SERVICE_REQUIRED; + + if (dc_level < DS_DOMAIN_FUNCTION_2012) { + this_dc_valid_flags &= ~DS_DIRECTORY_SERVICE_8_REQUIRED; + } + if (dc_level < DS_DOMAIN_FUNCTION_2012_R2) { + this_dc_valid_flags &= ~DS_DIRECTORY_SERVICE_9_REQUIRED; + } + if (dc_level < DS_DOMAIN_FUNCTION_2016) { + this_dc_valid_flags &= ~DS_DIRECTORY_SERVICE_10_REQUIRED; + } + if (r->in.flags & ~this_dc_valid_flags) { + DBG_INFO("Forcing remote lookup to find another DC " + "in this domain %s with more features, " + "as this Samba DC is Functional level %d but flags are 0x08%x\n", + r->in.domain_name, dc_level, (unsigned int)r->in.flags); + force_remote_lookup = true; + } + } + /* Proof server site parameter "site_name" if it was specified */ server_site_name = samdb_server_site_name(sam_ctx, state); W_ERROR_HAVE_NO_MEMORY(server_site_name); - if (different_domain || (r->in.site_name != NULL && - (strcasecmp_m(r->in.site_name, - server_site_name) != 0))) { + if (force_remote_lookup + || different_domain + || (r->in.site_name != NULL && + (strcasecmp_m(r->in.site_name, + server_site_name) != 0))) { struct dcerpc_binding_handle *irpc_handle = NULL; struct tevent_req *subreq = NULL; -- 2.34.1