s4-rpc_server/drsuapi: Avoid modification to ncRoot input variable in GetNCChanges
authorAndrew Bartlett <abartlet@samba.org>
Tue, 27 Jun 2023 02:39:18 +0000 (14:39 +1200)
committerJule Anger <janger@samba.org>
Fri, 18 Aug 2023 09:17:13 +0000 (09:17 +0000)
This tries to avoid it appearing that ncRoot is a value that can
be trusted and used internally by not updating it and instead leaving
it just as an input/echo-back value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 548f141f11e89d335d8f9d74ab6925fa6b90fb84)

source4/rpc_server/drsuapi/getncchanges.c

index 92fa7ba75752b09468178fd6b08d7863ae4f1c96..c3806f9e6deef3cef17cbe72fb50f42f21114e8b 100644 (file)
@@ -3185,7 +3185,6 @@ allowed:
 
                getnc_state->ncRoot_guid = samdb_result_guid(res->msgs[0],
                                                             "objectGUID");
-               ncRoot->guid = getnc_state->ncRoot_guid;
 
                /* find out if we are to replicate Schema NC */
                ret = ldb_dn_compare_base(ldb_get_schema_basedn(sam_ctx),
@@ -3195,8 +3194,6 @@ allowed:
                TALLOC_FREE(res);
        }
 
-       ncRoot->guid = getnc_state->ncRoot_guid;
-
        /* we need the session key for encrypting password attributes */
        status = dcesrv_auth_session_key(dce_call, &session_key);
        if (!NT_STATUS_IS_OK(status)) {
@@ -3378,11 +3375,19 @@ allowed:
        if (r->out.ctr->ctr6.naming_context == NULL) {
                return WERR_NOT_ENOUGH_MEMORY;
        }
+
+       /*
+        * Match Windows and echo back the original values from the request, even if
+        * they say DummyDN for the string NC
+        */
        *r->out.ctr->ctr6.naming_context = *ncRoot;
 
        /* find the SID if there is one */
        dsdb_find_sid_by_dn(sam_ctx, getnc_state->ncRoot_dn, &r->out.ctr->ctr6.naming_context->sid);
 
+       /* Set GUID */
+       r->out.ctr->ctr6.naming_context->guid = getnc_state->ncRoot_guid;
+
        dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr);
        r->out.ctr->ctr6.mapping_ctr = *ctr;
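Review bot: The new `/* Set GUID */` comment only restates the assignment and omits the reason for it: after `*r->out.ctr->ctr6.naming_context = *ncRoot;` the reply still carries the GUID supplied in the request, and this line replaces it with the value held in `getnc_state`. I would say so directly, e.g. `/* Overwrite the echoed request GUID with the one held in getnc_state; ncRoot is untrusted input and is no longer updated */`. The block comment above the struct copy could also note that the SID and GUID are the exceptions to "echo back the original values", since both are overwritten just below. The function body starts and ends outside this hunk, so whether every path fills `getnc_state->ncRoot_guid` before this point cannot be confirmed from here.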