sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-01 05:47:28 +03:00
Code

s4-rpc_server: Pre-check destination_dsa_guid in GetNCChanges for validity

Browse Source 
This allows our new tests to pass as these need to be checked first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2023-01-25 14:18:11 +13:00 committed by Stefan Metzmacher
parent 09ec6a1db2
commit 115a3a1044
2 changed files with 39 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
selftest/knownfail.d/getncchanges
View File

@ -5,6 +5,4 @@ samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegri
samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_and_anc\(promoted_dc\)
samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_multivalued_links\(promoted_dc\)
# New tests for GetNCChanges with a GUID and a bad DN, like Azure AD Cloud Sync
^samba4.drs.getnc_exop.python\(.*\).getnc_exop.DrsReplicaSyncTestCase.test_InvalidDestDSA_and_GUID
^samba4.drs.getnc_exop.python\(.*\).getnc_exop.DrsReplicaSyncTestCase.test_InvalidDestDSA_and_GUID_RID_ALLOC
^samba4.drs.getnc_exop.python\(.*\).getnc_exop.DrsReplicaSyncTestCase.test_DummyDN_valid_GUID_REPL_SECRET

42
source4/rpc_server/drsuapi/getncchanges.c
View File

@ -2774,9 +2774,45 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
return WERR_DS_DRA_SOURCE_DISABLED;
}
/* Perform access checks. */
/* TODO: we need to support a sync on a specific non-root
* DN. We'll need to find the real partition root here */
/*
* Help our tests pass by pre-checking the
* destination_dsa_guid before the NC permissions. Info on
* valid DSA GUIDs is not sensitive so this isn't a leak
*/
switch (req10->extended_op) {
case DRSUAPI_EXOP_FSMO_REQ_ROLE:
case DRSUAPI_EXOP_FSMO_RID_ALLOC:
case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE:
case DRSUAPI_EXOP_FSMO_REQ_PDC:
case DRSUAPI_EXOP_FSMO_ABANDON_ROLE:
{
const char *attrs[] = { NULL };
ret = samdb_get_ntds_obj_by_guid(mem_ctx,
sam_ctx,
&req10->destination_dsa_guid,
attrs,
NULL);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
/*
* Error out with an EXOP error but success at
* the top level return value
*/
r->out.ctr->ctr6.extended_ret = DRSUAPI_EXOP_ERR_UNKNOWN_CALLER;
return WERR_OK;
} else if (ret != LDB_SUCCESS) {
return WERR_DS_DRA_INTERNAL_ERROR;
}
break;
}
case DRSUAPI_EXOP_REPL_SECRET:
case DRSUAPI_EXOP_REPL_OBJ:
case DRSUAPI_EXOP_NONE:
break;
}
/* Perform access checks. */
ncRoot = req10->naming_context;
if (ncRoot == NULL) {
DEBUG(0,(__location__ ": Request for DsGetNCChanges with no NC\n"));