s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224

selftest/knownfail.d/dns_tkey

@@ -1,3 +0,0 @@
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_windows.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_wo_tsig.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_record_access_denied.fl2008r2dc

source4/dns_server/dns_update.c

@@ -570,6 +570,8 @@ static WERROR handle_one_update(struct dns_server *dns,
 		W_ERROR_NOT_OK_RETURN(werror);
 
 		for (i = first; i < rcount; i++) {
+			struct dnsp_DnssrvRpcRecord orig_rec = recs[i];
+
 			if (!dns_record_match(&recs[i], &recs[rcount])) {
 				continue;
 			}
@@ -583,6 +585,15 @@ static WERROR handle_one_update(struct dns_server *dns,
 			werror = dns_replace_records(dns, mem_ctx, dn,
 						     needs_add, recs, rcount);
 			DBG_DEBUG("dns_replace_records(REPLACE): %s\n", win_errstr(werror));
+			if (W_ERROR_EQUAL(werror, WERR_ACCESS_DENIED) &&
+			    !needs_add &&
+			    orig_rec.dwTtlSeconds == recs[i].dwTtlSeconds)
+			{
+				DBG_NOTICE("dns_replace_records(REPLACE): %s "
+					    "=> skip no-op\n",
+					    win_errstr(werror));
+				werror = WERR_OK;
+			}
 			W_ERROR_NOT_OK_RETURN(werror);
 
 			return WERR_OK;