diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2023-01-25 14:18:11 +1300 |
|---|---|---|
| committer | Jule Anger <janger@samba.org> | 2023-02-01 16:30:11 +0000 |
| commit | 262fef5acbff53e6a4e8cc654ddf1ce7accc9e20 (patch) | |
| tree | f03db08d8e88fb17328dfb4e52ce906f48983ba4 | |
| parent | 68edd5c1c7f0e6cbd929cd592b79f89cb2c8369f (diff) | |
| download | samba-262fef5acbff53e6a4e8cc654ddf1ce7accc9e20.tar.gz | |
s4-rpc_server: Pre-check destination_dsa_guid in GetNCChanges for validity
This allows our new tests to pass as these need to be checked first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 115a3a10440f44ba11029be5ae3a05534a7b98c0)
| -rw-r--r-- | selftest/knownfail.d/getncchanges | 2 | ||||
| -rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 42 |
2 files changed, 39 insertions, 5 deletions
diff --git a/selftest/knownfail.d/getncchanges b/selftest/knownfail.d/getncchanges index e97f61b10a4..7adc669855d 100644 --- a/selftest/knownfail.d/getncchanges +++ b/selftest/knownfail.d/getncchanges @@ -5,6 +5,4 @@ samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegri samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_and_anc\(promoted_dc\) samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_multivalued_links\(promoted_dc\) # New tests for GetNCChanges with a GUID and a bad DN, like Azure AD Cloud Sync -^samba4.drs.getnc_exop.python\(.*\).getnc_exop.DrsReplicaSyncTestCase.test_InvalidDestDSA_and_GUID -^samba4.drs.getnc_exop.python\(.*\).getnc_exop.DrsReplicaSyncTestCase.test_InvalidDestDSA_and_GUID_RID_ALLOC ^samba4.drs.getnc_exop.python\(.*\).getnc_exop.DrsReplicaSyncTestCase.test_DummyDN_valid_GUID_REPL_SECRET diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index 0e4272a9b62..57bd50b1268 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -2774,9 +2774,45 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return WERR_DS_DRA_SOURCE_DISABLED; } - /* Perform access checks. */ - /* TODO: we need to support a sync on a specific non-root - * DN. We'll need to find the real partition root here */ + /* + * Help our tests pass by pre-checking the + * destination_dsa_guid before the NC permissions. Info on + * valid DSA GUIDs is not sensitive so this isn't a leak + */ + switch (req10->extended_op) { + case DRSUAPI_EXOP_FSMO_REQ_ROLE: + case DRSUAPI_EXOP_FSMO_RID_ALLOC: + case DRSUAPI_EXOP_FSMO_RID_REQ_ROLE: + case DRSUAPI_EXOP_FSMO_REQ_PDC: + case DRSUAPI_EXOP_FSMO_ABANDON_ROLE: + { + const char *attrs[] = { NULL }; + + ret = samdb_get_ntds_obj_by_guid(mem_ctx, + sam_ctx, + &req10->destination_dsa_guid, + attrs, + NULL); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + /* + * Error out with an EXOP error but success at + * the top level return value + */ + r->out.ctr->ctr6.extended_ret = DRSUAPI_EXOP_ERR_UNKNOWN_CALLER; + return WERR_OK; + } else if (ret != LDB_SUCCESS) { + return WERR_DS_DRA_INTERNAL_ERROR; + } + + break; + } + case DRSUAPI_EXOP_REPL_SECRET: + case DRSUAPI_EXOP_REPL_OBJ: + case DRSUAPI_EXOP_NONE: + break; + } + + /* Perform access checks. */ ncRoot = req10->naming_context; if (ncRoot == NULL) { DEBUG(0,(__location__ ": Request for DsGetNCChanges with no NC\n")); |