s4-drsuapi: Give an error that matches windows on destination_dsa_guid lookup failure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 31 13:43:54 UTC 2023 on atb-devel-224

(cherry picked from commit 0f2978bbc0ed5b65d75c20472650a749643312e7)

Autobuild-User(v4-17-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-17-test): Fri Feb  3 10:28:42 UTC 2023 on sn-devel-184

2 files changed, 12 insertions, 4 deletions

diff --git a/selftest/knownfail.d/getncchanges b/selftest/knownfail.d/getncchanges
index 7adc669855d..5ef1bc98bef 100644
--- a/selftest/knownfail.d/getncchanges
+++ b/selftest/knownfail.d/getncchanges
@@ -4,5 +4,3 @@ samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegri
 samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_chain\(promoted_dc\)
 samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_and_anc\(promoted_dc\)
 samba4.drs.getncchanges.python\(promoted_dc\).getncchanges.DrsReplicaSyncIntegrityTestCase.test_repl_get_tgt_multivalued_links\(promoted_dc\)
-# New tests for GetNCChanges with a GUID and a bad DN, like Azure AD Cloud Sync
-^samba4.drs.getnc_exop.python\(.*\).getnc_exop.DrsReplicaSyncTestCase.test_DummyDN_valid_GUID_REPL_SECRET
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index ca805d9f958..74b173c3965 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1201,6 +1201,7 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
 	const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
 	struct ldb_result *rodc_res = NULL, *obj_res = NULL;
 	WERROR werr;
+	struct GUID_txt_buf guid_buf;
 
 	DEBUG(3,(__location__ ": DRSUAPI_EXOP_REPL_SECRET extended op on %s\n",
 		 drs_ObjectIdentifier_to_debug_string(mem_ctx, ncRoot)));
@@ -1231,7 +1232,7 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
 					 ntds_attrs,
 					 &ntds_msg);
 	if (ret != LDB_SUCCESS) {
-		goto failed;
+		goto dest_dsa_error;
 	}
 
 	ntds_dn = ntds_msg->dn;
@@ -1245,7 +1246,7 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
 				 "serverReference", machine_dn);
 
 	if (ret != LDB_SUCCESS) {
-		goto failed;
+		goto dest_dsa_error;
 	}
 
 	/*
@@ -1346,6 +1347,15 @@ failed:
 		 ldb_dn_get_linearized(obj_dn), dom_sid_string(mem_ctx, user_sid)));
 	ctr6->extended_ret = DRSUAPI_EXOP_ERR_NONE;
 	return WERR_DS_DRA_BAD_DN;
+
+dest_dsa_error:
+	DBG_WARNING("Failed secret replication for %s by RODC %s as dest_dsa_guid %s is invalid\n",
+		    ldb_dn_get_linearized(obj_dn),
+		    dom_sid_string(mem_ctx, user_sid),
+		    GUID_buf_string(&req10->destination_dsa_guid,
+				    &guid_buf));
+	ctr6->extended_ret = DRSUAPI_EXOP_ERR_NONE;
+	return WERR_DS_DRA_DB_ERROR;
 }
 
 /*