author | Stefan Metzmacher <metze@samba.org> | 2021-12-23 18:32:44 +0100 |
---|---|---|
committer | Joseph Sutton <jsutton@samba.org> | 2021-12-24 03:03:50 +0000 |
commit | 9a68025ad391b148166c25b7dec06a7ce12fe4a6 (patch) | |
tree | 934d0c4797edeb8d96d95ea00bde9594321a5a83 /source4/rpc_server | |
parent | d9abd7fff58970725fa1375bf0ed210602e45d27 (diff) | |
download | samba-9a68025ad391b148166c25b7dec06a7ce12fe4a6.tar.gz |
s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()
This allows us to let DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED through
based on the manually changed msDS-Behavior-Version of our NTDSA object.
We still need tests, depending on the msDS-Behavior-Version
value, to check whether DSGETDC_VALID_FLAGS is really correct at all.
But for now this allows us to test krb5 FAST from Windows clients.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Dec 24 03:03:50 UTC 2021 on sn-devel-184
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 632dfeee613..269bea7c6fc 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -3037,6 +3037,8 @@ static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName
 const char *domain_name = NULL;
 const char *pdc_ip;
 bool different_domain = true;
+ uint32_t valid_flags;
+ int dc_level;
 ZERO_STRUCTP(r->out.info);
@@ -3100,14 +3102,21 @@ static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName
 * ...
 */
- if (r->in.flags & ~(DSGETDC_VALID_FLAGS)) {
+ dc_level = dsdb_dc_functional_level(sam_ctx);
+ valid_flags = DSGETDC_VALID_FLAGS;
+ if (dc_level >= DS_DOMAIN_FUNCTION_2012) {
+ valid_flags |= DS_DIRECTORY_SERVICE_8_REQUIRED;
+ }
+ if (dc_level >= DS_DOMAIN_FUNCTION_2012_R2) {
+ valid_flags |= DS_DIRECTORY_SERVICE_9_REQUIRED;
+ }
+ if (dc_level >= DS_DOMAIN_FUNCTION_2016) {
+ valid_flags |= DS_DIRECTORY_SERVICE_10_REQUIRED;
+ }
+ if (r->in.flags & ~valid_flags) {
 /*
 * TODO: add tests to prove this (maybe based on the
 * msDS-Behavior-Version levels of dc, domain and/or forest
- *
- * Note that we currently reject
- * DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED
- * at this stage.
 */
 return WERR_INVALID_FLAGS;
 } |
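Review bot: The lines that build `valid_flags` in the second hunk carry no comment saying where `dc_level` comes from or how far it can be trusted, and the only comment left nearby is a TODO inside the rejection branch. Because this mask decides which client-supplied `r->in.flags` bits the DsRGetDCName RPC accepts, I would add a comment above `dc_level = dsdb_dc_functional_level(sam_ctx);`, for example `/* Accept DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED only when our own NTDSA msDS-Behavior-Version claims 2012/2012_R2/2016; the level is manually set, so passing this check does not prove the matching features are implemented. */`. Whether the rest of the function acts on the newly accepted bits, and how `sam_ctx` is obtained before this point, cannot be seen here, since dcesrv_netr_DsRGetDCName_base_call starts and ends outside the hunk. The three near-identical `if` statements would also read more easily as a small level-to-flag table if further levels are expected.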