[PATCH] Allow GetDCNameEx to be called for arbitrary sites and trusted domains

Garming Sam garming at catalyst.net.nz
Tue Apr 3 22:20:11 UTC 2018


On 04/04/18 02:14, Stefan Metzmacher wrote:
> Yes, much better, but a few little cosmetic things:
>
> - Can you please inline winbind_forward_GetDCName()
>   it's easier to have this all in dcesrv_netr_DsRGetDCName_base_call()
>
> - Please add TALLOC_FREE(subreq); after
>   status = dcerpc_winbind_DsGetDcName_recv()
>
> - It would be good to add a "finished:" label before
>   "if (state->_r.dcex2 != NULL) {" in
>   dcesrv_netr_DsRGetDCName_base_done()
>   and use early "goto finished" in order to reduce the
>   indentation levels.
>
> - Rename irpc_GetDCName_state into wb_irpc_GetDCName_state
>
> - Move the forward declaration of wb_irpc_GetDCName_done()
>   after the 'struct wb_irpc_GetDCName_state' definition.
>
> Now a few logic things:
>
> - Can we really safely dereference state->r.out.info[0]->
>   in dcesrv_netr_DsRGetDCName_base_done() if result is not
>   NT_STATUS_OK?

It only dereferences info if the NTSTATUS of
dcerpc_winbind_DsGetDcName_recv is ok. winbind is supposed to return
DOMAIN_CONTROLLER_NOT_FOUND at this top level. If you want, I can
double-check the info before dereferencing it.

> - dc_unc = talloc_asprintf(state->dce_call, uses the wrong
>   memory context, it should be state->r.out.info[0] (if we can assume a
>   valid talloc pointer) or state->mem_ctx.

I didn't have state->mem_ctx before, so yes, I will change that.

> - Don't we need to check the result of samdb_client_site_name()
>   in dcesrv_netr_DsRGetDCName_base_call() ?

Not really. It can be NULL, and that doesn't mean anything bad has
happened. Returning NULL to the RPC call is also quite expected.

> - Is "netlogon: Resolve calls to GetDCNameEx2 within the same
>   NETLOGON domain" really needed? "The return will have the DNS domain,
>   which is not quite as nice, but it does not seem to violate any
>   assumptions" sounds risky...

So, in general, when you specify the domain name as a NETBIOS name,
Windows seems to return the DC UNC in NETBIOS form (and this follows the
same pattern with DNS names). All this patch means is that we end up
returning DNS names (for DCs outside our site), but if you specify the
flag to return a particular format, everything is as expected. We don't
seem to follow this convention even when we didn't go to winbind. We
seem to need this patch, because against Windows, we must be getting
slightly different results via our DC locator calls and without it, we
get strange intermittent failures even while querying within the same
domain. I haven't really got the time to look at why this might be
happening.

I'll try to fix the other cosmetic issues.

Thanks,

Garming
