[PATCH] Allow GetDCNameEx to be called for arbitrary sites and trusted domains
Stefan Metzmacher
metze at samba.org
Thu Mar 29 07:43:54 UTC 2018
Hi Garming,

can you please have a look at

https://git.samba.org/?p=samba.git;a=commitdiff;h=373da95b0b72ec7db8463a
https://git.samba.org/?p=samba.git;a=commitdiff;h=023bd2d15d5e9599c59281
https://git.samba.org/?p=samba.git;a=commitdiff;h=8022b63f6cfadc58d6711e

We use that pattern for a few async calls already:
dcesrv_netr_LogonSamLogon_base_call(), dcesrv_netr_LogonControl_base_call(),
dcesrv_lsa_LookupSids_base_call(),
dcesrv_lsa_LookupNames_base_call()

I think we should use that pattern for GetDCName* too.

Also wb_irpc_GetDCName_done() should be moved after wb_irpc_GetDCName(),
that makes it much easier to read and matches the pattern we always use
for async programming, e.g.

	subreq = wb_lookupsids_send(msg,
				    server_event_context(),
				    sids, req->in.sids->num_sids);
	if (subreq == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	tevent_req_set_callback(subreq, wb_irpc_lsa_LookupSids3_done,
				state);
	msg->defer_reply = true;

	return NT_STATUS_OK;
}

static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq)
{
	struct wb_irpc_lsa_LookupSids3_state *state =
		tevent_req_callback_data(subreq,
		struct wb_irpc_lsa_LookupSids3_state);
	struct lsa_RefDomainList *domains = NULL;
	struct lsa_TransNameArray *names = NULL;
	NTSTATUS status;
	uint32_t i;

	status = wb_lookupsids_recv(subreq, state->msg,
				    &domains, &names);

I also think we should have a bug report for that and backport it to
4.8.

It seems that some of the patches fix bugs in a former patch,
these should be squashed to make it easier to understand.

Thanks!
metze

On 29.03.2018 at 05:04, Garming Sam via samba-technical wrote:
> New version. Fixed some error handling.
>
>
> On 29/03/18 15:29, Garming Sam via samba-technical wrote:
>> Hi,
>>
>> While looking at automatic site coverage (which has already gone
>> upstream), I noticed that our DC location calls in NETLOGON are
>> particularly bad. GetDCNameEx only returned WERR_NO_SUCH_DOMAIN when you
>> asked for a site that the DC did not exist in. Furthermore, it did not
>> bother checking the domain, which meant that as long as you supplied a
>> valid site name in both domains, you could get a DC in the wrong domain
>> returned.
>>
>> In order to remedy a large amount of the behaviour, I've implemented a
>> winbind forward call which triggers the dsgetdcname calls (using CLDAP
>> and DNS) in the winbind DC locator process. This allows arbitrary sites
>> to be queried for, and by doing so, the trusted domain case also works.
>>
>> There are a number of other errors in the RPC call which I have had to
>> fix, including:
>>
>> - Failing to forward the error code from GetDCNameEx2 to GetDCNameEx
>> when it is called internally.
>> - Returning a more appropriate client site name (and avoid a fallback
>> that would be wrong in trusted domains)
>> - Handling of NULL and empty string parameters
>>
>> There appear to still be issues with querying using a NETBIOS domain
>> name (including trusted domains), due to winbind sometimes falling back
>> to NETBIOS queries which have no site-awareness. I've noticed this
>> against Windows and seen it once in testenv, but the particular test I
>> expected to fail seems to consistently pass in make test. I've marked
>> the questionable test in flapping, which may warrant more inspection
>> later on.
>>
>> Please review and push.
>>
>>
>> Cheers,
>>
>> Garming
>>
>
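
Added example, not code from the patch series or from Samba: a simplified C model of the lookup problem described in the quoted message, where matching on the site alone can return a DC from the wrong domain, next to a lookup that checks the domain first. The DC table, the function names and the choice to treat a NULL or empty domain as the local domain are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data: two domains that both contain a site "HQ". */
struct dc_entry { const char *domain, *site, *dc_name; };
static const struct dc_entry dcs[] = {
	{ "corp.example",    "HQ",     "dc1.corp.example"    },
	{ "corp.example",    "Branch", "dc2.corp.example"    },
	{ "trusted.example", "HQ",     "dc1.trusted.example" },
};
#define NUM_DCS (sizeof(dcs) / sizeof(dcs[0]))
#define LOCAL_DOMAIN "corp.example" /* assumption: default when no domain is given */

/* NULL and "" are handled alike: the caller did not constrain this field. */
static int unset(const char *s) { return s == NULL || s[0] == '\0'; }

/* Flawed model: only the site is compared, the domain is never checked. */
const char *locate_dc_site_only(const char *domain, const char *site)
{
	(void)domain;
	for (size_t i = 0; i < NUM_DCS; i++) {
		if (unset(site) || strcasecmp(dcs[i].site, site) == 0)
			return dcs[i].dc_name;
	}
	return NULL;
}

/* Checked model: the domain must match before the site is considered. */
const char *locate_dc(const char *domain, const char *site)
{
	const char *want = unset(domain) ? LOCAL_DOMAIN : domain;
	for (size_t i = 0; i < NUM_DCS; i++) {
		if (strcasecmp(dcs[i].domain, want) != 0)
			continue;
		if (unset(site) || strcasecmp(dcs[i].site, site) == 0)
			return dcs[i].dc_name;
	}
	return NULL; /* no DC known for that domain/site pair */
}

int main(void)
{
	const char *dc = locate_dc_site_only("trusted.example", "HQ");
	printf("site-only: %s\n", dc ? dc : "(none)");
	dc = locate_dc("trusted.example", "HQ");
	printf("checked:   %s\n", dc ? dc : "(none)");
	return 0;
}
```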