[PATCH] Allow GetDCNameEx to be called for arbitrary sites and trusted domains

Stefan Metzmacher metze at samba.org
Thu Mar 29 07:43:54 UTC 2018

Hi Garming,

can you please have a look at

We use that pattern for a few async calls in already.
dcesrv_netr_LogonSamLogon_base_call(), dcesrv_netr_LogonControl_base_call(),

I think we should use that pattern also for GetDCName* too.

Also wb_irpc_GetDCName_done() should be moved after wb_irpc_GetDCName(),
that makes it much easier to read and matches the pattern we always use
for async programming, e.g.

        subreq = wb_lookupsids_send(msg,
                                    sids, req->in.sids->num_sids);
        if (subreq == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
        tevent_req_set_callback(subreq, wb_irpc_lsa_LookupSids3_done, state);
        msg->defer_reply = true;

        return NT_STATUS_OK;
}

static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq)
{
        struct wb_irpc_lsa_LookupSids3_state *state =
                tevent_req_callback_data(subreq,
                struct wb_irpc_lsa_LookupSids3_state);
        struct lsa_RefDomainList *domains = NULL;
        struct lsa_TransNameArray *names = NULL;
        NTSTATUS status;
        uint32_t i;

        status = wb_lookupsids_recv(subreq, state->msg,
                                    &domains, &names);

I also think we should have a bug report for that and backport it to

It seems that some of the patches fix bugs in a former patch,
these should be squashed to make it easier to understand.


On 29.03.2018 at 05:04, Garming Sam via samba-technical wrote:
> New version. Fixed some error handling.
> On 29/03/18 15:29, Garming Sam via samba-technical wrote:
>> Hi,
>> While looking at automatic site coverage (which has already gone
>> upstream), I noticed that our DC location calls in NETLOGON are
>> particularly bad. GetDCNameEx only returned WERR_NO_SUCH_DOMAIN when you
>> asked for a site that the DC did not exist in. Furthermore, it did not
>> bother checking the domain, which meant that as long as you supplied a
>> valid site name in both domains, you could get a DC in the wrong domain
>> returned.
>> In order to remedy a large amount of the behaviour, I've implemented a
>> winbind forward call which triggers the dsgetdcname calls (using CLDAP
>> and DNS) in the winbind DC locator process. This allows arbitrary sites
>> to be queried for, and by doing so, the trusted domain case also works too.
>> There are a number of other errors in the RPC call which I have had to
>> fix, including:
>> - Failing to forward the error code from GetDCNameEx2 to GetDCNameEx
>> when it is called internally.
>> - Returning a more appropriate client site name (and avoid a fallback
>> that would be wrong in trusted domains)
>> - Handling of NULL and empty string parameters
>> There appear to still be issues with querying using a NETBIOS domain
>> name (including trusted domains), due to winbind sometimes falling back
>> to NETBIOS queries which have no site-awareness. I've noticed this
>> against Windows and seen it once in testenv, but the particular test I
>> expected to fail seems to consistently pass in make test. I've marked
>> the questionable test in flapping, which may warrant more inspection
>> later on.
>> Please review and push.
>> Cheers,
>> Garming
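
The domain check described in the quoted message, as an added example that is not part of the patch or of Samba: a small model of a DC lookup that matches on site only, next to one that also checks the requested domain. The DC table, `LOCAL_DOMAIN`, the function names and the treatment of NULL and empty strings as "not specified" are all assumptions made for illustration.

```c
#include <stdio.h>
#include <strings.h>

/* Constructed sample data: hypothetical DCs, not taken from Samba. */
struct dc_entry { const char *name, *domain, *site; };
static const struct dc_entry known_dcs[] = {
	{ "dc1.corp.example",    "corp.example",    "HQ" },
	{ "dc2.trusted.example", "trusted.example", "HQ" },
	{ "dc3.trusted.example", "trusted.example", "Branch" },
};
#define NUM_DCS (sizeof(known_dcs) / sizeof(known_dcs[0]))
#define LOCAL_DOMAIN "corp.example" /* assumed domain of the answering DC */

/* NULL and "" both mean "not specified" (an assumption of this model). */
static int is_unset(const char *s) { return s == NULL || s[0] == '\0'; }

static int site_ok(const struct dc_entry *dc, const char *site)
{
	return is_unset(site) || strcasecmp(dc->site, site) == 0;
}

/* Flawed model: only the site is compared, the requested domain is ignored. */
static const char *locate_site_only(const char *domain, const char *site)
{
	(void)domain;
	for (size_t i = 0; i < NUM_DCS; i++) {
		if (site_ok(&known_dcs[i], site)) return known_dcs[i].name;
	}
	return NULL;
}

/* Checked model: domain and site must both match. A NULL result is what a
 * caller would map to an error such as WERR_NO_SUCH_DOMAIN. */
static const char *locate_checked(const char *domain, const char *site)
{
	const char *want = is_unset(domain) ? LOCAL_DOMAIN : domain;
	for (size_t i = 0; i < NUM_DCS; i++) {
		if (strcasecmp(known_dcs[i].domain, want) == 0 &&
		    site_ok(&known_dcs[i], site)) return known_dcs[i].name;
	}
	return NULL;
}

int main(void)
{
	const char *dc = locate_checked("trusted.example", "HQ");
	printf("site only: %s\n", locate_site_only("trusted.example", "HQ"));
	printf("checked:   %s\n", dc ? dc : "(none)");
	return 0;
}
```

With a site name that exists in both domains, the site-only lookup answers with a DC from the local domain even though the trusted domain was requested; the checked lookup returns a DC from the requested domain or nothing.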
