[PATCH] Allow GetDCNameEx to be called for arbitrary sites and trusted domains

Stefan Metzmacher metze at samba.org
Thu Mar 29 07:43:54 UTC 2018


Hi Garming,

can you please have a look at
https://git.samba.org/?p=samba.git;a=commitdiff;h=373da95b0b72ec7db8463a
https://git.samba.org/?p=samba.git;a=commitdiff;h=023bd2d15d5e9599c59281
https://git.samba.org/?p=samba.git;a=commitdiff;h=8022b63f6cfadc58d6711e

We already use that pattern for a few async calls:
dcesrv_netr_LogonSamLogon_base_call(), dcesrv_netr_LogonControl_base_call(),
dcesrv_lsa_LookupSids_base_call(),
dcesrv_lsa_LookupNames_base_call()

I think we should use that pattern for GetDCName* too.

Also wb_irpc_GetDCName_done() should be moved after wb_irpc_GetDCName(),
that makes it much easier to read and matches the pattern we always use
for async programming, e.g.

        subreq = wb_lookupsids_send(msg,
                                    server_event_context(),
                                    sids, req->in.sids->num_sids);
        if (subreq == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
        tevent_req_set_callback(subreq, wb_irpc_lsa_LookupSids3_done, state);
        msg->defer_reply = true;

        return NT_STATUS_OK;
}

static void wb_irpc_lsa_LookupSids3_done(struct tevent_req *subreq)
{
        struct wb_irpc_lsa_LookupSids3_state *state =
                tevent_req_callback_data(subreq,
                struct wb_irpc_lsa_LookupSids3_state);
        struct lsa_RefDomainList *domains = NULL;
        struct lsa_TransNameArray *names = NULL;
        NTSTATUS status;
        uint32_t i;

        status = wb_lookupsids_recv(subreq, state->msg,
                                    &domains, &names);


I also think we should have a bug report for that and backport it to
4.8.

It seems that some of the patches fix bugs in a former patch,
these should be squashed to make it easier to understand.

Thanks!
metze

Am 29.03.2018 um 05:04 schrieb Garming Sam via samba-technical:
> New version. Fixed some error handling.
> 
> 
> On 29/03/18 15:29, Garming Sam via samba-technical wrote:
>> Hi,
>>
>> While looking at automatic site coverage (which has already gone
>> upstream), I noticed that our DC location calls in NETLOGON are
>> particularly bad. GetDCNameEx only returned WERR_NO_SUCH_DOMAIN when you
>> asked for a site that the DC did not exist in. Furthermore, it did not
>> bother checking the domain, which meant that as long as you supplied a
>> valid site name in both domains, you could get a DC in the wrong domain
>> returned.
>>
>> In order to remedy a large amount of the behaviour, I've implemented a
>> winbind forward call which triggers the dsgetdcname calls (using CLDAP
>> and DNS) in the winbind DC locator process. This allows arbitrary sites
>> to be queried for, and by doing so, the trusted domain case also works.
>>
>> There are a number of other errors in the RPC call which I have had to
>> fix, including:
>>
>> - Failing to forward the error code from GetDCNameEx2 to GetDCNameEx
>> when it is called internally.
>> - Returning a more appropriate client site name (and avoiding a fallback
>> that would be wrong in trusted domains)
>> - Handling of NULL and empty string parameters
>>
>> There appear to still be issues with querying using a NETBIOS domain
>> name (including trusted domains), due to winbind sometimes falling back
>> to NETBIOS queries which have no site-awareness. I've noticed this
>> against Windows and seen it once in testenv, but the particular test I
>> expected to fail seems to consistently pass in make test. I've marked
>> the questionable test in flapping, which may warrant more inspection
>> later on.
>>
>> Please review and push.
>>
>>
>> Cheers,
>>
>> Garming
>>
> 
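
A simplified model of the missing domain check described in the quoted report, added here as an illustration; it is not Samba code and not part of either mail. The DC table, the domain and site names, and both function names are constructed for the example, and an unset domain is assumed to mean the local one.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample data: both domains have a site called "SiteA". */
struct dc_entry { const char *domain, *site, *dc_name; };
static const struct dc_entry dc_table[] = {
    { "corp.example",    "SiteA", "dc1.corp.example" },
    { "corp.example",    "SiteB", "dc2.corp.example" },
    { "trusted.example", "SiteA", "dc1.trusted.example" },
};
static const size_t dc_count = sizeof(dc_table) / sizeof(dc_table[0]);
static const char *const local_domain = "corp.example"; /* hypothetical */

/* NULL and "" both mean "caller did not specify". */
static int unset(const char *s) { return s == NULL || s[0] == '\0'; }

/* Case-insensitive comparison for domain and site names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    }
    return *a == *b;
}

/* Before: only the site is compared, the requested domain is ignored. */
const char *locate_dc_site_only(const char *domain, const char *site)
{
    (void)domain;
    for (size_t i = 0; i < dc_count; i++) {
        if (unset(site) || eq_nocase(dc_table[i].site, site)) {
            return dc_table[i].dc_name;
        }
    }
    return NULL;
}

/* After: the domain must match before the site is even considered. */
const char *locate_dc_checked(const char *domain, const char *site)
{
    if (unset(domain)) domain = local_domain;
    for (size_t i = 0; i < dc_count; i++) {
        if (!eq_nocase(dc_table[i].domain, domain)) continue;
        if (unset(site) || eq_nocase(dc_table[i].site, site)) {
            return dc_table[i].dc_name;
        }
    }
    return NULL; /* no DC known for that domain/site pair */
}
```

With a site name that exists in both domains, the site-only lookup answers a query for `trusted.example` with a `corp.example` DC, while the checked lookup returns a DC from the requested domain or nothing.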

