From 6ce3e107ff0342c17bb4ca07befa1d2073f7a3eb Mon Sep 17 00:00:00 2001 From: Arvid Requate Date: Mon, 16 Feb 2015 13:33:35 +0100 Subject: [PATCH] S4:dsdb GC LDAP should not return objects from DomainDnsZones Setting: "Windows Server 2008 R2 Foundation" joined as Memberserver to a Samba 4.2 ADDS DC. Issue: After Logon an error popup is shown with the following text: The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliant check cannot be completed, the server will automatically shut down in 9 day(s), 7 hour(s) 30 minute(s). http://technet.microsoft.com/de-de/library/ee526849%28en-us,WS.10%29.aspx Analysis: The MS Event Viewer shows that the message originates from the Forest Trust Check performed by the Server Infrastructure Licensing service. Network traces show that shortly before the log entries the client performs an LDAP search equivalent to ldbsearch -H http://:3268 -b '' \ --controls:domainscope:0 \ '(objectCategory=Domain)' canonicalName A search like this against the GC port of a native AD 2008 R2 DC does not return any objects from ForestDNSZones or DomainDNSZones partitions. In contrast the Samba LDAP server returns objects from those partitions. This causes the client to perform DNS lookups for _ldap._tcp.pdc._msdcs.DomainDnsZones. This request for a non-standard DNS record causes the Forest Trust Check to fail. Creating the record(s) causes the client to perform CLDAP Netlogon requests against the IP with DomainDnsZones. as target domain and continue. This patch modifies the "partition" dsdb module response to this specific request (GC port, domainscope, empty search base) to not return objects from the ForestDNSZones and DomainDNSZones application partitions. Signed-off-by: Arvid Requate --- source4/dsdb/samdb/ldb_modules/partition.c | 40 ++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) 
diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c
index b501ff1..230aa0c 100644
--- a/source4/dsdb/samdb/ldb_modules/partition.c
+++ b/source4/dsdb/samdb/ldb_modules/partition.c
@@ -605,6 +605,35 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req)
 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
+ // Determine forestdnszones_dn for comparison below
+ struct ldb_dn *forestdnszones_dn = ldb_dn_copy(ac, ldb_get_default_basedn(ldb));
+ if (!forestdnszones_dn) {
+ return ldb_oom(ldb_module_get_ctx(module));
+ }
+ if (!ldb_dn_add_child_fmt(forestdnszones_dn, "DC=ForestDnsZones")) {
+ return ldb_oom(ldb_module_get_ctx(module));
+ }
+
+ // Determine domaindnszones_dn for comparison below
+ struct ldb_dn *domaindnszones_dn = ldb_dn_copy(ac, ldb_get_default_basedn(ldb));
+ if (!domaindnszones_dn) {
+ return ldb_oom(ldb_module_get_ctx(module));
+ }
+ if (!ldb_dn_add_child_fmt(domaindnszones_dn, "DC=DomainDnsZones")) {
+ return ldb_oom(ldb_module_get_ctx(module));
+ }
+
+ /* Don't return application partitions on GC search */
+ if (!no_gc_control ) { // not set by ldap_backend.c:ldapsrv_SearchRequest for GC port searches
+ // This behaviour was found on a Windows Server 2008R2 Foundation
+ // Looks like it's generally true that AD GC search doesn't return Forest+DomainDNSZones
+ // let's only treat the Windows Server 2008R2 Foundation case for now:
+ if (ldb_dn_is_null(req->op.search.base) && domain_scope_control) {
+ // workaround: set base to avoid partition_send_all below, skip Forest and DomainDNSZones
+ req->op.search.base = ldb_dn_copy(ac, ldb_get_default_basedn(ldb));
+ }
+ }
+
 /* Search from the base DN */
 if (ldb_dn_is_null(req->op.search.base)) {
 if (!phantom_root) {
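Review bot: The workaround assignment `req->op.search.base = ldb_dn_copy(ac, ldb_get_default_basedn(ldb));` is the one allocation in this hunk whose result is not checked; if it fails the base silently stays null and the search falls through to the unrestricted all-partition path this change is meant to avoid, so it should be followed by `if (!req->op.search.base) { return ldb_oom(ldb); }`. The ForestDnsZones and DomainDnsZones DNs are also built on every search that reaches this point, although they are only consulted when `!no_gc_control && domain_scope_control`, so moving both blocks under that condition would save two allocations per search. Minor style points: the new code alternates between `ldb` and `ldb_module_get_ctx(module)` for the same context, has a stray space in `if (!no_gc_control )`, and uses `//` comments where the surrounding file uses `/* */`. Overwriting the caller's request in place, with the replacement DN owned by `ac` rather than by the request, presumably works because the context outlives the search, but a one-line comment stating that the rewrite of the caller-visible base is intentional would help the next reader. partition_search continues outside this hunk.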
@@ -628,6 +657,17 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req)
 }
 if (phantom_root) {
+
+ /* Don't return application partitions on GC search */
+ if (!no_gc_control && domain_scope_control) {
+ if (ldb_dn_compare(data->partitions[i]->ctrl->dn, forestdnszones_dn) == 0) {
+ continue;
+ }
+ if (ldb_dn_compare(data->partitions[i]->ctrl->dn, domaindnszones_dn) == 0) {
+ continue;
+ }
+ }
+
 /* Phantom root: Find all partitions under the
 * search base. We match if:
 *
-- 
2.1.4
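Review bot: The skip only recognises the two partitions whose DNs were hard-coded as children of the default base DN, so any other application partition held by this DC would still be returned on a GC/domainscope search, even though the description states a native GC returns none of them; if the partition list records which entries are application partitions rather than the domain, Configuration or Schema naming contexts, checking that here would be more general than the two `ldb_dn_compare` calls, though the hunk does not show whether such a field exists. Relatedly, `forestdnszones_dn` is derived from `ldb_get_default_basedn`, which equals the forest root only on a root-domain DC, so on a child-domain DC the first comparison would silently never match; a comment such as `/* assumes this DC's domain is the forest root: ForestDnsZones hangs off the forest root DN */` would make that assumption explicit. The loop over `data->partitions` that these `continue` statements belong to starts before this hunk.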