The Samba-Bugzilla – Attachment 14813 Details for
Bug 13771
Access to the dnsserver RPC pipe is restricted on Windows
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Return access denied code
0001-dnsserver-Return-access-denied-to-the-caller-if-the-.patch (text/plain), 4.04 KB, created by
Garming Sam
on 2019-02-01 01:34:35 UTC
(
hide
)
Description:
Return access denied code
Filename:
MIME Type:
Creator:
Garming Sam
Created:
2019-02-01 01:34:35 UTC
Size:
4.04 KB
patch
obsolete
>From f64b7ae70e08a6be30d761822dd2ea1587e300dc Mon Sep 17 00:00:00 2001 >From: Garming Sam <garming@catalyst.net.nz> >Date: Fri, 1 Feb 2019 14:11:18 +1300 >Subject: [PATCH] dnsserver: Return access denied to the caller if the user was > not a DNS admin > >This is not a proper fix to match Windows, but at the very least, it >should be more obvious to users (using samba-tool for instance), that >the user needs to be given more access or that they should use the >administrator. > >Windows seems to deny access altogether by returning a fault after they >have bound to the pipe and actually sent an operation. > >Signed-off-by: Garming Sam <garming@catalyst.net.nz> >--- > source4/rpc_server/dnsserver/dnsdb.c | 32 +++++++++++++++++++++++++------- > 1 file changed, 25 insertions(+), 7 deletions(-) > >diff --git a/source4/rpc_server/dnsserver/dnsdb.c b/source4/rpc_server/dnsserver/dnsdb.c >index 81af5f1..9ee50d8 100644 >--- a/source4/rpc_server/dnsserver/dnsdb.c >+++ b/source4/rpc_server/dnsserver/dnsdb.c >@@ -273,7 +273,8 @@ failed: > /* Increment serial number and update timestamp */ > static unsigned int dnsserver_update_soa(TALLOC_CTX *mem_ctx, > struct ldb_context *samdb, >- struct dnsserver_zone *z) >+ struct dnsserver_zone *z, >+ WERROR *werr) > { > const char * const attrs[] = { "dnsRecord", NULL }; > struct ldb_result *res; >@@ -282,6 +283,8 @@ static unsigned int dnsserver_update_soa(TALLOC_CTX *mem_ctx, > enum ndr_err_code ndr_err; > int ret, i, serial = -1; > >+ *werr = WERR_INTERNAL_DB_ERROR; >+ > ret = ldb_search(samdb, mem_ctx, &res, z->zone_dn, LDB_SCOPE_ONELEVEL, attrs, > "(&(objectClass=dnsNode)(name=@))"); > if (ret != LDB_SUCCESS || res->count == 0) { >@@ -309,6 +312,7 @@ static unsigned int dnsserver_update_soa(TALLOC_CTX *mem_ctx, > ndr_err = ndr_push_struct_blob(&el->values[i], mem_ctx, &rec, > (ndr_push_flags_fn_t)ndr_push_dnsp_DnssrvRpcRecord); > if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { >+ *werr = WERR_NOT_ENOUGH_MEMORY; > return -1; > } > break; >@@ -319,10 +323,15 @@ static unsigned int dnsserver_update_soa(TALLOC_CTX *mem_ctx, > el->flags = LDB_FLAG_MOD_REPLACE; > ret = ldb_modify(samdb, res->msgs[0]); > if (ret != LDB_SUCCESS) { >+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { >+ *werr = WERR_ACCESS_DENIED; >+ } > return -1; > } > } > >+ *werr = WERR_OK; >+ > return serial; > } > >@@ -444,9 +453,9 @@ WERROR dnsserver_db_add_record(TALLOC_CTX *mem_ctx, > rec->rank |= DNS_RANK_ROOT_HINT; > } > >- serial = dnsserver_update_soa(mem_ctx, samdb, z); >+ serial = dnsserver_update_soa(mem_ctx, samdb, z, &werr); > if (serial < 0) { >- return WERR_INTERNAL_DB_ERROR; >+ return werr; > } > > rec->dwSerial = serial; >@@ -608,9 +617,9 @@ WERROR dnsserver_db_update_record(TALLOC_CTX *mem_ctx, > > /* If updating SOA record, use specified serial, otherwise increment */ > if (arec->wType != DNS_TYPE_SOA) { >- serial = dnsserver_update_soa(mem_ctx, samdb, z); >+ serial = dnsserver_update_soa(mem_ctx, samdb, z, &werr); > if (serial < 0) { >- return WERR_INTERNAL_DB_ERROR; >+ return werr; > } > arec->dwSerial = serial; > } >@@ -647,9 +656,9 @@ WERROR dnsserver_db_delete_record(TALLOC_CTX *mem_ctx, > int serial; > WERROR werr; > >- serial = dnsserver_update_soa(mem_ctx, samdb, z); >+ serial = dnsserver_update_soa(mem_ctx, samdb, z, &werr); > if (serial < 0) { >- return WERR_INTERNAL_DB_ERROR; >+ return werr; > } > > werr = dns_to_dnsp_convert(mem_ctx, del_record, &rec, false); >@@ -998,6 +1007,11 @@ static WERROR dnsserver_db_do_create_zone(TALLOC_CTX *tmp_ctx, > if (ret != LDB_SUCCESS) { > DEBUG(0, ("dnsserver: Failed to create zone (%s): %s\n", > z->name, ldb_errstring(samdb))); >+ >+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { >+ return WERR_ACCESS_DENIED; >+ } >+ > return WERR_INTERNAL_DB_ERROR; > } > >@@ -1131,6 +1145,10 @@ WERROR dnsserver_db_delete_zone(struct ldb_context *samdb, > ret = dsdb_delete(samdb, zone->zone_dn, DSDB_TREE_DELETE); > if (ret != LDB_SUCCESS) { > ldb_transaction_cancel(samdb); >+ >+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { >+ return WERR_ACCESS_DENIED; >+ } > return WERR_INTERNAL_DB_ERROR; > } > >-- >1.9.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=14813">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 13771
: 14813