13771 – Access to the dnsserver RPC pipe is restricted on Windows

Bug 13771 - Access to the dnsserver RPC pipe is restricted on Windows

Summary: Access to the dnsserver RPC pipe is restricted on Windows

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DCE-RPCs and pipes (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-02-01 01:34 UTC by Garming Sam
Modified:	2019-02-01 10:25 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Return access denied code (4.04 KB, patch) 2019-02-01 01:34 UTC, Garming Sam	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Garming Sam 2019-02-01 01:34:35 UTC

Created attachment 14813 [details]
Return access denied code

Connecting to Windows and attempting any DNS operations appears to trigger DCERPC faults with an unprivileged user. In Samba, we attempt to apply the operation and if they lack the sufficient LDAP privileges we error out (and often giving a bad error message).

More investigation is required into whether or not every operation is actually disallowed or what privileges are required. In the meantime, I've written a patch just to improve our error codes to show that the user got an obvious access denied (and samba-tool can also see the access denied), which it should hit in most cases.