Bug 13771 - Access to the dnsserver RPC pipe is restricted on Windows
Summary: Access to the dnsserver RPC pipe is restricted on Windows
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-01 01:34 UTC by Garming Sam
Modified: 2019-02-01 10:25 UTC (History)
1 user (show)

See Also:


Attachments
Return access denied code (4.04 KB, patch)
2019-02-01 01:34 UTC, Garming Sam
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Garming Sam 2019-02-01 01:34:35 UTC
Created attachment 14813 [details]
Return access denied code

Connecting to Windows and attempting any DNS operations appears to trigger DCERPC faults with an unprivileged user. In Samba, we attempt to apply the operation and if they lack the sufficient LDAP privileges we error out (and often giving a bad error message).

More investigation is required into whether or not every operation is actually disallowed or what privileges are required. In the meantime, I've written a patch just to improve our error codes to show that the user got an obvious access denied (and samba-tool can also see the access denied), which it should hit in most cases.