s3:libads: let get_kdc_ip_string() check for a blacklisted server name

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 145bc36cdb2a2aa3f5db82433b50cf23550b0857..c1f3f3ce35674824de7a2c173e88855e5f8b635c 100644 (file)
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1235,10 +1235,32 @@ static char *get_kdc_ip_string(char *mem_ctx,
        }
 
        for (i=0; i<num_dcs; i++) {
+               struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
+               char addr[INET6_ADDRSTRLEN];
+
                if (responses[i] == NULL) {
                        continue;
                }
 
+               if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
+                       continue;
+               }
+
+               print_sockaddr(addr, sizeof(addr), &dc_addrs[i]);
+
+               cldap_reply = &responses[i]->data.nt5_ex;
+
+               if (cldap_reply->pdc_dns_name != NULL) {
+                       status = check_negative_conn_cache(
+                               realm,
+                               cldap_reply->pdc_dns_name);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               /* propagate blacklisting from name to ip */
+                               add_failed_connection_entry(realm, addr, status);
+                               continue;
+                       }
+               }
+
                /* Append to the string - inefficient but not done often. */
                talloc_asprintf_addbuf(&kdc_str,
                                       "\t\tkdc = %s\n",