From: Jennifer Sutton
Date: Tue, 29 Jul 2025 03:59:09 +0000 (+1200)
Subject: s4:dsdb: Allow an SPN value to match the original dNSHostName with Validated Write
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f9f2c9efccdfc092869643ceffc2bb050858eb6;p=thirdparty%2Fsamba.git
s4:dsdb: Allow an SPN value to match the original dNSHostName with Validated Write
Signed-off-by: Jennifer Sutton
Reviewed-by: Douglas Bagnall
---
diff --git a/selftest/knownfail.d/modify_spn_matching_original_dns_host_name b/selftest/knownfail.d/modify_spn_matching_original_dns_host_name
deleted file mode 100644
index 2f90b37479b..00000000000
--- a/selftest/knownfail.d/modify_spn_matching_original_dns_host_name
+++ /dev/null
@@ -1 +0,0 @@
-^samba4\.ldap\.acl\.python\(.*\)\.__main__\.AclModifyTests\.test_modify_spn_matching_dns_host_name_original\(.*\)$
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index d0b1216bcc1..93e580cdd02
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -452,6 +452,7 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 const struct ldb_val *spn_value,
 uint32_t userAccountControl,
 const struct ldb_val *samAccountName,
+ const struct ldb_val *original_dnsHostName,
 const struct ldb_val *dnsHostName,
 const char *netbios_name,
 const char *ntds_guid)
@@ -582,6 +583,14 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 {
 goto success;
 }
+ if ((original_dnsHostName != NULL) && strlen(instanceName) == original_dnsHostName->length && (strncasecmp(instanceName, (const char *)original_dnsHostName->data, original_dnsHostName->length) == 0)) { goto success; } if (is_dc) { const char *guid_str = NULL; guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
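Review bot: The new original_dnsHostName branch in acl_validate_spn_value is a verbatim second copy of the length-plus-strncasecmp comparison used for dnsHostName just above it, and nothing in the hunk records why a value the request may be replacing is still accepted, so a future tightening of one copy (for example a stricter host-name normalisation) can easily miss the other. I would factor the comparison into one small static helper that also absorbs the NULL check, and put a why-comment on the new call; the comment's wording below is my reading of the commit title, since the caller that supplies the pre-request value is outside this hunk. Both the existing dnsHostName comparison and the rest of acl_validate_spn_value start and end outside the hunk, so I cannot confirm the two paths treat an absent attribute identically; the helper makes that question moot.
```c
/* True when instanceName equals val, ASCII case-insensitively; false for a NULL val. */
static bool acl_spn_instance_matches(const char *instanceName,
				     const struct ldb_val *val)
{
	return val != NULL &&
	       strlen(instanceName) == val->length &&
	       strncasecmp(instanceName,
			   (const char *)val->data,
			   val->length) == 0;
}

/* … unchanged: acl_validate_spn_value up to and including the dnsHostName comparison … */
	/*
	 * On LDB_MODIFY also accept the value stored before this request,
	 * so an SPN may still name the host that the same request replaces.
	 */
	if (acl_spn_instance_matches(instanceName, original_dnsHostName)) {
		goto success;
	}
```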
@@ -637,6 +646,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 struct ldb_dn *partitions_dn = samdb_partitions_dn(ldb, tmp_ctx);
 uint32_t userAccountControl;
 const char *netbios_name;
+ const struct ldb_val *original_dns_host_name_val = NULL;
 const struct ldb_val *dns_host_name_val = NULL;
 const struct ldb_val *sam_account_name_val = NULL;
 struct GUID ntds;
@@ -739,12 +749,13 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 }
 if (req->operation == LDB_MODIFY) {
- dns_host_name_val = ldb_msg_find_ldb_val(search_res, "dNSHostName");
+ original_dns_host_name_val = ldb_msg_find_ldb_val( search_res, "dNSHostName");
 }
 ret = dsdb_msg_get_single_value(msg, "dNSHostName",
- dns_host_name_val,
+ original_dns_host_name_val,
 &dns_host_name_val,
 req->operation);
 if (ret != LDB_SUCCESS) {
@@ -809,6 +820,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 &el->values[i],
 userAccountControl,
 sam_account_name_val,
+ original_dns_host_name_val,
 dns_host_name_val,
 netbios_name,
 ntds_guid);
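Review bot: original_dns_host_name_val is filled from search_res only under `req->operation == LDB_MODIFY`, so the value handed to acl_validate_spn_value is the object's stored dNSHostName even when this same request replaces or deletes that attribute, and an SPN naming the old host is accepted although the object will no longer carry that name once the modify completes; on LDB_ADD the argument stays NULL and the new match never applies. Both look intended given the commit title, but neither is stated in the code, so I would annotate the assignment: `/* Stored (pre-request) value, consulted so an SPN may still name the host this request replaces; NULL on add. */`. If accepting the old name when dNSHostName is being removed outright is not wanted, the place to narrow it is this assignment, not the comparison in acl_validate_spn_value. acl_check_spn starts and ends outside this hunk.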