From: Stefan Metzmacher Date: Tue, 4 Jul 2023 16:07:51 +0000 (+0200) Subject: s3:libads: let get_kdc_ip_string() check for a blacklisted server name X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63051a2dcbe3a4a07f029e0c18aa90bd3f56b0a4;p=thirdparty%2Fsamba.git s3:libads: let get_kdc_ip_string() check for a blacklisted server name BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Reviewed-by: Guenther Deschner --- diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 145bc36cdb2..c1f3f3ce356 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -1235,10 +1235,32 @@ static char *get_kdc_ip_string(char *mem_ctx, } for (i=0; intver != NETLOGON_NT_VERSION_5EX) { + continue; + } + + print_sockaddr(addr, sizeof(addr), &dc_addrs[i]); + + cldap_reply = &responses[i]->data.nt5_ex; + + if (cldap_reply->pdc_dns_name != NULL) { + status = check_negative_conn_cache( + realm, + cldap_reply->pdc_dns_name); + if (!NT_STATUS_IS_OK(status)) { + /* propagate blacklisting from name to ip */ + add_failed_connection_entry(realm, addr, status); + continue; + } + } + /* Append to the string - inefficient but not done often. */ talloc_asprintf_addbuf(&kdc_str, "\t\tkdc = %s\n",
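Review bot: The new `add_failed_connection_entry(realm, addr, status)` call writes to the negative connection cache on the strength of `cldap_reply->pdc_dns_name`, a string taken from the CLDAP netlogon response, and it does so without logging anything. Nothing visible in this hunk shows that the reply is authenticated or that the name is tied to `dc_addrs[i]`, so a response carrying an already blacklisted name is enough to mark that address failed and skip its `kdc = %s` line; if that trust is intended, the comment should say so. I would extend the comment to `/* propagate blacklisting from name to ip; pdc_dns_name is used as received in the CLDAP reply */` and add `DBG_INFO("skipping KDC %s (%s): %s\n", addr, cldap_reply->pdc_dns_name, nt_errstr(status));` before the `continue`, so a dropped KDC can be diagnosed from the logs. The body of get_kdc_ip_string() starts and ends outside the hunk, and part of the loop header is lost in this rendering, so how `responses[]` is populated cannot be checked here.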