s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
authorStefan Metzmacher <metze@samba.org>
Thu, 30 May 2024 12:52:22 +0000 (14:52 +0200)
committerJule Anger <janger@samba.org>
Wed, 3 Jul 2024 08:48:12 +0000 (08:48 +0000)
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224

(cherry picked from commit ed61c57e02309b738e73fb12877a0a565b627724)

selftest/knownfail.d/dns_tkey [deleted file]
source4/dns_server/dns_update.c

diff --git a/selftest/knownfail.d/dns_tkey b/selftest/knownfail.d/dns_tkey
deleted file mode 100644 (file)
index a88b7cf..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_windows.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_wo_tsig.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_record_access_denied.fl2008r2dc
index 3cc26952353a0b6a1f79b7c8b97d6728a83af810..dc13a24609b5bb517f52ef1992d3c711826911bd 100644 (file)
@@ -570,6 +570,8 @@ static WERROR handle_one_update(struct dns_server *dns,
                W_ERROR_NOT_OK_RETURN(werror);
 
                for (i = first; i < rcount; i++) {
+                       struct dnsp_DnssrvRpcRecord orig_rec = recs[i];
+
                        if (!dns_record_match(&recs[i], &recs[rcount])) {
                                continue;
                        }
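Review bot: `orig_rec` is a shallow copy of the whole record, taken on every iteration before the `dns_record_match()` test, yet the only field this commit reads from it is `dwTtlSeconds` (in the next hunk). A reader can easily mistake it for a full before/after comparison of the record, which it is not. Narrowing it to `uint32_t orig_ttl = recs[i].dwTtlSeconds;`, or adding `/* snapshot before the in-place overwrite; only the TTL is compared below */`, would make the scope of the no-op test explicit. The loop body continues outside this hunk.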
@@ -583,6 +585,15 @@ static WERROR handle_one_update(struct dns_server *dns,
                        werror = dns_replace_records(dns, mem_ctx, dn,
                                                     needs_add, recs, rcount);
                        DBG_DEBUG("dns_replace_records(REPLACE): %s\n", win_errstr(werror));
+                       if (W_ERROR_EQUAL(werror, WERR_ACCESS_DENIED) &&
+                           !needs_add &&
+                           orig_rec.dwTtlSeconds == recs[i].dwTtlSeconds)
+                       {
+                               DBG_NOTICE("dns_replace_records(REPLACE): %s "
+                                           "=> skip no-op\n",
+                                           win_errstr(werror));
+                               werror = WERR_OK;
+                       }
                        W_ERROR_NOT_OK_RETURN(werror);
 
                        return WERR_OK;
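Review bot: The override of `WERR_ACCESS_DENIED` decides that the update is a no-op from `dns_record_match()` plus an unchanged `dwTtlSeconds` alone. The assignments to `recs[i]` between the two hunks are not visible here; if they change any other stored field, a denied update that would have altered that field is now reported to the client as success, so the condition should compare every field that block overwrites. The notice also logs only the error string, which makes suppressed denials hard to audit. Assuming `dn` is the node's `struct ldb_dn *`, something like `DBG_NOTICE("dns_replace_records(REPLACE): %s => skip no-op for %s\n", win_errstr(werror), ldb_dn_get_linearized(dn));` would tie each suppressed denial to a record. `handle_one_update` starts and ends outside the hunk.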