From: Andrew Bartlett Date: Tue, 27 Jun 2023 02:39:18 +0000 (+1200) Subject: s4-rpc_server/drsuapi: Avoid modification to ncRoot input variable in GetNCChanges X-Git-Tag: samba-4.17.11~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c63aa69594c41f302acfb85dba332b45388869f;p=thirdparty%2Fsamba.git s4-rpc_server/drsuapi: Avoid modification to ncRoot input variable in GetNCChanges This tries to avoid it appearing that ncRoot is a value that can be trusted and used internally by not updating it and instead leaving it just as an input/echo-back value. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 548f141f11e89d335d8f9d74ab6925fa6b90fb84) --- diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index 92fa7ba7575..c3806f9e6de 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -3185,7 +3185,6 @@ allowed: getnc_state->ncRoot_guid = samdb_result_guid(res->msgs[0], "objectGUID"); - ncRoot->guid = getnc_state->ncRoot_guid; /* find out if we are to replicate Schema NC */ ret = ldb_dn_compare_base(ldb_get_schema_basedn(sam_ctx), @@ -3195,8 +3194,6 @@ allowed: TALLOC_FREE(res); } - ncRoot->guid = getnc_state->ncRoot_guid; - /* we need the session key for encrypting password attributes */ status = dcesrv_auth_session_key(dce_call, &session_key); if (!NT_STATUS_IS_OK(status)) { @@ -3378,11 +3375,19 @@ allowed: if (r->out.ctr->ctr6.naming_context == NULL) { return WERR_NOT_ENOUGH_MEMORY; } + + /* + * Match Windows and echo back the original values from the request, even if + * they say DummyDN for the string NC + */ *r->out.ctr->ctr6.naming_context = *ncRoot; /* find the SID if there is one */ dsdb_find_sid_by_dn(sam_ctx, getnc_state->ncRoot_dn, &r->out.ctr->ctr6.naming_context->sid); + /* Set GUID */ + r->out.ctr->ctr6.naming_context->guid = getnc_state->ncRoot_guid; + dsdb_get_oid_mappings_drsuapi(schema, true, mem_ctx, &ctr); r->out.ctr->ctr6.mapping_ctr = *ctr;