From: Stefan Metzmacher
Date: Fri, 13 Dec 2024 15:11:34 +0000 (+0100)
Subject: s4:rpc_server/netlogon: fix error codes for netr_NetrLogonSendToSam() with SEC_CHAN_RODC
X-Git-Tag: tdb-1.4.13~202
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=978a66f2bd5c7c7a3925a109fc10706fcd869c88;p=thirdparty%2Fsamba.git

s4:rpc_server/netlogon: fix error codes for netr_NetrLogonSendToSam() with SEC_CHAN_RODC

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jennifer Sutton
---
diff --git a/selftest/knownfail.d/samba.tests.krb5.netlogon b/selftest/knownfail.d/samba.tests.krb5.netlogon
index f7cea4d5550..dc2304c1162 100644
--- a/selftest/knownfail.d/samba.tests.krb5.netlogon
+++ b/selftest/knownfail.d/samba.tests.krb5.netlogon
@@ -1,11 +1,2 @@
 # This is not implemented yet
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_ticket_samlogon
-# The RODC handling is wrong
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_auth3_01000000
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_auth3_613fffff
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_auth3_e13fffff
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_00000000
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_00004000
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_603fbffb
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_80000000
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_e13fffff
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index ccf303cff9a..848a01aad4a 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -3389,6 +3389,9 @@ static NTSTATUS dcesrv_netr_NetrLogonSendToSam(struct dcesrv_call_state *dce_cal
 &dn);
 if (ret != LDB_SUCCESS) {
 ldb_transaction_cancel(sam_ctx);
+ if (creds->secure_channel_type == SEC_CHAN_RODC) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 }
 
@@ -3398,7 +3401,7 @@ static NTSTATUS dcesrv_netr_NetrLogonSendToSam(struct dcesrv_call_state *dce_cal
 "an arbitrary user: %s\n",
 ldb_dn_get_linearized(dn)));
 ldb_transaction_cancel(sam_ctx);
- return NT_STATUS_INVALID_PARAMETER;
+ return NT_STATUS_ACCESS_DENIED;
 }
 
 msg->dn = dn;
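Review bot: The new SEC_CHAN_RODC branch in the first hunk returns NT_STATUS_INTERNAL_ERROR for a failed lookup without a comment saying why, and since that status normally signals a server fault a later reader may be tempted to "correct" it. A comment above the `if`, for example `/* An RODC gets INTERNAL_ERROR here rather than OBJECT_NAME_NOT_FOUND; pinned by the test_send_to_sam_rodc_* cases in samba.tests.krb5.netlogon */`, would record the intent. The branch also maps every non-success `ret` to the same status, and as far as the hunk shows nothing is logged on this path, whereas the denial further down emits a DEBUG line. The function body starts and ends outside the hunk.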
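Review bot: The denial path in the second hunk, which now returns NT_STATUS_ACCESS_DENIED, logs only the target DN in its DEBUG message, so the record does not say which RODC made the request. A request to reset the bad-password state of an account the caller is not permitted to act on is a useful signal when investigating a possibly compromised RODC, and it is only attributable if the caller is named. Adding the requesting machine to the message, for instance `creds->computer_name` if that field is populated at this point, would cover it. The condition guarding this block and the start of the DEBUG call are outside the hunk, so this is based on the visible tail of the message only.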