s4:rpc_server/netlogon: adjust the valid_flags based on dsdb_dc_functional_level()
authorStefan Metzmacher <metze@samba.org>
Thu, 23 Dec 2021 17:32:44 +0000 (18:32 +0100)
committerJoseph Sutton <jsutton@samba.org>
Fri, 24 Dec 2021 03:03:50 +0000 (03:03 +0000)
This allows us to let DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED through
based on the manually changed msDS-Behavior-Version of our NTDSA object.

We still need tests, depending on the msDS-Behavior-Version
value, to check whether DSGETDC_VALID_FLAGS is really correct at all.
But for now this allows us to test krb5 FAST from Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Dec 24 03:03:50 UTC 2021 on sn-devel-184

source4/rpc_server/netlogon/dcerpc_netlogon.c

index 632dfeee6133bcd0cd4042f9cb9b35ecf242b572..269bea7c6fc4facef6c64b096cdfa6169e79cfeb 100644 (file)
@@ -3037,6 +3037,8 @@ static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName
        const char *domain_name = NULL;
        const char *pdc_ip;
        bool different_domain = true;
+       uint32_t valid_flags;
+       int dc_level;
 
        ZERO_STRUCTP(r->out.info);
 
@@ -3100,14 +3102,21 @@ static WERROR dcesrv_netr_DsRGetDCName_base_call(struct dcesrv_netr_DsRGetDCName
         * ...
         */
 
-       if (r->in.flags & ~(DSGETDC_VALID_FLAGS)) {
+       dc_level = dsdb_dc_functional_level(sam_ctx);
+       valid_flags = DSGETDC_VALID_FLAGS;
+       if (dc_level >= DS_DOMAIN_FUNCTION_2012) {
+               valid_flags |= DS_DIRECTORY_SERVICE_8_REQUIRED;
+       }
+       if (dc_level >= DS_DOMAIN_FUNCTION_2012_R2) {
+               valid_flags |= DS_DIRECTORY_SERVICE_9_REQUIRED;
+       }
+       if (dc_level >= DS_DOMAIN_FUNCTION_2016) {
+               valid_flags |= DS_DIRECTORY_SERVICE_10_REQUIRED;
+       }
+       if (r->in.flags & ~valid_flags) {
                /*
                 * TODO: add tests to prove this (maybe based on the
                 * msDS-Behavior-Version levels of dc, domain and/or forest
-                *
-                * Note that we currently reject
-                * DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED
-                * at this stage.
                 */
                return WERR_INVALID_FLAGS;
        }
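Review bot: The new `valid_flags` block has no comment saying why the DC functional level gates these three bits, and with the old note removed the remaining TODO no longer records that DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED are still rejected below the 2012, 2012_R2 and 2016 levels. I would add above `dc_level = dsdb_dc_functional_level(sam_ctx);` a comment such as `/* DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED are accepted only when our DC functional level is at least 2012, 2012_R2 or 2016; otherwise they fail with WERR_INVALID_FLAGS below. */`. Since the commit message says the level comes from a manually changed msDS-Behavior-Version, passing this check reflects only the configured level, not that the DC implements what a client requesting that version relies on; whether later code in this function checks anything further is not visible, because the body continues outside the hunk. A test per functional level, as the TODO already asks for, would pin the accepted mask.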