s3:libads: let get_kdc_ip_string() check for a blacklisted server name
authorStefan Metzmacher <metze@samba.org>
Tue, 4 Jul 2023 16:07:51 +0000 (18:07 +0200)
committerJule Anger <janger@samba.org>
Wed, 6 Aug 2025 08:08:10 +0000 (08:08 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 63051a2dcbe3a4a07f029e0c18aa90bd3f56b0a4)

source3/libads/kerberos.c

index 72ce5b7bb348d78b83681a7f0eed6e0c8caeb3bf..106e773f1b6976867ecc47611cb81b37abc45a33 100644 (file)
@@ -580,11 +580,32 @@ static char *get_kdc_ip_string(char *mem_ctx,
 
        for (i=0; i<num_dcs; i++) {
                char *new_kdc_str;
+               struct NETLOGON_SAM_LOGON_RESPONSE_EX *cldap_reply = NULL;
+               char addr[INET6_ADDRSTRLEN];
 
                if (responses[i] == NULL) {
                        continue;
                }
 
+               if (responses[i]->ntver != NETLOGON_NT_VERSION_5EX) {
+                       continue;
+               }
+
+               print_sockaddr(addr, sizeof(addr), &dc_addrs[i]);
+
+               cldap_reply = &responses[i]->data.nt5_ex;
+
+               if (cldap_reply->pdc_dns_name != NULL) {
+                       status = check_negative_conn_cache(
+                               realm,
+                               cldap_reply->pdc_dns_name);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               /* propagate blacklisting from name to ip */
+                               add_failed_connection_entry(realm, addr, status);
+                               continue;
+                       }
+               }
+
                /* Append to the string - inefficient but not done often. */
                new_kdc_str = talloc_asprintf_append(
                                kdc_str,
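Review bot: The blacklist check stores its result in the function-scope `status` and then `continue`s, so after the loop `status` can still hold the negative-cache NTSTATUS of the last skipped DC; if code later in get_kdc_ip_string() (outside this hunk) tests `status`, one blacklisted pdc_dns_name could mask an otherwise successful lookup. Keeping the lookup in a loop-local avoids that: `NTSTATUS bl_status = check_negative_conn_cache(realm, cldap_reply->pdc_dns_name);` and `add_failed_connection_entry(realm, addr, bl_status);`. Both new skip paths (the ntver mismatch and the propagated blacklist) are also silent, which makes an empty or shorter KDC list hard to diagnose from logs; a `DBG_DEBUG("skipping KDC %s for realm %s: %s\n", addr, realm, nt_errstr(bl_status));` before the `continue` in the blacklist branch would record why a DC was dropped. The enclosing function starts and ends outside the hunk.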