From 213af0ed20bdd97157c8a08e6959d76c5f9d27aa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 16 Feb 2022 13:09:14 +0100
Subject: [PATCH] s3:libads: let cldap_ping_list() check for a blacklisted server name

If we black listed a server we should not use it even if it responses to CLDAP requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981

Pair-Programmed-With: Ralph Boehme
Signed-off-by: Ralph Boehme
Reviewed-by: Guenther Deschner
(cherry picked from commit 08c8760ad9706b62755e35acaa121647344a4c9e)
---
 source3/libads/ldap.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 016402d5ca6..82d47341221 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -533,6 +533,30 @@ again:
 cldap_reply = &responses[i]->data.nt5_ex;
+ if (cldap_reply->pdc_dns_name != NULL) {
+ status = check_negative_conn_cache(
+ domain,
+ cldap_reply->pdc_dns_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * only use the server if it's not black listed
+ * by name
+ */
+ DBG_NOTICE("realm=[%s] server=[%s][%s] "
+ "black listed: %s\n",
+ ads->server.realm,
+ server,
+ cldap_reply->pdc_dns_name,
+ nt_errstr(status));
+ /* propagate blacklisting from name to ip */
+ add_failed_connection_entry(domain,
+ server,
+ status);
+ retry = true;
+ continue;
+ }
+ }
+
 /* Returns ok only if it matches the correct server type */
 ok = ads_fill_cldap_reply(ads, false,
--
2.47.2
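Review bot: The comment `only use the server if it's not black listed by name` is placed inside the `!NT_STATUS_IS_OK(status)` branch, which is the path that rejects the server, so it reads as describing the opposite of what that branch does; move it above the outer check as `/* Skip a server whose DNS name is in the negative connection cache, even though it answered CLDAP */`. A reply with no pdc_dns_name silently bypasses the name-based check and falls through to ads_fill_cldap_reply(); if that is intended, say so in a one-line comment on `if (cldap_reply->pdc_dns_name != NULL)`, since a reader may otherwise take the guard for plain NULL-safety rather than a deliberate exemption. pdc_dns_name is taken from the CLDAP reply itself, so the value looked up and printed in the DBG_NOTICE line is whatever the responder sent; that is acceptable for a negative-cache lookup keyed by name, but the log line echoes remote-supplied data and should be read as such. The `retry = true; continue;` path re-enters a loop whose bound, together with the `again:` label, lies outside the hunk, so whether a stream of black-listed replies can keep the loop going cannot be confirmed from here.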