ads_connect: Return immediately on a failed GC connection.

ads_connect_gc() feeds an explicit server to ads_connect().  However, if the
resulting connection fails, the latter function was attempting to find a DC
on its own and continuing the connection.  This resulting in GC searches being
sent over a connection using port 389 which would fail when using the base
search suffix outside of the domain naming context.

The fix is to fail immediately in ads_connect() since the GC lookup ordering
is handled already in ads_connect_gc().

1 files changed, 14 insertions, 3 deletions

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index a598580941..f6da54f35b 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -581,9 +581,20 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
 		TALLOC_FREE(s);
 	}
 
-	if (ads->server.ldap_server &&
-	    ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
-		goto got_connection;
+	if (ads->server.ldap_server)
+	{
+		if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
+			goto got_connection;
+		}
+
+		/* The choice of which GC use is handled one level up in
+		   ads_connect_gc().  If we continue on from here with
+		   ads_find_dc() we will get GC searches on port 389 which
+		   doesn't work.   --jerry */
+
+		if (ads->server.gc == true) {
+			return ADS_ERROR(LDAP_OPERATIONS_ERROR);
+		}
 	}
 
 	ntstatus = ads_find_dc(ads);