author | Benjamin Franzke <benjaminfranzke@googlemail.com> | 2013-10-30 11:54:21 +0100 |
committer | Benjamin Franzke <benjaminfranzke@googlemail.com> | 2013-11-01 07:01:39 +0100 |
commit | 16b7ba3488c1207d2229b0b51bfa709b80cf7a1f (patch) | |
tree | 2715acdd77feef5f134e668fbd7ca92cecda604c /source4/dsdb | |
parent | 1a540680a6550f9b0938dd9c39a7558d8e578511 (diff) | |
download | samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.tar.gz samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.tar.bz2 samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.zip |
s4:dsdb/rootdse: Netlogon maybe requested with other attrs
MS AD allows netlogon requests to request other attributes,
as long as the search parameter is correct, e.g:
ldapsearch -h 192.168.122.2 -x -b '' -s base \
"(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))" \
supportedLDAPPolicies netlogon
This also removes an old check that returned zero elements for
requests having a netlogon attribute.
This is not true, if there is a valid netlogon filter.
This patch is to be squashed into
"s4:dsdb/rootdse: Support netlogon request".
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/rootdse.c | 101 |
1 files changed, 38 insertions, 63 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index baffd1766c..3ec6248302 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -45,6 +45,12 @@ struct private_data {
 bool block_anonymous;
 };
 
+struct rootdse_context {
+ struct ldb_module *module;
+ struct ldb_request *req;
+ struct ldb_val netlogon;
+};
+
 /*
 return 1 if a specific attribute has been requested
 */
@@ -556,11 +562,6 @@ failed:
 handle search requests
 */
 
-struct rootdse_context {
- struct ldb_module *module;
- struct ldb_request *req;
-};
-
 static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
 struct ldb_request *req)
 {
@@ -599,16 +600,6 @@ static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
 
 switch (ares->type) {
 case LDB_REPLY_ENTRY:
- /*
- * if the client explicit asks for the 'netlogon' attribute
- * the reply_entry needs to be skipped
- */
- if (ac->req->op.search.attrs &&
- ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
- talloc_free(ares);
- return LDB_SUCCESS;
- }
-
 /* for each record returned post-process to add any dynamic
 attributes that have been asked for */
 ret = rootdse_add_dynamic(ac, ares->message,
@@ -618,6 +609,17 @@ static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
 return ldb_module_done(ac->req, NULL, NULL, ret);
 }
 
+ /* This should of cause be in rootdse_add_dynamic,
+ * but therefore we need ac there. */
+ if (ac->netlogon.length > 0) {
+ ret = ldb_msg_add_value(ares->message, "netlogon",
+ &ac->netlogon, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+
 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
 
 case LDB_REPLY_REFERRAL:
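Review bot: In the new netlogon block of rootdse_callback, the `return ret;` after a failed ldb_msg_add_value leaves the request unfinished: the error exit three lines above goes through `return ldb_module_done(ac->req, NULL, NULL, ret);`, and the ldb request presumably needs that done reply to complete, so this line should read `return ldb_module_done(ac->req, NULL, NULL, ret);` as well. The comment above the block is hard to read; `/* This belongs in rootdse_add_dynamic, but that function has no access to ac. */` states the intent. The blob is appended to every LDB_REPLY_ENTRY this callback sees, which is fine for a base-scope rootDSE search but worth saying in the same comment. rootdse_callback's body continues outside the hunk.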
@@ -760,9 +762,7 @@ static int rootdse_handle_netlogon(struct rootdse_context *ac)
 int version = -1;
 NTSTATUS status;
 struct netlogon_samlogon_response netlogon;
- struct ldb_message *msg = NULL;
- int ret, error = LDB_ERR_OPERATIONS_ERROR;
- struct ldb_val blob;
+ int ret = LDB_SUCCESS;
 
 ldb = ldb_module_get_ctx(ac->module);
 tree = ac->req->op.search.tree;
@@ -774,9 +774,12 @@ static int rootdse_handle_netlogon(struct rootdse_context *ac)
 
 status = parse_netlogon_request(tree, lp_ctx, tmp_ctx,
 &domain, &host, &user, &domain_guid,
- &domain_sid, &acct_control, &version);
+ &domain_sid, &acct_control, &version,
+ true);
 if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ /* We have to return an empty search if the filter
+ * does not match, no an error. */
+ goto done;
 }
 
 status = fill_netlogon_samlogon_response(ldb, tmp_ctx,
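Review bot: The new trailing `true` argument to parse_netlogon_request is a bare boolean whose meaning cannot be read at the call site, and the matching signature change is not part of this diff; a trailing comment naming the parameter, `true /* <PARAMETER-NAME> */`, or a named local keeps the call self-explanatory. The added comment has a typo: `/* We have to return an empty search if the filter does not match, not an error. */`. This early `goto done` returns LDB_SUCCESS and relies on `ac->netlogon.length` still being 0 so that the caller sends an empty reply; that presumes rootdse_init_context zero-initialises the context, which is outside this hunk and worth stating in the comment. rootdse_handle_netlogon starts and ends outside this hunk.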
@@ -787,50 +790,19 @@ static int rootdse_handle_netlogon(struct rootdse_context *ac)
 version, lp_ctx, &netlogon, false);
 if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto done;
 }
 
- status = push_netlogon_samlogon_response(&blob, tmp_ctx, &netlogon);
+ status = push_netlogon_samlogon_response(&ac->netlogon, ac, &netlogon);
 if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
-
- msg = ldb_msg_new(tmp_ctx);
- if (!msg) {
- error = ldb_oom(ldb);
- goto failed;
- }
-
- msg->dn = ldb_dn_new(msg, ldb, "");
- if (!msg->dn) {
- error = ldb_oom(ldb);
- goto failed;
- }
-
- ret = ldb_msg_add_value(msg, "netlogon", &blob, NULL);
- if (ret != LDB_SUCCESS) {
- error = ret;
- goto failed;
- }
-
- ret = ldb_module_send_entry(ac->req, msg, NULL);
- if (ret != LDB_SUCCESS) {
- error = ret;
- goto failed;
- }
-
- ret = ldb_module_done(ac->req, NULL, NULL, LDB_SUCCESS);
- if (ret != LDB_SUCCESS) {
- error = ret;
- goto failed;
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto done;
 }
 
+done:
 talloc_free(tmp_ctx);
- return LDB_SUCCESS;
-
-failed:
- talloc_free(tmp_ctx);
- return ldb_module_done(ac->req, NULL, NULL, error);
+ return ret;
 }
 
 
 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
@@ -863,11 +835,14 @@ static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
 return ldb_operr(ldb);
 }
 
- if (req->op.search.attrs &&
- req->op.search.attrs[0] &&
- req->op.search.attrs[1] == NULL &&
- ldb_attr_cmp(req->op.search.attrs[0], "netlogon") == 0) {
- return rootdse_handle_netlogon(ac);
+ if (do_attribute_explicit(req->op.search.attrs, "netlogon")) {
+ ret = rootdse_handle_netlogon(ac);
+ /* Finish with an empty reply here, either if:
+ * - An error was returned, or
+ * - No valid netlogon generated (i.e filter didn't match). */
+ if (ret != LDB_SUCCESS || ac->netlogon.length == 0) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
+ }
 }
 
 /* in our db we store the rootDSE with a DN of @ROOTDSE */
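Review bot: Both failure branches of rootdse_handle_netlogon now collapse to `ret = LDB_ERR_OPERATIONS_ERROR;` and discard the NTSTATUS from fill_netlogon_samlogon_response and push_netlogon_samlogon_response, where the removed code at least separated out-of-memory via ldb_oom; a netlogon response that fails to build would be hard to diagnose from the client-visible error alone. Logging the status before each `goto done`, e.g. `ldb_debug(ldb, LDB_DEBUG_ERROR, "rootdse: building netlogon response failed: %s", nt_errstr(status));`, keeps the diagnostic. Moving the blob to `&ac->netlogon` allocated on `ac` is what lets the callback attach it later and ties its lifetime to the context rather than tmp_ctx; a one-line comment at the push call would save the next reader working that out. The function's declarations are in the previous hunk.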
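Review bot: The removed condition in rootdse_search checked `req->op.search.attrs` for NULL before touching it, while the new `do_attribute_explicit(req->op.search.attrs, "netlogon")` passes the list straight through; this is safe only if do_attribute_explicit tolerates a NULL attribute list (a rootDSE search with no attributes named), which is outside this hunk and worth confirming. `ret` is assigned here but its declaration is not in the hunk; if rootdse_search had no `ret` local before, one is needed. The comment reads better as `/* Finish with an empty reply if rootdse_handle_netlogon failed, or if the filter did not match and no netlogon blob was generated. */`. rootdse_search continues outside the hunk.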