ads_connect: Return immediately on a failed GC connection.
author Gerald (Jerry) Carter <jerry@samba.org>
Fri, 16 Jan 2009 18:06:49 +0000 (12:06 -0600)
committer Gerald (Jerry) Carter <jerry@samba.org>
Fri, 16 Jan 2009 18:15:33 +0000 (12:15 -0600)
ads_connect_gc() feeds an explicit server to ads_connect().  However, if the
resulting connection fails, the latter function was attempting to find a DC
on its own and continuing the connection.  This resulted in GC searches being
sent over a connection using port 389 which would fail when using the base
search suffix outside of the domain naming context.

The fix is to fail immediately in ads_connect() since the GC lookup ordering
is handled already in ads_connect_gc().

source3/libads/ldap.c

index a598580941b5d22590cc15f3b485015e9adc6b37..f6da54f35ba74bd16faef61be092db73b9ec0fc5 100644 (file)
@@ -581,9 +581,20 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
                TALLOC_FREE(s);
        }
 
-       if (ads->server.ldap_server &&
-           ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
-               goto got_connection;
+       if (ads->server.ldap_server)
+       {
+               if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
+                       goto got_connection;
+               }
+
+               /* The choice of which GC use is handled one level up in
+                  ads_connect_gc().  If we continue on from here with
+                  ads_find_dc() we will get GC searches on port 389 which
+                  doesn't work.   --jerry */
+
+               if (ads->server.gc == true) {
+                       return ADS_ERROR(LDAP_OPERATIONS_ERROR);
+               }
        }
 
        ntstatus = ads_find_dc(ads);
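
Review bot: The early exit in the `ads->server.gc` branch, `return ADS_ERROR(LDAP_OPERATIONS_ERROR);`, reports a generic code and logs nothing, so a caller cannot tell a failed connection to the explicit GC from any other operations error. A debug message naming `ads->server.ldap_server` at that point would make the failure diagnosable, and a connection-specific status such as `LDAP_SERVER_DOWN` would describe it more precisely. When `ads->server.gc` is false, a failed connect to the explicit server still falls through to `ads_find_dc()`; if that fallback is intended for the non-GC case, the comment should say so. Style: the opening brace after `if (ads->server.ldap_server)` sits on its own line while the nested `if` keeps it on the same line, `ads->server.gc == true` can be written as `ads->server.gc`, and the comment's "which GC use" should read "which GC to use".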