From 0b67ee6c9c54e4232821ebba9c3a408148fcce8c Mon Sep 17 00:00:00 2001
From: Zac Bergquist <zac.bergquist@goteleport.com>
Date: Mon, 21 Oct 2024 17:18:10 -0600
Subject: [PATCH] Filter Linux hosts out from desktop LDAP discovery results
 (#47773)

Domain joined Linux hosts (including those used for Teleport's
db_service with MS SQL) won't support RDP, so prevent them from
being discovered and registered with Teleport.

Closes #14116
---
 lib/srv/desktop/discovery.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/srv/desktop/discovery.go b/lib/srv/desktop/discovery.go
index 104cc9ba98808..7c9d8a76a0e58 100644
--- a/lib/srv/desktop/discovery.go
+++ b/lib/srv/desktop/discovery.go
@@ -262,6 +262,10 @@ func (s *WindowsService) ldapEntryToWindowsDesktop(ctx context.Context, entry *l
 	labels[types.DiscoveryLabelWindowsDomain] = s.cfg.Domain
 	s.applyLabelsFromLDAP(entry, labels)
 
+	if os, ok := labels[types.DiscoveryLabelWindowsOS]; ok && strings.Contains(os, "linux") {
+		return nil, trace.BadParameter("LDAP entry looks like a Linux host")
+	}
+
 	addrs, err := s.lookupDesktop(ctx, hostname)
 	if err != nil || len(addrs) == 0 {
 		return nil, trace.WrapWithMessage(err, "couldn't resolve %q", hostname)