On 01/14/2014 02:09 PM, Alexander Bokovoy wrote:
> On Mon, 13 Jan 2014, Sumit Bose wrote:
>> Hi,
>>
>> Scott found that the fix for
>> https://fedorahosted.org/freeipa/ticket/4028 is not complete. After some
>> checks and comparisons with samba and AD behaviour I came to the
>> conclusion that the two \\ at the beginning of the NetBIOS name of the
>> IPA server are not needed in the response to NETLOGON_NT_VERSION_5EX
>> requests, which is the only type we handle so far.
>>
>> In general AD seems to be smart enough to handle the \\ even in those
>> responses, but if the NetBIOS name has 15 characters the response is not
>> accepted anymore.
>>
>> Please check if you can see any regressions with this change.
>>
>> During testing I came across two things related to samba.
>> While looking at a network trace Scott recorded it looked like Samba does
>> not cut a long hostname for the NetBIOS name. This might be in agreement
>> with what Metze recently posted in his master4-schannel-ok branch for
>> netlogon_creds_cli_context_global(). As usual Metze is smarter than us
>> and tried to minimize the chance for name collisions with the help of
>> Jenkins hash. I just wonder why he treats the NetBIOS name only here
>> this way and not generally? With respect to IPA we might want to
>> consider setting 'netbios name' in the samba config explicitly to avoid
>> disconnects?
> Yes, we may do that in ipa-adtrust-install.
>
>
>> While testing against AD with other request types I've seen that in some
>> cases the NetBIOS name was returned with the two additional \ in the
>> beginning, even if the AD NetBIOS name already had 15 characters.
>> Strangely, the name was even encoded in UCS-2 in this case. Unfortunately I
>> was not able to find good documentation on the specifics of those
>> packages. If you know some good docs please send me the link, otherwise
>> we might want to ask MSFT for clarification.
> According to MS-ADTS, NetbiosComputerName field is
> ---------------------------------------------------------------------
> UTF-8 encoded value of the NetBIOS name of the server, compressed as
> specified in [RFC1035] section 4.1.4. To get the decompressed string,
> see section 6.3.7.
> ---------------------------------------------------------------------
>
> According to MS-NBTE (2.2.1),
> ----------------------------------------------------------------------
> This document clarifies the ambiguity by specifying that the name space
> is defined as sixteen 8-bit binary bytes, with no restrictions, except
> that the name SHOULD NOT<2><3> start with an asterisk (*).
> ----------------------------------------------------------------------
>
> Cases when \\ and UCS-2 encoding are used seem to be remnants of the
> older implementations. I think they should be ignored at best.
>
>> From 0b782064945352ad488e92b457bbfda2270ddf66 Mon Sep 17 00:00:00 2001
>> From: Sumit Bose <[email protected]>
>> Date: Mon, 13 Jan 2014 10:43:33 +0100
>> Subject: [PATCH] CLDAP: do not prepend \\
>>
>> For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
>> the PDC NetBIOS name. In general AD seems to be smart enough to handle
>> the two \ signs. But if the NetBIOS name reaches the maximum of 15
>> characters AD does not accept the responses anymore.
>>
>> Fixes https://fedorahosted.org/freeipa/ticket/4028
>> ---
>> daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
>> b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
>> index
>> 9ba05829418a0d1de46f2c7776cc15c54a9eab1c..c03172d474589ddee84f1cfa5395c23fdba83bcb
>> 100644
>> --- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
>> +++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
>> @@ -163,7 +163,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, >> char *domain, >> nlr->domain_name = name; >> >> /* copy the first 15 characters of the fully qualified hostname*/ >> - pdc_name = talloc_asprintf(nlr, "\\\\%.*s", NETBIOS_NAME_MAX, >> fq_hostname); >> + pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname); >> >> for (p = pdc_name; *p; p++) { >> /* Create the NetBIOS name from the first segment of the hostname */ > ACK. >
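Review bot: The one-token change is correct, but the comment kept above the call, `/* copy the first 15 characters of the fully qualified hostname*/`, still leaves implicit why 15 is the limit; consider extending it to say that MS-NBTE allows sixteen bytes with the last byte reserved for the suffix, so the pre-patch two-byte `\\\\` prefix turned a 15-character label into a 17-byte name, which is the case AD rejected. A second point worth a comment: `%.*s` with `NETBIOS_NAME_MAX` truncates the whole `fq_hostname` before the loop below cuts at the first label, so labels longer than 15 characters are silently shortened, and the thread notes Samba does not truncate the same way; unless `netbios name` is set explicitly in ipa-adtrust-install, the name advertised here can differ from the one Samba uses.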
Pushed to master, ipa-3-3.

Martin

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
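To make the length argument in the thread concrete, here is an added example (not FreeIPA code) that derives a PDC NetBIOS name from a hostname the way the patched `talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname)` line does, with a switch to reproduce the pre-patch `"\\\\%.*s"` form, and checks the result against the MS-NBTE constraints quoted above. The `netbios_name_from_fqdn`, `netbios_name_is_valid`, `netbios_name_matches` and `fqdn_yields_valid_netbios` names, the sample hostnames and the upper-casing step are this example's own assumptions; the original loop body is not shown on the page.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* MS-NBTE 2.2.1: a NetBIOS name is sixteen 8-bit bytes; the sixteenth byte
 * carries the suffix, which leaves at most 15 bytes for the computer name. */
#define NETBIOS_NAME_MAX 15

/* Derive the PDC NetBIOS name from a fully qualified hostname the way the
 * CLDAP encoder does after the patch: keep the first NETBIOS_NAME_MAX
 * characters of fq_hostname, then cut at the first '.' so only the first
 * DNS label remains. prepend_slashes reproduces the pre-patch "\\\\%.*s"
 * format for comparison. Upper-casing is this example's assumption.
 * Writes the name into out (outlen bytes) and returns its length. */
size_t netbios_name_from_fqdn(const char *fq_hostname, bool prepend_slashes,
                              char *out, size_t outlen)
{
    char buf[2 + NETBIOS_NAME_MAX + 1];   /* "\\\\" + 15 chars + NUL */
    char *p;

    /* Same truncation as the %.*s precision in the patched format string:
     * the FQDN is cut to 15 characters before the prefix is counted. */
    snprintf(buf, sizeof(buf), "%s%.*s", prepend_slashes ? "\\\\" : "",
             NETBIOS_NAME_MAX, fq_hostname);

    /* Create the NetBIOS name from the first segment of the hostname */
    for (p = buf; *p; p++) {
        if (*p == '.') {
            *p = '\0';
            break;
        }
        *p = (char)toupper((unsigned char)*p);
    }

    if (outlen == 0)
        return 0;
    strncpy(out, buf, outlen - 1);
    out[outlen - 1] = '\0';
    return strlen(out);
}

/* Constraints quoted from MS-NBTE: at most 15 bytes for the computer name,
 * and the name SHOULD NOT start with '*'. A 15-character label with the old
 * "\\\\" prefix is 17 bytes and fails here, matching the AD behaviour
 * described in the thread. */
bool netbios_name_is_valid(const char *name)
{
    size_t len = strlen(name);
    return len > 0 && len <= NETBIOS_NAME_MAX && name[0] != '*';
}

/* Convenience wrappers so the derivation can be checked without buffers. */
bool netbios_name_matches(const char *fqdn, bool prepend_slashes,
                          const char *expected)
{
    char out[2 + NETBIOS_NAME_MAX + 1];
    netbios_name_from_fqdn(fqdn, prepend_slashes, out, sizeof(out));
    return strcmp(out, expected) == 0;
}

bool fqdn_yields_valid_netbios(const char *fqdn, bool prepend_slashes)
{
    char out[2 + NETBIOS_NAME_MAX + 1];
    netbios_name_from_fqdn(fqdn, prepend_slashes, out, sizeof(out));
    return netbios_name_is_valid(out);
}

int main(void)
{
    /* Constructed sample hostnames; the 15-character label is the case
     * that AD rejected before the patch. */
    const char *samples[] = {
        "ipa.example.com",
        "ipaserver123456.example.com",
        "verylonghostname01.example.com",
    };
    char out[2 + NETBIOS_NAME_MAX + 1];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        netbios_name_from_fqdn(samples[i], true, out, sizeof(out));
        printf("%-32s pre-patch  %-18s %s\n", samples[i], out,
               netbios_name_is_valid(out) ? "ok" : "too long");
        netbios_name_from_fqdn(samples[i], false, out, sizeof(out));
        printf("%-32s post-patch %-18s %s\n", samples[i], out,
               netbios_name_is_valid(out) ? "ok" : "too long");
    }
    return 0;
}
```

Running it shows why short names worked either way: a three-character label plus the two backslashes is still well inside 15 bytes, so AD tolerated the prefix, while a label that already uses all 15 characters becomes 17 bytes with the prefix and only fits once the prefix is dropped. The third sample also shows the silent truncation of labels longer than 15 characters that the thread contrasts with Samba's behaviour.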
