Hi, attached patch fixes https://fedorahosted.org/freeipa/ticket/4827
It is worth noting that MS-ADTS spec is wrong on this, I'm going to get Microsoft to fix the spec as Windows Server 2012 responds in the same way both on LDAP ping and mailslot ping while documentation insists on them being different. Thanks to Stephan Metzemacher (Samba Team) who noticed we are producing wrong output here. Details are in the patch and in the ticket.

--
/ Alexander Bokovoy
From bc0a15e26b7a19e772453e6de831822fe9cbb40d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Thu, 15 Jan 2015 13:11:01 +0200 Subject: [PATCH 2/3] ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping", if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the socket address of the server and set the NtVer of the response accordingly. The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave the same way as a mailslot ping, described in 6.3.5, where socket address of the server is included only if _WITH_IP variant was requested in NtVer. If NtVer only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket address should not be filled in. Additionally, this means we should use special variant of ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional existence of the socket address in the response. https://fedorahosted.org/freeipa/ticket/4827 --- .../ipa-cldap/ipa_cldap_netlogon.c | 24 ++++++++++++---------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c index 1d16de7..2f5b949 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c +++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c @@ -153,9 +153,6 @@ char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s) return nb_name; } -#define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \ - (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX - static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, char *guid, char *sid, char *name, uint32_t ntver, struct berval *reply) 
@@ -164,13 +161,14 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, enum ndr_err_code ndr_err; DATA_BLOB blob; int ret; + ndr_push_flags_fn_t pusher = (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags; nlr = talloc_zero(NULL, struct NETLOGON_SAM_LOGON_RESPONSE_EX); if (!nlr) { return ENOMEM; } - if (!(ntver & NETLOGON_NT_VERSION_5EX)) { + if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) { ret = EINVAL; goto done; } @@ -197,17 +195,21 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, nlr->server_site = "Default-First-Site-Name"; nlr->client_site = "Default-First-Site-Name"; /* nlr->sockaddr_size (filled in by ndr_push) */ - nlr->sockaddr.sockaddr_family = 2; - nlr->sockaddr.pdc_ip = "127.0.0.1"; - nlr->sockaddr.remaining.length = 8; - nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8); - /* nlr->next_closest_site */ + nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1; + if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) { + nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP; + nlr->sockaddr.sockaddr_family = 2; + nlr->sockaddr.pdc_ip = "127.0.0.1"; + nlr->sockaddr.remaining.length = 8; + nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8); + } + + /* nlr->next_closest_site */ nlr->lmnt_token = 0xFFFF; nlr->lm20_token = 0xFFFF; - ndr_err = ndr_push_struct_blob(&blob, nlr, nlr, - NETLOGON_SAM_LOGON_RESPONSE_EX_pusher); + ndr_err = ndr_push_struct_blob(&blob, nlr, nlr, pusher); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { ret = EFAULT; goto done; -- 2.1.0
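Review bot: In the hunk at `@@ -164,13 +161,14 @@`, the new guard `if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)))` also accepts a request that carries only the _WITH_IP bit without NETLOGON_NT_VERSION_5EX, while the response built later always advertises NETLOGON_NT_VERSION_5EX; if a _WITH_IP-only request is not a valid EX request, keep requiring the 5EX bit and treat _WITH_IP purely as a modifier, otherwise a one-line comment stating that _WITH_IP implies the EX format would document the choice. The cast `(ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags` repeats the pattern of the removed macro and is only safe while that helper keeps a signature compatible with `ndr_push_flags_fn_t`; a short comment recording that assumption next to the local `pusher` would help the next person who touches this code.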
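Review bot: In the hunk at `@@ -197,17 +195,21 @@`, the socket address returned to clients that request NETLOGON_NT_VERSION_5EX_WITH_IP is still the hard-coded `nlr->sockaddr.pdc_ip = "127.0.0.1";` with an all-zero `remaining` buffer; before this change that value was pushed unconditionally, but now it is sent exactly when a client explicitly asks for the DC address, so either fill it with the address the server actually answered the ping on or leave a TODO saying the loopback value is a placeholder. `nlr->sockaddr.sockaddr_family = 2;` would read better as `AF_INET`. Also confirm that `nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1;` does not overwrite an assignment made earlier in the function, since the diff context does not show where nt_version was previously set.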
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel