[Freeipa-devel] [PATCH] 0173 Fix ipa-cldap plugin to follow Samba Netlogon response

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 16 08:37:36 UTC 2015


Hi,

attached patch fixes https://fedorahosted.org/freeipa/ticket/4827

It is worth noting that the MS-ADTS spec is wrong on this. I'm going to get
Microsoft to fix the spec, as Windows Server 2012 responds in the same
way to both LDAP ping and mailslot ping, while the documentation insists on
them being different.

Thanks to Stefan Metzmacher (Samba Team), who noticed we are producing
wrong output here.

Details are in the patch and in the ticket.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From bc0a15e26b7a19e772453e6de831822fe9cbb40d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 15 Jan 2015 13:11:01 +0200
Subject: [PATCH 2/3] ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP
 properly

According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
socket address of the server and set the NtVer of the response accordingly.

The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
the same way as a mailslot ping, described in 6.3.5, where socket address of the
server is included only if _WITH_IP variant was requested in NtVer.  If NtVer
only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
address should not be filled in.

Additionally, this means we should use special variant of
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
existence of the socket address in the response.

https://fedorahosted.org/freeipa/ticket/4827
---
 .../ipa-cldap/ipa_cldap_netlogon.c                 | 24 ++++++++++++----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
index 1d16de7..2f5b949 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
@@ -153,9 +153,6 @@ char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s)
     return nb_name;
 }
 
-#define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \
-            (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX
-
 static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
                                      char *guid, char *sid, char *name,
                                      uint32_t ntver, struct berval *reply)
@@ -164,13 +161,14 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
     enum ndr_err_code ndr_err;
     DATA_BLOB blob;
     int ret;
+    ndr_push_flags_fn_t pusher = (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags;
 
     nlr = talloc_zero(NULL, struct NETLOGON_SAM_LOGON_RESPONSE_EX);
     if (!nlr) {
         return ENOMEM;
     }
 
-    if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
+    if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) {
         ret = EINVAL;
         goto done;
     }
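
Review bot: The function-pointer cast on the new pusher initialiser will silence any prototype mismatch between ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags and ndr_push_flags_fn_t, so please confirm that the helper takes exactly the arguments ndr_push_struct_blob passes to a pusher, and note that in a comment next to the cast. The declaration also runs well past 80 columns; declaring pusher first and assigning it on a following line would fix that. On the relaxed NtVer test, a request carrying only NETLOGON_NT_VERSION_5EX_WITH_IP without NETLOGON_NT_VERSION_5EX is now accepted; a one-line comment saying this is intended would help the next reader.
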
@@ -197,17 +195,21 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
     nlr->server_site = "Default-First-Site-Name";
     nlr->client_site = "Default-First-Site-Name";
     /* nlr->sockaddr_size (filled in by ndr_push) */
-    nlr->sockaddr.sockaddr_family = 2;
-    nlr->sockaddr.pdc_ip = "127.0.0.1";
-    nlr->sockaddr.remaining.length = 8;
-    nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
-    /* nlr->next_closest_site */
+
     nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1;
+    if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) {
+        nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP;
+        nlr->sockaddr.sockaddr_family = 2;
+        nlr->sockaddr.pdc_ip = "127.0.0.1";
+        nlr->sockaddr.remaining.length = 8;
+        nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
+    }
+
+    /* nlr->next_closest_site */
     nlr->lmnt_token = 0xFFFF;
     nlr->lm20_token = 0xFFFF;
 
-    ndr_err = ndr_push_struct_blob(&blob, nlr, nlr,
-                                   NETLOGON_SAM_LOGON_RESPONSE_EX_pusher);
+    ndr_err = ndr_push_struct_blob(&blob, nlr, nlr, pusher);
     if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
         ret = EFAULT;
         goto done;
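
Review bot: In the new NETLOGON_NT_VERSION_5EX_WITH_IP branch, pdc_ip is still the hard-coded "127.0.0.1", while the commit message says the socket address of the server should be filled in, so a client that explicitly asks for the address gets loopback back. Either use the address the request arrived on or add a comment explaining why the placeholder is acceptable. In the same branch the result of talloc_zero_size(nlr, 8) is not checked, which leaves remaining.length = 8 with a NULL data pointer if the allocation fails; set ret = ENOMEM and goto done there, as is done for the nlr allocation. The literal 2 for sockaddr_family would also read better as a named constant or with a short comment.
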
-- 
2.1.0
