[Freeipa-devel] [PATCH 125] CLDAP: do not prepend \\

Alexander Bokovoy abokovoy at redhat.com
Tue Jan 14 13:09:58 UTC 2014


On Mon, 13 Jan 2014, Sumit Bose wrote:
>Hi,
>
>Scott found that the fix for
>https://fedorahosted.org/freeipa/ticket/4028 is not complete. After some
>checks and comparisons with samba and AD behaviour I came to the
>conclusion that the two \\ at the beginning of the NetBIOS name of the
>IPA server is not needed in the response of NETLOGON_NT_VERSION_5EX
>requests which is the only type we handle so far.
>
>In general AD seems to be smart enough to handle the \\ even in those
>responses but if the NetBIOS name has 15 characters the response is not
>accepted anymore.
>
>Please check if you can see any regressions with this change.
>
>During testing I came across two things related to samba.
>While looking at a network trace Scott recorded it looked like Samba does
>not cut a long hostname for the NetBIOS name. This might be in agreement
>with what Metze recently posted in his master4-schannel-ok branch for
>netlogon_creds_cli_context_global(). As usual Metze is smarter than us
>and tried to minimize the chance for name collisions with the help of
>Jenkins hash. I just wonder why he treats the NetBIOS name only here
>this way and not generally? With respect to IPA we might want to
>consider setting 'netbios name' in the samba config explicitly to avoid
>disconnects?
Yes, we may do that in ipa-adtrust-install.


>While testing against AD with other request types I've seen that in some
>cases the NetBIOS name was returned with the two additional \ in the
>beginning, even if the AD NetBIOS name already had 15 characters.
>Strangely, the name was even encoded in UCS-2 in this case. Unfortunately I
>was not able to find good documentation on the specifics of those
>packages. If you know some good docs please send me the link, otherwise
>we might want to ask MSFT for clarification.
According to MS-ADTS, NetbiosComputerName field is
---------------------------------------------------------------------
UTF-8 encoded value of the NetBIOS name of the server, compressed as
specified in [RFC1035] section 4.1.4. To get the decompressed string,
see section 6.3.7.
---------------------------------------------------------------------

According to MS-NBTE (2.2.1),
----------------------------------------------------------------------
This document clarifies the ambiguity by specifying that the name space
is defined as sixteen 8-bit binary bytes, with no restrictions, except
that the name SHOULD NOT<2><3> start with an asterisk (*).
----------------------------------------------------------------------

Cases when \\ and UCS-2 encoding are used seem to be remnants of the
older implementations. I think they should be ignored at best.

>From 0b782064945352ad488e92b457bbfda2270ddf66 Mon Sep 17 00:00:00 2001
>From: Sumit Bose <sbose at redhat.com>
>Date: Mon, 13 Jan 2014 10:43:33 +0100
>Subject: [PATCH] CLDAP: do not prepend \\
>
>For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
>the PDC NetBIOS name. In general AD seems to be smart enough to handle
>the two \ signs. But if the NetBIOS name reaches the maximum of 15
>characters AD does not accept the responses anymore.
>
>Fixes https://fedorahosted.org/freeipa/ticket/4028
>---
> daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
>index 9ba05829418a0d1de46f2c7776cc15c54a9eab1c..c03172d474589ddee84f1cfa5395c23fdba83bcb 100644
>--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
>+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
>@@ -163,7 +163,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
>     nlr->domain_name = name;
>
>     /* copy the first 15 characters of the fully qualified hostname*/
>-    pdc_name = talloc_asprintf(nlr, "\\\\%.*s", NETBIOS_NAME_MAX, fq_hostname);
>+    pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname);
>
>     for (p = pdc_name; *p; p++) {
>         /* Create the NetBIOS name from the first segment of the hostname */
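Review bot: the loop at `for (p = pdc_name; *p; p++)` now starts on the first byte of the hostname instead of on the two backslashes; if its body (cut off in this hunk) skips or counts those two leading bytes, it needs the matching adjustment, so please confirm the first-segment cut still gives the expected name both for a hostname whose first label is shorter than NETBIOS_NAME_MAX and for one whose first label is exactly 15 characters. The comment `/* copy the first 15 characters of the fully qualified hostname*/` remains accurate after the change; the commit message would be easier to act on later if it also recorded that the prefixed form was 17 bytes for a 15-character name, which is the concrete reason AD stopped accepting the response.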
ACK.

-- 
/ Alexander Bokovoy
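As an added illustration of the length problem discussed above (not FreeIPA or Samba code): the first label of the FQDN cut to 15 bytes, with and without the two backslashes, measured against the 16-byte name space quoted from MS-NBTE, plus the RFC 1035 label framing MS-ADTS specifies for NetbiosComputerName. Treating the 16-byte bound as the accept/reject rule, and the sample hostname, are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#define NETBIOS_NAME_MAX 15        /* truncation limit used in ipa_cldap_netlogon.c */
#define NETBIOS_NAMESPACE_BYTES 16 /* "sixteen 8-bit binary bytes", MS-NBTE 2.2.1 */

/* First label of fq_hostname cut to NETBIOS_NAME_MAX bytes, optionally preceded
 * by the "\\" the patch removes. Returns the number of bytes written (NUL added). */
size_t pdc_netbios_name(const char *fq_hostname, int prepend_backslashes,
                        char out[NETBIOS_NAME_MAX + 3])
{
    size_t n = 0;
    if (prepend_backslashes) {       /* behaviour before the patch */
        out[n++] = '\\';
        out[n++] = '\\';
    }
    for (size_t i = 0; fq_hostname[i] && fq_hostname[i] != '.' &&
                       i < NETBIOS_NAME_MAX; i++)
        out[n++] = fq_hostname[i];
    out[n] = '\0';
    return n;
}

/* Assumption: AD accepts a name iff it fits the 16-byte space MS-NBTE defines. */
int fits_netbios_namespace(size_t name_len)
{
    return name_len > 0 && name_len <= NETBIOS_NAMESPACE_BYTES;
}

/* One RFC 1035 label (length octet, bytes, zero octet): the compressed form
 * MS-ADTS gives for NetbiosComputerName. Returns bytes written, 0 if it won't fit. */
size_t encode_netbios_label(const char *name, unsigned char *buf, size_t buflen)
{
    size_t len = strlen(name);
    if (len == 0 || len > 63 || buflen < len + 2)
        return 0;
    buf[0] = (unsigned char)len;
    memcpy(buf + 1, name, len);
    buf[len + 1] = 0;
    return len + 2;
}

int main(void)
{
    const char *fqdn = "ipaserver123456.example.com"; /* constructed: 15-byte first label */
    char before[NETBIOS_NAME_MAX + 3], after[NETBIOS_NAME_MAX + 3];
    size_t lb = pdc_netbios_name(fqdn, 1, before), la = pdc_netbios_name(fqdn, 0, after);
    printf("before: %-18s %2zu bytes fits=%d\n", before, lb, fits_netbios_namespace(lb));
    printf("after:  %-18s %2zu bytes fits=%d\n", after, la, fits_netbios_namespace(la));
}
```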
