author | Alexander Bokovoy <abokovoy@redhat.com> | 2015-01-15 13:11:01 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2015-01-19 12:05:52 +0100 |
commit | 5672eb14def7b2010f1d08825eec58ff1444073f (patch) | |
tree | 974fdf09b0b4d578637760da9e7965016df0397f /daemons | |
parent | d57efb74bb6ad91b029fffff39ed4e482c41f8ba (diff) | |
ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly
According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
socket address of the server and set the NtVer of the response accordingly.
The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
the same way as a mailslot ping, described in 6.3.5, where socket address of the
server is included only if _WITH_IP variant was requested in NtVer. If NtVer
only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
address should not be filled in.
Additionally, this means we should use the special variant of the
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper, named
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags, to properly handle the
optional presence of the socket address in the response.
https://fedorahosted.org/freeipa/ticket/4827
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
index 1d16de7be..5863f667e 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
@@ -154,7 +154,7 @@ char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s)
 }
 #define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \
-    (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX
+    (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags
 static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
                                      char *guid, char *sid, char *name,
@@ -170,7 +170,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
         return ENOMEM;
     }
-    if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
+    if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) {
         ret = EINVAL;
         goto done;
     }
@@ -197,12 +197,17 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
     nlr->server_site = "Default-First-Site-Name";
     nlr->client_site = "Default-First-Site-Name";
     /* nlr->sockaddr_size (filled in by ndr_push) */
-    nlr->sockaddr.sockaddr_family = 2;
-    nlr->sockaddr.pdc_ip = "127.0.0.1";
-    nlr->sockaddr.remaining.length = 8;
-    nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
-    /* nlr->next_closest_site */
+    nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1;
+    if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) {
+        nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP;
+        nlr->sockaddr.sockaddr_family = 2;
+        nlr->sockaddr.pdc_ip = "127.0.0.1";
+        nlr->sockaddr.remaining.length = 8;
+        nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
+    }
+
+    /* nlr->next_closest_site */
     nlr->lmnt_token = 0xFFFF;
     nlr->lm20_token = 0xFFFF;
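Review bot: The widened condition in the second hunk accepts a request that sets NETLOGON_NT_VERSION_5EX_WITH_IP but not NETLOGON_NT_VERSION_5EX, and the response built further down is still encoded in the 5EX format because nt_version is forced to 5EX|V1 regardless; if treating _WITH_IP as implying 5EX is intentional, a comment on the condition should say so, e.g. `/* _WITH_IP implies the 5EX response format, so either bit selects it */`. Requests carrying neither bit are still rejected with EINVAL, as before the patch. ipa_cldap_encode_netlogon starts and ends outside this hunk.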
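Review bot: In the third hunk `talloc_zero_size(nlr, 8)` is still assigned to `nlr->sockaddr.remaining.data` without a NULL check, so on allocation failure the encoder would later be handed a length of 8 paired with a NULL data pointer; the error path already used earlier in this function fits here, `if (nlr->sockaddr.remaining.data == NULL) { ret = ENOMEM; goto done; }`. Separately, the address now advertised to clients that ask for _WITH_IP is the fixed string "127.0.0.1" with family 2, not the server's own socket address that the commit message and MS-ADTS 6.3.3.2 describe. If that placeholder is deliberate, a comment such as `/* placeholder, not the DC's real address; clients are not expected to connect to it */` would keep a future reader from relying on the field, and the literal `2` would read better as AF_INET. The enclosing function continues past the end of the hunk.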