From 5672eb14def7b2010f1d08825eec58ff1444073f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Thu, 15 Jan 2015 13:11:01 +0200 Subject: ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping", if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the socket address of the server and set the NtVer of the response accordingly. The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave the same way as a mailslot ping, described in 6.3.5, where socket address of the server is included only if _WITH_IP variant was requested in NtVer. If NtVer only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket address should not be filled in. Additionally, this means we should use special variant of ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional existence of the socket address in the response. https://fedorahosted.org/freeipa/ticket/4827 Reviewed-By: Sumit Bose Reviewed-By: Simo Sorce --- .../ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) (limited to 'daemons') diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c index 1d16de7be..5863f667e 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c +++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c @@ -154,7 +154,7 @@ char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s) } #define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \ - (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX + (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, char *guid, char *sid, char *name, @@ -170,7 +170,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, return ENOMEM; } - if (!(ntver & NETLOGON_NT_VERSION_5EX)) { + if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) { ret = EINVAL; goto done; } @@ -197,12 +197,17 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, nlr->server_site = "Default-First-Site-Name"; nlr->client_site = "Default-First-Site-Name"; /* nlr->sockaddr_size (filled in by ndr_push) */ - nlr->sockaddr.sockaddr_family = 2; - nlr->sockaddr.pdc_ip = "127.0.0.1"; - nlr->sockaddr.remaining.length = 8; - nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8); - /* nlr->next_closest_site */ + nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1; + if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) { + nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP; + nlr->sockaddr.sockaddr_family = 2; + nlr->sockaddr.pdc_ip = "127.0.0.1"; + nlr->sockaddr.remaining.length = 8; + nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8); + } + + /* nlr->next_closest_site */ nlr->lmnt_token = 0xFFFF; nlr->lm20_token = 0xFFFF; -- cgit