IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP properly

Browse Source 
According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
socket address of the server and set the NtVer of the response accordingly.

The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
the same way as a mailslot ping, described in 6.3.5, where socket address of the
server is included only if _WITH_IP variant was requested in NtVer.  If NtVer
only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
address should not be filled in.

Additionally, this means we should use special variant of
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
existence of the socket address in the response.

https://fedorahosted.org/freeipa/ticket/4827

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This commit is contained in:
Alexander Bokovoy 2015-01-15 13:11:01 +02:00 committed by Martin Kosek
parent ecd6896664
commit 426759f47f
1 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
View File

@ -154,7 +154,7 @@ char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s)
}
#define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \
(ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX
(ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags
static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
char *guid, char *sid, char *name,
@ -170,7 +170,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
return ENOMEM;
}
if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) {
ret = EINVAL;
goto done;
}
@ -197,12 +197,17 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
nlr->server_site = "Default-First-Site-Name";
nlr->client_site = "Default-First-Site-Name";
/* nlr->sockaddr_size (filled in by ndr_push) */
nlr->sockaddr.sockaddr_family = 2;
nlr->sockaddr.pdc_ip = "127.0.0.1";
nlr->sockaddr.remaining.length = 8;
nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
/* nlr->next_closest_site */
nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1;
if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) {
nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP;
nlr->sockaddr.sockaddr_family = 2;
nlr->sockaddr.pdc_ip = "127.0.0.1";
nlr->sockaddr.remaining.length = 8;
nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
}
/* nlr->next_closest_site */
nlr->lmnt_token = 0xFFFF;
nlr->lm20_token = 0xFFFF;