Let winbindd work against a FreeIPA server

Alexander Bokovoy ab at samba.org
Thu Jan 15 04:33:03 MST 2015


On Mon, Jan 5, 2015 at 5:49 PM, Stefan (metze) Metzmacher
<metze at samba.org> wrote:
> Hi,
>
> here're patches to improve the behavior of winbindd when contacting
> domain controllers of trusted ad domains.
>
> We should use the same code path as we use with "security = ads"
> for our primary domain, which means using DNS=>CLDAP with a fallback
> to netbios name and dc lookup.
>
> This is important when talking to FreeIPA DCs, they only provide
> DNS and CLDAP.
>
> The first patch makes sure we can parse the broken netlogon attribute
> generated by FreeIPA. Someone should try to fix the FreeIPA server
> to use ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags()
> instead of ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX().
>
> Please review and push...
I've started looking into the FreeIPA part of it and I think Samba is
actually wrong here on the CLDAP level.

According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP
Ping", we should fill the socket address of the server
unconditionally.

Samba behavior is actually following 6.3.5 "Mailslot ping" and expects
LDAP ping to behave the same way as a mailslot ping, where socket
address of the server is included only if _WITH_IP variant was
requested in NtVer. If NtVer only contains NETLOGON_NT_VERSION_5EX
(without the _WITH_IP bit), the socket address should not be filled in.

This seems to be a deviation from MS-ADTS. Samba AD DC code in
source4/dsdb/samdb/ldb_modules/netlogon.c:fill_netlogon_samlogon_response()
also incorrectly assumes mailslot ping behavior to happen on an LDAP
ping request.

So either MS-ADTS is incorrect here or Samba implementation does not
differentiate LDAP ping and Mailslot ping.
-- 
/ Alexander Bokovoy