Let winbindd work against a FreeIPA server
Guenther Deschner
gd at samba.org
Thu Jan 15 04:58:44 MST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Alexander,
have you also checked the differences on the wire against windows dcs?
Could you please provide some traces from both mailslot and cldap
netlogon queries against windows? Once we have "binary proof" we
should ask for clarification of what is wrong, docs or windows and
then afterwards fix Samba.
Thanks,
Guenther
On 15/01/15 12:33, Alexander Bokovoy wrote:
> On Mon, Jan 5, 2015 at 5:49 PM, Stefan (metze) Metzmacher
> <metze at samba.org> wrote:
>> Hi,
>>
>> here're patches to improve the behavior of winbindd when
>> contacting domain controllers of trusted ad domains.
>>
>> We should use the same code path as we use with "security = ads"
>> for our primary domain, which means using DNS=>CLDAP with a
>> fallback to netbios name and dc lookup.
>>
>> This is important when talking to FreeIPA DCs, they only provide
>> DNS and CLDAP.
>>
>> The first patch makes sure we can parse the broken netlogon
>> attribute generated by FreeIPA. Someone should try to fix the
>> FreeIPA server to use
>> ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags() instead of
>> ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX().
>>
>> Please review and push...
> I've started looking into FreeIPA part of it and I think Samba is
> actually wrong here on CLDAP level.
>
> According to MS-ADTS 6.3.3.2, "Domain Controller Response to an
> LDAP Ping", we should fill the socket address of the server
> unconditionally.
>
> Samba behavior is actually following 6.3.5 "Mailslot ping" and
> expects LDAP ping to behave the same way as a mailslot ping, where
> socket address of the server is included only if _WITH_IP variant
> was requested in NtVer. If NtVer only contains
> NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket address
> should not be filled in.
>
> This seems to be a deviation from MS-ADTS. Samba AD DC code in
> source4/dsdb/samdb/ldb_modules/netlogon.c:fill_netlogon_samlogon_response()
> also incorrectly assumes mailslot ping behavior to happen on LDAP
> ping request.
>
> So either MS-ADTS is incorrect here or Samba implementation does
> not differentiate LDAP ping and Mailslot ping.
>
- --
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlS3q20ACgkQSOk3aI7hFoi1mQCeKIJn/GS5wJfZnIWYOYId7DcO
iHgAnRqELE23SC3zqu6dOhvDVQi0XwR3
=sRuu
-----END PGP SIGNATURE-----
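The rule Alexander describes above, as an added worked example that is not code from Samba, FreeIPA or any participant in this thread: it models when a NETLOGON_SAM_LOGON_RESPONSE_EX should carry the DC's socket address under the MS-ADTS reading (LDAP ping: always; mailslot ping: only with the _WITH_IP bit in NtVer) versus the behaviour the thread attributes to Samba's fill_netlogon_samlogon_response(), which applies the mailslot rule to both. The flag values (NETLOGON_NT_VERSION_5EX = 0x4, NETLOGON_NT_VERSION_5EX_WITH_IP = 0x8) and the 1-byte size plus 16-byte sockaddr_in layout of DcSockAddr are taken from MS-NRPC and are assumptions of this example, not something quoted on the page.

```python
# Added example (not Samba, FreeIPA or thread code): models the MS-ADTS
# distinction between an LDAP (CLDAP) ping (6.3.3.2) and a mailslot ping (6.3.5)
# when deciding whether NETLOGON_SAM_LOGON_RESPONSE_EX includes DcSockAddr.
# Flag values and sockaddr_in layout follow MS-NRPC and are assumed here.
import socket
import struct

NETLOGON_NT_VERSION_5EX = 0x00000004          # assumed value, MS-NRPC 2.2.1.2.1
NETLOGON_NT_VERSION_5EX_WITH_IP = 0x00000008  # assumed value, MS-NRPC 2.2.1.2.1


def sockaddr_wanted(ping_kind, nt_version, spec="ms-adts"):
    """Return True if the EX response should carry the DC socket address.

    ping_kind: "ldap" (CLDAP ping, MS-ADTS 6.3.3.2) or "mailslot" (MS-ADTS 6.3.5)
    spec:      "ms-adts"   -> the specification as read in the thread
               "samba-old" -> the behaviour the thread attributes to Samba:
                              the mailslot rule applied to both ping kinds
    """
    if ping_kind not in ("ldap", "mailslot"):
        raise ValueError("unknown ping kind: %r" % ping_kind)
    if spec not in ("ms-adts", "samba-old"):
        raise ValueError("unknown spec: %r" % spec)
    # Without either 5EX bit the client gets an older response format that
    # has no DcSockAddr field at all (assumption of this example).
    if not nt_version & (NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP):
        return False
    if spec == "ms-adts" and ping_kind == "ldap":
        return True  # 6.3.3.2: socket address filled unconditionally
    # 6.3.5 mailslot rule (and Samba's behaviour for both kinds as described):
    # only when the client explicitly asked for the _WITH_IP variant.
    return bool(nt_version & NETLOGON_NT_VERSION_5EX_WITH_IP)


def encode_dc_sockaddr(ipv4, port=389):
    """Encode DcSockAddrSize + DcSockAddr as a 17-byte blob.

    Layout assumed from MS-NRPC 2.2.1.2.5: one size byte (16), then a
    sockaddr_in of sin_family (AF_INET = 2, little-endian), sin_port
    (network order), sin_addr (network order) and 8 zero bytes.
    """
    sockaddr = (struct.pack("<H", 2)
                + struct.pack(">H", port)
                + socket.inet_aton(ipv4)
                + b"\x00" * 8)
    assert len(sockaddr) == 16
    return bytes([len(sockaddr)]) + sockaddr


def divergences(nt_version):
    """List the ping kinds for which the two readings produce different wire output.

    This is the interoperability gap the thread describes: a client sending
    NtVer = NETLOGON_NT_VERSION_5EX only will see an LDAP ping answered
    differently depending on which rule the server implements.
    """
    return [kind for kind in ("ldap", "mailslot")
            if sockaddr_wanted(kind, nt_version, "ms-adts")
            != sockaddr_wanted(kind, nt_version, "samba-old")]


if __name__ == "__main__":
    plain = NETLOGON_NT_VERSION_5EX
    with_ip = NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP
    print("NtVer=5EX          diverges for:", divergences(plain))
    print("NtVer=5EX|WITH_IP  diverges for:", divergences(with_ip))
    print("DcSockAddr blob:", encode_dc_sockaddr("192.0.2.10").hex())  # constructed address
```

Run stand-alone, the script shows that the two readings only disagree for an LDAP ping whose NtVer lacks the _WITH_IP bit, which is exactly the case where a client parser that expects the mailslot layout trips over a FreeIPA response carrying the extra 17 bytes; a tolerant client-side parser is the defensive counterpart of the first patch mentioned in the thread.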