Let winbindd work against a FreeIPA server

Guenther Deschner gd at samba.org
Thu Jan 15 04:58:44 MST 2015



Hi Alexander,

have you also checked the differences on the wire against windows dcs?
Could you please provide some traces from both mailslot and cldap
netlogon queries against windows? Once we have "binary proof" we
should ask for clarification of what is wrong, docs or windows, and
then afterwards fix Samba.

Thanks,
Guenther

On 15/01/15 12:33, Alexander Bokovoy wrote:
> On Mon, Jan 5, 2015 at 5:49 PM, Stefan (metze) Metzmacher 
> <metze at samba.org> wrote:
>> Hi,
>> 
>> here're patches to improve the behavior of winbindd when
>> contacting domain controllers of trusted ad domains.
>> 
>> We should use the same code path as we use with "security = ads" 
>> for our primary domain, which means using DNS=>CLDAP with a
>> fallback to netbios name and dc lookup.
>> 
>> This is important when talking to FreeIPA DCs, they only provide 
>> DNS and CLDAP.
>> 
>> The first patch makes sure we can parse the broken netlogon
>> attribute generated by FreeIPA. Someone should try to fix the
>> FreeIPA server server to use
>> ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags() instead of
>> ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX().
>> 
>> Please review and push...
> I've started looking into FreeIPA part of it and I think Samba is 
> actually wrong here on CLDAP level.
> 
> According to MS-ADTS 6.3.3.2, "Domain Controller Response to an
> LDAP Ping", we should fill the socket address of the server 
> unconditionally.
> 
> Samba behavior is actually following 6.3.5 "Mailslot ping" and
> expects LDAP ping to behave the same way as a mailslot ping, where
> socket address of the server is included only if _WITH_IP variant
> was requested in NtVer.  If NtVer only contains
> NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket address
> should not be filled in.
> 
> This seems to be a deviation from MS-ADTS. Samba AD DC code in
> source4/dsdb/samdb/ldb_modules/netlogon.c:fill_netlogon_samlogon_response()
> also incorrectly assumes mailslot ping behavior to happen on LDAP
> ping request.
> 
> So either MS-ADTS is incorrect here or Samba implementation does
> not differentiate LDAP ping and Mailslot ping.
> 


-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
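The two readings of the spec that Alexander contrasts above (MS-ADTS 6.3.3.2 "LDAP ping" filling the DC socket address unconditionally, versus 6.3.5 "Mailslot ping" filling it only when the _WITH_IP variant was requested in NtVer) can be written down as a small decision table. The following C program is an added illustration for this thread, not Samba or FreeIPA code: it models each interpretation as a function and enumerates the request combinations on which they disagree. The NtVer bit values are assumed to match Samba's netlogon.idl (NETLOGON_NT_VERSION_5EX = 0x4, NETLOGON_NT_VERSION_5EX_WITH_IP = 0x8); verify them against the tree before relying on them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NtVer request bits. Values assumed to match Samba's netlogon.idl. */
#define NETLOGON_NT_VERSION_5EX         0x00000004u
#define NETLOGON_NT_VERSION_5EX_WITH_IP 0x00000008u

/* Transport over which the netlogon ping arrived. */
enum ping_kind { PING_LDAP, PING_MAILSLOT };

/* Does the request ask for the _EX response structure at all?
 * Responses to older NtVer values have no socket address field. */
static bool wants_ex_response(uint32_t ntver)
{
	return (ntver & (NETLOGON_NT_VERSION_5EX |
			 NETLOGON_NT_VERSION_5EX_WITH_IP)) != 0;
}

/* Reading of MS-ADTS described in the thread: an LDAP ping (6.3.3.2)
 * always carries the DC socket address; a mailslot ping (6.3.5) only
 * carries it when the _WITH_IP variant was requested. */
bool adts_includes_sockaddr(enum ping_kind kind, uint32_t ntver)
{
	if (!wants_ex_response(ntver)) {
		return false;
	}
	if (kind == PING_LDAP) {
		return true;
	}
	return (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) != 0;
}

/* Behaviour the thread attributes to the current Samba DC code: the
 * mailslot rule is applied regardless of transport. */
bool samba_includes_sockaddr(enum ping_kind kind, uint32_t ntver)
{
	(void)kind; /* transport is not consulted */
	return (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) != 0;
}

/* Count the (transport, NtVer) combinations on which the two readings
 * differ, over both transports and all settings of the two EX bits. */
int count_disagreements(void)
{
	static const uint32_t ntvers[] = {
		0,
		NETLOGON_NT_VERSION_5EX,
		NETLOGON_NT_VERSION_5EX_WITH_IP,
		NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP,
	};
	int differ = 0;
	for (int k = PING_LDAP; k <= PING_MAILSLOT; k++) {
		for (size_t i = 0; i < sizeof(ntvers) / sizeof(ntvers[0]); i++) {
			bool a = adts_includes_sockaddr((enum ping_kind)k, ntvers[i]);
			bool s = samba_includes_sockaddr((enum ping_kind)k, ntvers[i]);
			if (a != s) {
				differ++;
			}
		}
	}
	return differ;
}

int main(void)
{
	/* Print the table so the single divergent case is visible:
	 * an LDAP ping with NETLOGON_NT_VERSION_5EX but no _WITH_IP bit. */
	static const uint32_t ntvers[] = {
		0, NETLOGON_NT_VERSION_5EX, NETLOGON_NT_VERSION_5EX_WITH_IP,
		NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP,
	};
	for (int k = PING_LDAP; k <= PING_MAILSLOT; k++) {
		for (size_t i = 0; i < sizeof(ntvers) / sizeof(ntvers[0]); i++) {
			printf("%-8s ntver=0x%08x adts=%d samba=%d\n",
			       k == PING_LDAP ? "ldap" : "mailslot", ntvers[i],
			       adts_includes_sockaddr((enum ping_kind)k, ntvers[i]),
			       samba_includes_sockaddr((enum ping_kind)k, ntvers[i]));
		}
	}
	printf("disagreements: %d\n", count_disagreements());
	return 0;
}
```

The one divergent row (LDAP ping, NETLOGON_NT_VERSION_5EX without _WITH_IP) is exactly the response shape that a FreeIPA DC emits and that the first patch in the series teaches winbindd to accept; the wire captures Guenther asks for would settle which of the two functions Windows actually implements.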

