Let winbindd work against a FreeIPA server
gd at samba.org
Thu Jan 15 04:58:44 MST 2015
Have you also checked the differences on the wire against Windows DCs?
Could you please provide some traces from both mailslot and CLDAP
netlogon queries against Windows? Once we have "binary proof" we
should ask for clarification of what is wrong, docs or Windows, and
then afterwards fix Samba.
On 15/01/15 12:33, Alexander Bokovoy wrote:
> On Mon, Jan 5, 2015 at 5:49 PM, Stefan (metze) Metzmacher
> <metze at samba.org> wrote:
>> here're patches to improve the behavior of winbindd when
>> contacting domain controllers of trusted ad domains.
>> We should use the same code path as we use with "security = ads"
>> for our primary domain, which means using DNS=>CLDAP with a
>> fallback to netbios name and dc lookup.
>> This is important when talking to FreeIPA DCs, they only provide
>> DNS and CLDAP.
>> The first patch makes sure we can parse the broken netlogon
>> attribute generated by FreeIPA. Someone should try to fix the
>> FreeIPA server to use
>> ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags() instead of
>> Please review and push...
> I've started looking into FreeIPA part of it and I think Samba is
> actually wrong here on CLDAP level.
> According to MS-ADTS 6.3.3.2, "Domain Controller Response to an
> LDAP Ping", we should fill the socket address of the server.
> Samba behavior is actually following 6.3.5 "Mailslot ping" and
> expects LDAP ping to behave the same way as a mailslot ping, where
> socket address of the server is included only if _WITH_IP variant
> was requested in NtVer. If NtVer only contains
> NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket address
> should not be filled in.
> This seems to be a deviation from MS-ADTS. Samba AD DC code in
> also incorrectly assumes mailslot ping behavior to happen on LDAP
> ping request.
> So either MS-ADTS is incorrect here or Samba implementation does
> not differentiate LDAP ping and Mailslot ping.
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org
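Worked example of the layout question the thread turns on, added here for illustration; it is not code from this thread, from Samba or from FreeIPA. It builds NETLOGON_SAM_LOGON_RESPONSE_EX blobs (the value of the "netlogon" attribute in a CLDAP ping reply, layout per MS-ADTS 6.3.1.9) and parses them two ways: strictly, with the layout dictated by the NtVer the client sent, and tolerantly, retrying with the NETLOGON_NT_VERSION_5EX_WITH_IP bit flipped when the strict layout does not fit. The second parser is only one plausible way to cope with a server that appends DcSockAddr without being asked; it is an assumption of this example, not the approach of the Samba patch mentioned above. Domain names, the GUID and the 192.0.2.10 address are constructed sample data; NETLOGON_NT_VERSION_WITH_CLOSEST_SITE is not modelled.

```python
import socket
import struct
import uuid

# NtVer bits from MS-ADTS; only the two the thread discusses are used here.
NETLOGON_NT_VERSION_5EX = 0x00000004
NETLOGON_NT_VERSION_5EX_WITH_IP = 0x00000008
LOGON_SAM_LOGON_RESPONSE_EX = 0x17

# The eight RFC 1035 compressed names that precede the optional DcSockAddr.
NAME_FIELDS = ("forest", "domain", "host", "nb_domain", "nb_host",
               "user", "dc_site", "client_site")


def _push_name(buf, name, seen):
    """Append `name` in RFC 1035 compressed form; `seen` maps label suffixes to offsets."""
    labels = name.encode("utf-8").split(b".") if name else []
    while labels:
        key = tuple(labels)
        if key in seen:                       # suffix already emitted: write a pointer
            buf += struct.pack(">H", 0xC000 | seen[key])
            return
        seen[key] = len(buf)
        buf.append(len(labels[0]))
        buf += labels[0]
        labels = labels[1:]
    buf.append(0)                             # root label terminates the name


def _pull_name(data, pos):
    """Read a compressed name at `pos`; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = data[pos]
        if n & 0xC0 == 0xC0:                  # compression pointer: follow it
            if end is None:
                end = pos + 2
            pos = struct.unpack_from(">H", data, pos)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("pointer loop in compressed name")
            continue
        pos += 1
        if n == 0:
            break
        labels.append(data[pos:pos + n].decode("utf-8"))
        pos += n
    return ".".join(labels), (end if end is not None else pos)


def build_response_ex(names, flags, domain_guid, nt_version, sockaddr=None):
    """Serialize a response; sockaddr=(ip, port) adds DcSockAddrSize + a 16-byte sockaddr_in."""
    buf = bytearray(struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, flags))
    buf += domain_guid.bytes_le               # DomainGuid in Windows GUID byte order
    seen = {}
    for key in NAME_FIELDS:
        _push_name(buf, names[key], seen)
    if sockaddr is not None:
        ip, port = sockaddr
        buf.append(16)                        # DcSockAddrSize
        buf += struct.pack("<H", 2)           # sin_family = AF_INET
        buf += struct.pack(">H", port)        # sin_port, network byte order
        buf += socket.inet_aton(ip)           # sin_addr
        buf += bytes(8)                       # sin_zero
    buf += struct.pack("<IHH", nt_version, 0xFFFF, 0xFFFF)  # NtVersion, LmNtToken, Lm20Token
    return bytes(buf)


def parse_response_ex(data, nt_version):
    """Strict parse: DcSockAddr is expected iff the client's NtVer carried _5EX_WITH_IP."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", data, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("opcode %#x is not LOGON_SAM_LOGON_RESPONSE_EX" % opcode)
    r = {"flags": flags, "domain_guid": uuid.UUID(bytes_le=data[8:24])}
    pos = 24
    for key in NAME_FIELDS:
        r[key], pos = _pull_name(data, pos)
    if nt_version & NETLOGON_NT_VERSION_5EX_WITH_IP:
        if data[pos] != 16:
            raise ValueError("DcSockAddrSize %d, expected 16" % data[pos])
        port = struct.unpack_from(">H", data, pos + 3)[0]
        r["dc_sockaddr"] = (socket.inet_ntoa(data[pos + 5:pos + 9]), port)
        pos += 17
    if len(data) - pos != 8:                  # only NtVersion and the two tokens may remain
        raise ValueError("%d trailing bytes: layout does not match NtVer" % (len(data) - pos))
    r["nt_version"], lmnt, lm20 = struct.unpack_from("<IHH", data, pos)
    if lmnt != 0xFFFF or lm20 != 0xFFFF:
        raise ValueError("bad LmNtToken/Lm20Token")
    return r


def parse_response_ex_tolerant(data, requested_nt_version):
    """Assumed recovery strategy: retry with _5EX_WITH_IP flipped if the strict layout fails."""
    try:
        return parse_response_ex(data, requested_nt_version)
    except (ValueError, IndexError, struct.error):
        return parse_response_ex(data, requested_nt_version ^ NETLOGON_NT_VERSION_5EX_WITH_IP)


SAMPLE_NAMES = {  # constructed sample values, not captured from any real DC
    "forest": "ipa.example.test", "domain": "ipa.example.test",
    "host": "dc1.ipa.example.test", "nb_domain": "IPA", "nb_host": "DC1", "user": "",
    "dc_site": "Default-First-Site-Name", "client_site": "Default-First-Site-Name",
}
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")


def demo():
    """Client asked for 5EX only; compare a server that omits DcSockAddr with one that appends it."""
    asked = NETLOGON_NT_VERSION_5EX
    without_ip = build_response_ex(SAMPLE_NAMES, 0x3D, SAMPLE_GUID, asked)
    with_ip = build_response_ex(SAMPLE_NAMES, 0x3D, SAMPLE_GUID, asked, sockaddr=("192.0.2.10", 0))
    strict_ok = parse_response_ex(without_ip, asked)
    try:
        parse_response_ex(with_ip, asked)
        strict_rejects = False
    except ValueError:
        strict_rejects = True                 # 25 bytes left where 8 were expected
    tolerant = parse_response_ex_tolerant(with_ip, asked)
    return strict_ok, strict_rejects, tolerant


if __name__ == "__main__":
    ok, rejected, tol = demo()
    print("strict parse of sockaddr-less reply:", ok["host"], ok["dc_site"])
    print("strict parser rejects unrequested sockaddr:", rejected)
    print("tolerant parser recovers DcSockAddr:", tol["dc_sockaddr"])
```

The strict parser is what a client that trusts its own NtVer does, and it is exactly what breaks when a DC fills DcSockAddr for a plain NETLOGON_NT_VERSION_5EX ping: the names parse fine, but 17 unexpected bytes sit where NtVersion should be. The trailer check (exactly 8 bytes left, both tokens 0xFFFF) is what makes the mismatch detectable without guessing; a parser that merely reads fields in order would misread the sockaddr as NtVersion and the tokens.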