Has anyone seen a Windows Server return zero results to a CLDAP query for NetLogon servers?

Fri Oct 4 13:40:22 UTC 2019

On Thu, Oct 3, 2019 at 4:43 PM Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
>
> Hi folks,
>
> I have run into a situation where it seems the Windows DC is
> responding to CLDAP request, but returning zero responses.
>
> Samba send:
>
> searchRequest
>     baseObject:
>     scope: baseObject (0)
>     derefAliases: neverDerefAliases (0)
>     sizeLimit: 0
>     timeLimit: 0
>     typesOnly: False
>     Filter: (&(&(NtVer=0x00000006)(DnsDomain=SOME.DOM))(AAC=00:00:00:00))
>         filter: and (0)
>             and: (&(&(NtVer=0x00000006)(DnsDomain=SOME.DOM))(AAC=00:00:00:00))
>                 and: 3 items
>                     Filter: (NtVer=0x00000006)
>                         and item: equalityMatch (3)
>                             equalityMatch
>                     Filter: (DnsDomain=GPJ.LOC)
>                         and item: equalityMatch (3)
>                             equalityMatch
>                     Filter: (AAC=00:00:00:00)
>                         and item: equalityMatch (3)
>                             equalityMatch
>     attributes: 1 item
>         AttributeDescription: NetLogon
>
> and the server responds:
>
> LDAPMessage searchResDone(3822) success [0 results]
>     messageID: 3822
>     protocolOp: searchResDone (5)
>         searchResDone
>             resultCode: success (0)
>             matchedDN:
>             errorMessage:
>     [Response To: 5897]
>     [Time: 0.001296000 seconds]
>
> After that Samba seems to declare that DC as a negative connection
> entry and cannot find any DCs.
>
> Has anyone seen this? Does anyone know how to configure Windows to do that?

Hmmm, according to the following a DC returns such a result if the
filter is invalid:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/249949c1-484c-48ad-b548-a31dd0ab2c93

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)(传说杜康是酒的发明者)