Has anyone seen a Windows Server return zero results to a CLDAP query for NetLogon servers?

Richard Sharpe realrichardsharpe at gmail.com
Fri Oct 4 15:05:37 UTC 2019


On Fri, Oct 4, 2019 at 7:24 AM Stefan Metzmacher <metze at samba.org> wrote:
>
> On 04.10.19 at 15:40, Richard Sharpe via samba-technical wrote:
> > On Thu, Oct 3, 2019 at 4:43 PM Richard Sharpe
> > <realrichardsharpe at gmail.com> wrote:
> >>
> >> Hi folks,
> >>
> >> I have run into a situation where it seems the Windows DC is
> >> responding to a CLDAP request, but returning zero responses.
> >>
> >> Samba sends:
> >>
> >> searchRequest
> >>     baseObject:
> >>     scope: baseObject (0)
> >>     derefAliases: neverDerefAliases (0)
> >>     sizeLimit: 0
> >>     timeLimit: 0
> >>     typesOnly: False
> >>     Filter: (&(&(NtVer=0x00000006)(DnsDomain=SOME.DOM))(AAC=00:00:00:00))
> >>         filter: and (0)
> >>             and: (&(&(NtVer=0x00000006)(DnsDomain=SOME.DOM))(AAC=00:00:00:00))
> >>                 and: 3 items
> >>                     Filter: (NtVer=0x00000006)
> >>                         and item: equalityMatch (3)
> >>                             equalityMatch
> >>                     Filter: (DnsDomain=GPJ.LOC)
> >>                         and item: equalityMatch (3)
> >>                             equalityMatch
> >>                     Filter: (AAC=00:00:00:00)
> >>                         and item: equalityMatch (3)
> >>                             equalityMatch
> >>     attributes: 1 item
> >>         AttributeDescription: NetLogon
> >>
> >> and the server responds:
> >>
> >> LDAPMessage searchResDone(3822) success [0 results]
> >>     messageID: 3822
> >>     protocolOp: searchResDone (5)
> >>         searchResDone
> >>             resultCode: success (0)
> >>             matchedDN:
> >>             errorMessage:
> >>     [Response To: 5897]
> >>     [Time: 0.001296000 seconds]
> >>
> >> After that Samba seems to declare that DC as a negative connection
> >> entry and cannot find any DCs.
> >>
> >> Has anyone seen this? Does anyone know how to configure Windows to do that?
> >
> > Hmmm, according to the following a DC returns such a result if the
> > filter is invalid:
> >
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/249949c1-484c-48ad-b548-a31dd0ab2c93
>
> I've seen strange things when sysvolReady was 0.

OK. I suspect that if I shut down the NetLogon server as well we may
see the same behavior.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao) (Legend has it that Du Kang was the inventor of wine)
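
The reply shape discussed in this thread, as an added example that is not part of the original messages and is not Samba code: a small BER walker that counts the searchResEntry messages in a CLDAP response datagram and reads the searchResDone resultCode, so a "success [0 results]" reply can be told apart from a normal NetLogon reply or an LDAP error. The function names, verdict strings and sample bytes are constructed for illustration; the 200-byte netlogon value is a placeholder, not a real NetLogon response.

```python
SEARCH_RES_ENTRY, SEARCH_RES_DONE = 0x64, 0x65  # [APPLICATION 4], [APPLICATION 5]

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + value

def classify_reply(datagram):
    """Return (searchResEntry count, resultCode or None) for one datagram."""
    entries, result, pos = 0, None, 0
    while pos < len(datagram):
        tag, msg, pos = read_tlv(datagram, pos)
        if tag != 0x30:
            raise ValueError("expected LDAPMessage SEQUENCE")
        _, _, p = read_tlv(msg, 0)        # messageID
        op, body, _ = read_tlv(msg, p)    # protocolOp
        if op == SEARCH_RES_ENTRY:
            entries += 1
        elif op == SEARCH_RES_DONE:
            result = int.from_bytes(read_tlv(body, 0)[1], "big")  # resultCode
    return entries, result

def verdict(datagram):
    entries, result = classify_reply(datagram)
    if result != 0:
        return "no-searchResDone" if result is None else "ldap-error"
    return "netlogon-reply" if entries else "success-but-empty"

# Constructed samples built with tlv(); messageID 3822 as in the trace above.
MSG_ID = tlv(0x02, (3822).to_bytes(2, "big"))
DONE_OK = tlv(0x30, MSG_ID + tlv(0x65, tlv(0x0A, b"\x00") + tlv(0x04, b"") * 2))
ATTR = tlv(0x30, tlv(0x04, b"netlogon") + tlv(0x31, tlv(0x04, bytes(200))))
ENTRY = tlv(0x30, MSG_ID + tlv(0x64, tlv(0x04, b"") + tlv(0x30, ATTR)))
```

`verdict(DONE_OK)` corresponds to the reply in the trace; `verdict(ENTRY + DONE_OK)` is the shape of a reply that does carry a NetLogon attribute.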