Issue if SearchResEntry and SearchResDone CLDAP responses are in 2 packets

Jeremy Allison jra at samba.org
Tue Jul 19 17:56:29 UTC 2022


On Tue, Jul 19, 2022 at 09:20:09PM +0530, Shilpa K via samba-technical wrote:
>Hello,
>
>We have a setup where there are 3 DCs in a domain and Samba is joined as
>Member Server. 2 of the DCs run Windows 2019 and one of them was Windows
>2008. Windows 2008 DC was decommissioned. Samba was joined to the domain
>when Windows 2008 was available. After Windows 2008 was decommissioned, net
>ads commands started failing as below:
>
>ads_try_connect: sending CLDAP request to <IP>...
>....
>cldap_netlogon_recv for domain <DOMAIN> failed with status
>LDAP_PROTOCOL_ERROR
>
>Upon checking the network trace, we noticed that in response to the CLDAP
>request SearchRequest, Windows 2019 DCs responded with SearchResEntry and
>SearchResDone in 2 separate packets. Checking the code, it failed below:
>
>NTSTATUS cldap_search_recv(struct tevent_req *req,
>                           TALLOC_CTX *mem_ctx,
>                           struct cldap_search *io)
>{
>...
>...
>status = ldap_decode(state->response.asn1, NULL, ldap_msg);
>        if (!NT_STATUS_IS_OK(status)) {
>                goto failed;
>        }
>        ZERO_STRUCT(io->out);
>        /* the first possible form has a search result in first place */
>        if (ldap_msg->type == LDAP_TAG_SearchResultEntry) {
>....
>                *io->out.response = ldap_msg->r.SearchResultEntry;
>                /* decode the 2nd part */
>                status = ldap_decode(state->response.asn1, NULL, ldap_msg);
>--->failed call
>                if (!NT_STATUS_IS_OK(status)) {
>                        goto failed;
>                }
>        }
>
>...
>}
>
>The 2nd ldap_decode(..) fails because:
>
>
>/* Peek into an ASN1 buffer, not advancing the pointer */
>bool asn1_peek(struct asn1_data *data, void *p, int len)
>{
>...
>        if (data->ofs + len > data->length) {
>                /* we need to mark the buffer as consumed, so the caller knows
>                   this was an out of data error, and not a decode error */
>                data->ofs = data->length;
>                return false;
>        }
>..
>}
>
>Here, after the first call to ldap_decode(...) in cldap_search_recv(), the
>value of data->ofs and data->length was 163 and len was 1. len was 1
>because of below code:
>
>_PUBLIC_ NTSTATUS ldap_decode(..)
>{
> ...
>        if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto prot_err;
>...
>}
>
>We think the issue is because SearchResEntry and SearchResDone responses
>are in 2 different packets. Could you please confirm if this is so?

Yes, the cldap_search_recv() code expects the replies to be
in one packet. As Ralph says, if you can share packet traces
we can possibly add code to do a second packet read if the SearchResDone
response isn't found in the first reply.
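
A sketch of the check such a second read would hinge on, as an added example that is not Samba code and not part of the original thread: it walks the LDAPMessage elements in one received datagram and separates "ended cleanly on a message boundary without SearchResDone" (the ofs == length case reported above) from a genuinely malformed reply. The names `cldap_scan_datagram`, `ber_header` and the `cldap_scan` enum are hypothetical; the tag values are the RFC 4511 encodings of SearchResultEntry (0x64) and SearchResultDone (0x65), and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

enum cldap_scan { CLDAP_COMPLETE, CLDAP_NEED_MORE, CLDAP_PROTOCOL_ERROR };

/* Read one BER tag+length at *ofs inside buf[0..n); advance *ofs to the value. */
static int ber_header(const uint8_t *buf, size_t n, size_t *ofs, uint8_t *tag, size_t *len)
{
    size_t o = *ofs;
    if (o > n || n - o < 2) return -1;
    *tag = buf[o++];
    *len = buf[o++];
    if (*len >= 0x80) {                 /* long form: 0x80 | number of length bytes */
        size_t nb = *len & 0x7f;        /* a UDP datagram never needs more than 2 */
        if (nb == 0 || nb > 2 || n - o < nb) return -1;
        for (*len = 0; nb > 0; nb--) *len = (*len << 8) | buf[o++];
    }
    if (*len > n - o) return -1;        /* value would run past the datagram */
    *ofs = o;
    return 0;
}

/* Walk every LDAPMessage in one datagram; report whether SearchResDone arrived. */
enum cldap_scan cldap_scan_datagram(const uint8_t *buf, size_t n)
{
    size_t ofs = 0, len, end; uint8_t tag;
    while (ofs < n) {
        if (ber_header(buf, n, &ofs, &tag, &len) || tag != 0x30)   /* SEQUENCE */
            return CLDAP_PROTOCOL_ERROR;
        end = ofs + len;
        if (ber_header(buf, end, &ofs, &tag, &len) || tag != 0x02) /* messageID */
            return CLDAP_PROTOCOL_ERROR;
        ofs += len;
        if (ber_header(buf, end, &ofs, &tag, &len))                /* protocolOp */
            return CLDAP_PROTOCOL_ERROR;
        if (tag == 0x65) return CLDAP_COMPLETE;        /* SearchResultDone */
        if (tag != 0x64) return CLDAP_PROTOCOL_ERROR;  /* not a SearchResultEntry */
        ofs = end;                                     /* skip to the next message */
    }
    return CLDAP_NEED_MORE; /* clean message boundary, no SearchResDone yet */
}

/* Constructed sample: 11-byte SearchResEntry message, then 14-byte SearchResDone. */
const uint8_t sample[] = {
    0x30,0x09, 0x02,0x01,0x01, 0x64,0x04, 0x04,0x00, 0x30,0x00,
    0x30,0x0c, 0x02,0x01,0x01, 0x65,0x07, 0x0a,0x01,0x00, 0x04,0x00, 0x04,0x00 };

/* Exit status 0 when the entry-only datagram is reported as needing a second read. */
int main(void) { return cldap_scan_datagram(sample, 11) != CLDAP_NEED_MORE; }
```

A caller would treat `CLDAP_NEED_MORE` as the signal to wait, with a timeout, for one more datagram from the same peer, and keep failing hard on `CLDAP_PROTOCOL_ERROR`.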


