Issue if SearchResEntry and SearchResDone CLDAP responses are in 2 packets
Shilpa K
shilpa.krishnareddy at gmail.com
Wed Jul 20 17:52:23 UTC 2022
HI Jeremy/Ralph,
I have attached the screenshot of the trace as I cannot share the pcaps as
of now.
Thanks,
Shilpa
On Tue, Jul 19, 2022 at 11:26 PM Jeremy Allison <jra at samba.org> wrote:
> On Tue, Jul 19, 2022 at 09:20:09PM +0530, Shilpa K via samba-technical
> wrote:
> >Hello,
> >
> >We have a setup where there are 3 DCs in a domain and Samba is joined as
> >Member Server. 2 of the DCs run Windows 2019 and one of them was Windows
> >2008. Windows 2008 DC was decommissioned. Samba was joined to the domain
> >when Windows 2008 was available. After Windows 2008 was decommissioned,
> net
> >ads commands started failing as below:
> >
> >ads_try_connect: sending CLDAP request to <IP>...
> >....
> >cldap_netlogon_recv for domain <DOMAIN> failed with status
> >LDAP_PROTOCOL_ERROR
> >
> >Upon checking the network trace, we noticed that in response to the CLDAP
> >request SearchRequest, Windows 2019 DCs responded with SearchResEntry and
> >SearchResDone in 2 separate packets. Checking the code, it failed below:
> >
> >NTSTATUS cldap_search_recv(struct tevent_req *req,
> > TALLOC_CTX *mem_ctx,
> > struct cldap_search *io)
> >{
> >...
> >...
> >status = ldap_decode(state->response.asn1, NULL, ldap_msg);
> > if (!NT_STATUS_IS_OK(status)) {
> > goto failed;
> > }
> > ZERO_STRUCT(io->out);
> > /* the first possible form has a search result in first place */
> > if (ldap_msg->type == LDAP_TAG_SearchResultEntry) {
> >....
> > *io->out.response = ldap_msg->r.SearchResultEntry;
> > /* decode the 2nd part */
> > status = ldap_decode(state->response.asn1, NULL,
> ldap_msg);
> >--->failed call
> > if (!NT_STATUS_IS_OK(status)) {
> > goto failed;
> > }
> > }
> >
> >...
> >}
> >
> >The 2nd ldap_decode(..) fails because:
> >
> >
> >/* Peek into an ASN1 buffer, not advancing the pointer */
> >bool asn1_peek(struct asn1_data *data, void *p, int len)
> >{
> >...
> > if (data->ofs + len > data->length) {
> > /* we need to mark the buffer as consumed, so the caller
> >knows
> > this was an out of data error, and not a decode error
> */
> > data->ofs = data->length;
> > return false;
> > }
> >..
> >}
> >
> >Here, after the first call to ldap_decode(...) in cldap_search_recv(), the
> >value of data->ofs and data->length was 163 and len was 1. len was 1
> >because of below code:
> >
> >_PUBLIC_ NTSTATUS ldap_decode(..)
> >{
> > ...
> > if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto prot_err;
> >...
> >}
> >
> >We think the issue is because SearchResEntry and SearchResDone responses
> >are in 2 different packets. Could you please confirm if this is so?
>
> Yes, the cldap_search_recv() code expects the replies to be
> in one packet. As Ralph says, if you can share packet traces
> we can possibly add code to do a second packet read if the SearchResDone
> response isn't found in the first reply.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cldap_calls.png
Type: image/png
Size: 85412 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20220720/da77d6c0/cldap_calls.png>
More information about the samba-technical
mailing list