Let winbindd work against a FreeIPA server

Stefan (metze) Metzmacher metze at samba.org
Mon Jan 5 08:49:52 MST 2015


Hi,

here're patches to improve the behavior of winbindd when contacting
domain controllers of trusted ad domains.

We should use the same code path as we use with "security = ads"
for our primary domain, which means using DNS=>CLDAP with a fallback
to netbios name and dc lookup.

This is important when talking to FreeIPA DCs, they only provide
DNS and CLDAP.

The first patch makes sure we can parse the broken netlogon attribute
generated by FreeIPA. Someone should try to fix the FreeIPA server
to use ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags()
instead of ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX().

Please review and push...

Thanks!
metze
-------------- next part --------------
From 67d2a6ae48f9939dc58fd61c20ad0995e574bde5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 23 Dec 2014 11:09:04 +0000
Subject: [PATCH 1/3] libcli/netlogon: We need to handle a bug in FreeIPA (at
 least <= 4.1.2).

They include the ip address information without setting
NETLOGON_NT_VERSION_5EX_WITH_IP, while using
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX instead of
ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 libcli/netlogon/netlogon.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c
index d82a201..58a331d 100644
--- a/libcli/netlogon/netlogon.c
+++ b/libcli/netlogon/netlogon.c
@@ -91,9 +91,18 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx,
 			ndr, NDR_SCALARS|NDR_BUFFERS, &response->data.nt5_ex,
 			ntver);
 		if (ndr->offset < ndr->data_size) {
-			ndr_err = ndr_pull_error(ndr, NDR_ERR_UNREAD_BYTES,
-						 "not all bytes consumed ofs[%u] size[%u]",
-						 ndr->offset, ndr->data_size);
+			TALLOC_FREE(ndr);
+			/*
+			 * We need to handle a bug in FreeIPA (at least <= 4.1.2).
+			 *
+			 * They include the ip address information without setting
+			 * NETLOGON_NT_VERSION_5EX_WITH_IP, while using
+			 * ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX instead of
+			 * ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags.
+			 */
+			ndr_err = ndr_pull_struct_blob_all(data, mem_ctx,
+						   &response->data.nt5,
+						   (ndr_pull_flags_fn_t)ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_EX);
 		}
 		response->ntver = NETLOGON_NT_VERSION_5EX;
 		if (NDR_ERR_CODE_IS_SUCCESS(ndr_err) && DEBUGLEVEL >= 10) {
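
Review bot: the fallback call to ndr_pull_struct_blob_all() decodes into &response->data.nt5, while the pull function is ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_EX, the first attempt just above filled response->data.nt5_ex, and response->ntver is set to NETLOGON_NT_VERSION_5EX right after. The target should be &response->data.nt5_ex so the union member matches the type being pulled. Because this branch now retries any reply that left unread bytes rather than rejecting it, a DEBUG line recording that the fallback was taken would make unexpected DC replies easier to diagnose.
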
-- 
1.9.1


From c07adb5da20c20549a91fbae84af48e2e990f56f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 23 Dec 2014 09:43:03 +0000
Subject: [PATCH 2/3] s3:winbindd: mark our primary as active_directory if
 possible

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_util.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 0b7e234..8dab36e 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -213,6 +213,15 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
 		domain->primary = true;
 	}
 
+	if (domain->primary) {
+		if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+			domain->active_directory = true;
+		}
+		if (lp_security() == SEC_ADS) {
+			domain->active_directory = true;
+		}
+	}
+
 	/* Link to domain list */
 	DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
 
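
Review bot: the two inner ifs under "if (domain->primary)" set the same field and can be one condition, for example "if (role == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS)". The commit message has no body, so a short comment here saying why the primary domain is marked active_directory in these two cases would help, since the next patch relies on domain->active_directory to choose the CLDAP path.
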
-- 
1.9.1


From 8472cf73da131640962266bb0ecc27f97d02e99f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 23 Dec 2014 09:43:19 +0000
Subject: [PATCH 3/3] s3:winbindd: improve logic to use CLDAP for a given
 domain.

As an AD Domain Controller we should try CLDAP for active directory domains.
E.g. FreeIPA domains don't provide NBT at all...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/winbindd_cm.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 0a63369..59c0b86 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1381,7 +1381,9 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
 	NTSTATUS status;
 	const char *dc_name;
 	fstring nbtname;
-
+#ifdef HAVE_ADS
+	bool is_ad_domain = false;
+#endif
 	ip_list.ss = *pss;
 	ip_list.port = 0;
 
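
Review bot: is_ad_domain is declared only under "#ifdef HAVE_ADS", so every assignment and test of it in the following hunk has to sit inside the same guard, otherwise a build without ADS fails on an undeclared variable; the guard around those uses is not visible in this patch and is worth confirming. As a style point, the blank line between the declarations and the first statement was dropped; keep one after "#endif" so "ip_list.ss = *pss;" does not run into the declaration block.
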
@@ -1390,6 +1392,12 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
 	   None of these failures should be considered critical for now */
 
 	if ((lp_security() == SEC_ADS) && (domain->alt_name != NULL)) {
+		is_ad_domain = true;
+	} else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
+		is_ad_domain = domain->active_directory;
+	}
+
+	if (is_ad_domain) {
 		ADS_STRUCT *ads;
 		ADS_STATUS ads_status;
 		char addr[INET6_ADDRSTRLEN];
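
Review bot: the new "else if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC)" branch sets is_ad_domain from domain->active_directory without the "domain->alt_name != NULL" check that the SEC_ADS branch keeps. If the ADS block that follows uses domain->alt_name, the DC case can now enter it with a NULL alt_name; consider "is_ad_domain = domain->active_directory && (domain->alt_name != NULL);" or state in a comment why the check is not needed for the DC role.
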
-- 
1.9.1