Let winbindd work against a FreeIPA server

Alexander Bokovoy ab at samba.org
Thu Jan 15 07:03:43 MST 2015


On Thu, Jan 15, 2015 at 1:58 PM, Guenther Deschner <gd at samba.org> wrote:
> Hi Alexander,
>
> have you also checked the differences on the wire against windows dcs?
> Could you please provide some traces from both mailslot and cldap
> netlogon queries against windows ? Once we have "binary proof" we
> should ask for clarification of what is wrong, docs or windows and
> then afterwards fix Samba.

At least, asking Windows Server 2012 with LDAP Ping with _5EX (without
_WITH_IP), returns an LDAP entry which doesn't have a socket address at
all.
This means MS-ADTS is wrong. I'll ask Microsoft team to clarify it.

I have a fix for FreeIPA which will follow the same.

>
> Thanks,
> Guenther
>
> On 15/01/15 12:33, Alexander Bokovoy wrote:
>> On Mon, Jan 5, 2015 at 5:49 PM, Stefan (metze) Metzmacher
>> <metze at samba.org> wrote:
>>> Hi,
>>>
>>> here're patches to improve the behavior of winbindd when
>>> contacting domain controllers of trusted ad domains.
>>>
>>> We should use the same code path as we use with "security = ads"
>>> for our primary domain, which means using DNS=>CLDAP with a
>>> fallback to netbios name and dc lookup.
>>>
>>> This is important when talking to FreeIPA DCs, they only provide
>>> DNS and CLDAP.
>>>
>>> The first patch makes sure we can parse the broken netlogon
>>> attribute generated by FreeIPA. Someone should try to fix the
>>> FreeIPA server to use
>>> ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags() instead of
>>> ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX().
>>>
>>> Please review and push...
>> I've started looking into FreeIPA part of it and I think Samba is
>> actually wrong here on CLDAP level.
>>
>> According to MS-ADTS 6.3.3.2, "Domain Controller Response to an
>> LDAP Ping", we should fill the socket address of the server
>> unconditionally.
>>
>> Samba behavior is actually following 6.3.5 "Mailslot ping" and
>> expects LDAP ping to behave the same way as a mailslot ping, where
>> socket address of the server is included only if _WITH_IP variant
>> was requested in NtVer.  If NtVer only contains
>> NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket  address
>> should not be filled in.
>>
>> This seems to be a deviation from MS-ADTS. Samba AD DC code in
>> source4/dsdb/samdb/ldb_modules/netlogon.c:fill_netlogon_samlogon_response()
>> also incorrectly assumes mailslot ping behavior to happen on LDAP
>> ping request.
>>
>> So either MS-ADTS is incorrect here or Samba implementation does
>> not differentiate LDAP ping and Mailslot ping.
>>
>
>
> - --
> Günther Deschner                    GPG-ID: 8EE11688
> Red Hat                         gdeschner at redhat.com
> Samba Team                              gd at samba.org



-- 
/ Alexander Bokovoy
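
The two LDAP ping requests compared in this thread, and the two readings of whether the reply carries the server socket address, as an added example (not part of the original message and not Samba or FreeIPA code). The domain name is constructed, and the function names and the "reading" labels are assumptions made for illustration; the NtVer bit values are the ones defined in MS-ADTS.

```python
import struct

# NtVer flag bits as defined in MS-ADTS.
NETLOGON_NT_VERSION_5EX = 0x00000004
NETLOGON_NT_VERSION_5EX_WITH_IP = 0x00000008


def ntver_filter_value(ntver: int) -> str:
    """NtVer as 4 little-endian bytes, each escaped as \\XX for an LDAP filter."""
    return "".join(f"\\{b:02x}" for b in struct.pack("<I", ntver))


def ldap_ping_filter(dns_domain: str, ntver: int) -> str:
    """Filter for the rootDSE search (base "", scope base, attribute
    "netlogon") that makes up an LDAP ping."""
    if any(c in dns_domain for c in "()*\\\0"):
        raise ValueError("domain contains LDAP filter metacharacters")
    return f"(&(DnsDomain={dns_domain})(NtVer={ntver_filter_value(ntver)}))"


def sockaddr_expected(ntver: int, reading: str) -> bool:
    """Should a 5EX reply carry the server socket address?

    reading="adts-6.3.3.2": filled unconditionally for an LDAP ping, as the
                            section is read in this thread.
    reading="mailslot":     only when the _WITH_IP bit was requested, which is
                            what Samba implements and what the Windows Server
                            2012 reply reported in this thread matches.
    """
    if not ntver & NETLOGON_NT_VERSION_5EX:
        raise ValueError("not a NETLOGON_NT_VERSION_5EX request")
    if reading == "adts-6.3.3.2":
        return True
    if reading == "mailslot":
        return bool(ntver & NETLOGON_NT_VERSION_5EX_WITH_IP)
    raise ValueError(f"unknown reading: {reading}")


def compare(dns_domain: str):
    """(filter, per-6.3.3.2, mailslot-style) for both request variants."""
    variants = (NETLOGON_NT_VERSION_5EX,
                NETLOGON_NT_VERSION_5EX | NETLOGON_NT_VERSION_5EX_WITH_IP)
    return [(ldap_ping_filter(dns_domain, v),
             sockaddr_expected(v, "adts-6.3.3.2"),
             sockaddr_expected(v, "mailslot")) for v in variants]


if __name__ == "__main__":
    for row in compare("ipa.example.test"):  # constructed domain name
        print(row)
```

The two readings differ only on the first row (_5EX without _WITH_IP), which is the case a wire trace has to settle.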

