Issue if SearchResEntry and SearchResDone CLDAP responses are in 2 packets

Shilpa K shilpa.krishnareddy at gmail.com
Tue Jul 19 15:50:09 UTC 2022


Hello,

We have a setup where there are 3 DCs in a domain and Samba is joined as
a Member Server. 2 of the DCs run Windows 2019 and one of them was Windows
2008. The Windows 2008 DC was decommissioned. Samba was joined to the domain
when Windows 2008 was available. After Windows 2008 was decommissioned, net
ads commands started failing as below:

ads_try_connect: sending CLDAP request to <IP>...
....
cldap_netlogon_recv for domain <DOMAIN> failed with status LDAP_PROTOCOL_ERROR

Upon checking the network trace, we noticed that in response to the CLDAP
request SearchRequest, Windows 2019 DCs responded with SearchResEntry and
SearchResDone in 2 separate packets. Checking the code, it failed below:

NTSTATUS cldap_search_recv(struct tevent_req *req,
                           TALLOC_CTX *mem_ctx,
                           struct cldap_search *io)
{
...
...
        status = ldap_decode(state->response.asn1, NULL, ldap_msg);
        if (!NT_STATUS_IS_OK(status)) {
                goto failed;
        }
        ZERO_STRUCT(io->out);
        /* the first possible form has a search result in first place */
        if (ldap_msg->type == LDAP_TAG_SearchResultEntry) {
....
                *io->out.response = ldap_msg->r.SearchResultEntry;
                /* decode the 2nd part */
                status = ldap_decode(state->response.asn1, NULL, ldap_msg); /* <--- failed call */
                if (!NT_STATUS_IS_OK(status)) {
                        goto failed;
                }
        }

...
}

The 2nd ldap_decode(..) fails because:


/* Peek into an ASN1 buffer, not advancing the pointer */
bool asn1_peek(struct asn1_data *data, void *p, int len)
{
...
        if (data->ofs + len > data->length) {
                /* we need to mark the buffer as consumed, so the caller knows
                   this was an out of data error, and not a decode error */
                data->ofs = data->length;
                return false;
        }
..
}

Here, after the first call to ldap_decode(...) in cldap_search_recv(), the
values of data->ofs and data->length were 163 and len was 1. len was 1
because of the code below:

_PUBLIC_ NTSTATUS ldap_decode(..)
{
 ...
        if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto prot_err;
...
}

We think the issue is because SearchResEntry and SearchResDone responses
are in 2 different packets. Could you please confirm if this is so?

Thanks,
Shilpa
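
Added example (not part of the original message and not Samba code): a small C check that walks one CLDAP UDP payload and reports how many LDAPMessages it holds and their protocolOp tags, so a captured reply can be classified as carrying SearchResEntry and SearchResDone together or the entry alone. The function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not from a real trace): minimal SearchResultEntry + SearchResultDone. */
static const uint8_t both[] = {
    0x30, 0x09, 0x02, 0x01, 0x01, 0x64, 0x04, 0x04, 0x00, 0x30, 0x00,
    0x30, 0x0c, 0x02, 0x01, 0x01, 0x65, 0x07, 0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00 };

/* Read one BER tag+length at buf[*ofs]; on success *ofs points at the content. */
static int ber_header(const uint8_t *buf, size_t len, size_t *ofs, uint8_t *tag, size_t *clen)
{
    if (len - *ofs < 2) return -1;                 /* out of data */
    *tag = buf[(*ofs)++];
    *clen = buf[(*ofs)++];
    if (*clen & 0x80) {                            /* long form, up to 4 length bytes */
        size_t cnt = *clen & 0x7f;
        if (cnt == 0 || cnt > 4 || len - *ofs < cnt) return -1;
        for (*clen = 0; cnt > 0; cnt--) *clen = (*clen << 8) | buf[(*ofs)++];
    }
    return (*clen > len - *ofs) ? -1 : 0;          /* content must fit in the buffer */
}

/* Hypothetical helper: protocolOp tag of each LDAPMessage in one UDP payload; -1 if malformed. */
int cldap_ops_in_datagram(const uint8_t *buf, size_t len, uint8_t *ops, int max)
{
    size_t ofs = 0, end, clen;
    uint8_t tag;
    int count = 0;
    while (ofs < len && count < max) {
        if (ber_header(buf, len, &ofs, &tag, &clen) || tag != 0x30) return -1;
        end = ofs + clen;                          /* end of this LDAPMessage SEQUENCE */
        if (ber_header(buf, end, &ofs, &tag, &clen) || tag != 0x02) return -1;
        ofs += clen;                               /* skip messageID INTEGER */
        if (ber_header(buf, end, &ofs, &tag, &clen)) return -1;
        ops[count++] = tag;                        /* 0x64 SearchResultEntry, 0x65 SearchResultDone */
        ofs = end;
    }
    return count;
}

int main(void)
{
    uint8_t ops[4];
    printf("both in one datagram: %d\n", cldap_ops_in_datagram(both, sizeof(both), ops, 4));
    printf("entry only: %d\n", cldap_ops_in_datagram(both, 11, ops, 4));
    return 0;
}
```

A count of 1 with tag 0x64 means the payload ends right after the entry, which is the state in which a second decode on the same buffer has no bytes left to read.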

