The Samba-Bugzilla – Attachment 11090 Details for Bug 11292
Windows Server 2008 R2 Foundation memberserver reboot / SERVER_SEARCH_FLAG_PHANTOM_ROOT no application NCs
[patch] 0001-S4-dsdb-GC-LDAP-should-not-return-objects-from-Domai.patch (text/plain), 4.49 KB, created by Arvid Requate on 2015-05-27 10:28:27 UTC
Marked as: patch, obsolete
>From 6ce3e107ff0342c17bb4ca07befa1d2073f7a3eb Mon Sep 17 00:00:00 2001
>From: Arvid Requate <requate@univention.de>
>Date: Mon, 16 Feb 2015 13:33:35 +0100
>Subject: [PATCH] S4:dsdb GC LDAP should not return objects from DomainDnsZones
>
>Setting: "Windows Server 2008 R2 Foundation" joined as Memberserver
> to a Samba 4.2 ADDS DC.
>
>Issue: After Logon an error popup is shown with the following text:
>
> The server did not finish checking the license compliance.
> If the server is joined to a domain, make sure that the server
> can connect to a domain controller. If the license compliant
> check cannot be completed, the server will automatically
> shut down in 9 day(s), 7 hour(s) 30 minute(s).
>
>http://technet.microsoft.com/de-de/library/ee526849%28en-us,WS.10%29.aspx
>
>Analysis: The MS Event Viewer shows that the message originates from the
> Forest Trust Check performed by the Server Infrastructure Licensing
> service. Network traces show that shortly before the log entries
> the client performs an LDAP search equivalent to
>
> ldbsearch -H http://<sambadcip>:3268 -b '' \
> --controls:domainscope:0 \
> '(objectCategory=Domain)' canonicalName
>
> A search like this against the GC port of a native AD 2008 R2 DC
> does not return any objects from ForestDNSZones or DomainDNSZones
> partitions.
> In contrast the Samba LDAP server returns objects from those
> partitions.
> This causes the client to perform DNS lookups for
> _ldap._tcp.pdc._msdcs.DomainDnsZones.<domainname>
> This request for a non-standard DNS record causes the Forest
> Trust Check to fail. Creating the record(s) causes the client to
> perform CLDAP Netlogon requests against the IP with
> DomainDnsZones.<domainname> as target domain and continue.
>
>This patch modifies the "partition" dsdb module response to this specific
>request (GC port, domainscope, empty search base) to not return objects
>from the ForestDNSZones and DomainDNSZones application partitions.
> >Signed-off-by: Arvid Requate <requate@univention.de> >--- > source4/dsdb/samdb/ldb_modules/partition.c | 40 ++++++++++++++++++++++++++++++ > 1 file changed, 40 insertions(+) > >diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c >index b501ff1..230aa0c 100644 >--- a/source4/dsdb/samdb/ldb_modules/partition.c >+++ b/source4/dsdb/samdb/ldb_modules/partition.c 
>@@ -605,6 +605,35 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req) > lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"), > struct loadparm_context); > >+ // Determine forestdnszones_dn for comparison below >+ struct ldb_dn *forestdnszones_dn = ldb_dn_copy(ac, ldb_get_default_basedn(ldb)); >+ if (!forestdnszones_dn) { >+ return ldb_oom(ldb_module_get_ctx(module)); >+ } >+ if (!ldb_dn_add_child_fmt(forestdnszones_dn, "DC=ForestDnsZones")) { >+ return ldb_oom(ldb_module_get_ctx(module)); >+ } >+ >+ // Determine domaindnszones_dn for comparison below >+ struct ldb_dn *domaindnszones_dn = ldb_dn_copy(ac, ldb_get_default_basedn(ldb)); >+ if (!domaindnszones_dn) { >+ return ldb_oom(ldb_module_get_ctx(module)); >+ } >+ if (!ldb_dn_add_child_fmt(domaindnszones_dn, "DC=DomainDnsZones")) { >+ return ldb_oom(ldb_module_get_ctx(module)); >+ } >+ >+ /* Don't return application partitions on GC search */ >+ if (!no_gc_control ) { // not set by ldap_backend.c:ldapsrv_SearchRequest for GC port searches >+ // This behaviour was found on a Windows Server 2008R2 Foundation >+ // Looks like it's generally true that AD GC search doesn't return Forest+DomainDNSZones >+ // let's only treat the Windows Server 2008R2 Foundation case for now: >+ if (ldb_dn_is_null(req->op.search.base) && domain_scope_control) { >+ // workaround: set base to avoid partition_send_all below, skip Forest and DomainDNSZones >+ req->op.search.base = ldb_dn_copy(ac, ldb_get_default_basedn(ldb)); >+ } >+ } >+ > /* Search from the base DN */ > if (ldb_dn_is_null(req->op.search.base)) { > if (!phantom_root) { 
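Review bot: the "workaround" block that assigns `req->op.search.base = ldb_dn_copy(ac, ldb_get_default_basedn(ldb))` changes more than which DNS partitions are skipped. It mutates the caller's request in place and turns an empty-base GC search into a search rooted at the default NC, so any partition whose DN does not sit under that base is dropped too, and the guard `if (!no_gc_control) { if (ldb_dn_is_null(req->op.search.base) && domain_scope_control)` fires for every client that sends that request shape, not only the "Windows Server 2008R2 Foundation case" the comment says it is limited to. Consider leaving the base untouched, doing the filtering only in the per-partition loop, and rewording the comment to state the actual condition. Two smaller points: `forestdnszones_dn` and `domaindnszones_dn` are built on every search, including ones without the GC control, so move their construction inside the `!no_gc_control` branch; and the new lines use `//` comments and declarations after statements (`lp_ctx = talloc_get_type(...)` precedes `struct ldb_dn *forestdnszones_dn = ...`), whereas the surrounding file uses `/* */` comments with declarations at the top of the block.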
>@@ -628,6 +657,17 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req) > } > > if (phantom_root) { >+ >+ /* Don't return application partitions on GC search */ >+ if (!no_gc_control && domain_scope_control) { >+ if (ldb_dn_compare(data->partitions[i]->ctrl->dn, forestdnszones_dn) == 0) { >+ continue; >+ } >+ if (ldb_dn_compare(data->partitions[i]->ctrl->dn, domaindnszones_dn) == 0) { >+ continue; >+ } >+ } >+ > /* Phantom root: Find all partitions under the > * search base. We match if: > * >-- >2.1.4 >
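Review bot: the skip in the `if (phantom_root)` loop only recognises two hard-coded DNs, `DC=ForestDnsZones` and `DC=DomainDnsZones` appended to the default base DN, so any other application NC is still returned, and ForestDnsZones is missed whenever the default NC is not the forest root (the two coincide only in the forest root domain). Since the bug title asks that no application NCs be returned on a GC search, deciding per partition from how it is registered (domain, configuration and schema NCs versus application NCs) would be more robust than a DN string match. Also, `!no_gc_control && domain_scope_control` is now evaluated here and, with an extra `ldb_dn_is_null(req->op.search.base)` term, in the first hunk; compute the decision once into a named bool at the top of `partition_search()` so the two places cannot drift apart, and use the file's `/* */` comment style for the added comment block.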