From b97419722c70db4ff75d27d73ac7a1f51cb9ea9e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 2 Mar 2017 17:19:21 +0100
Subject: [PATCH 1/2] ldb-samba: remember the error string of a failing bind in ildb_connect()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

(cherry picked from commit 4738754e7d7216f6acf790827459bb5da6b0a110)
---
 lib/ldb-samba/ldb_ildap.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c
index 65f11db..541971f 100644
--- a/lib/ldb-samba/ldb_ildap.c
+++ b/lib/ldb-samba/ldb_ildap.c
@@ -863,6 +863,7 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
 	return LDB_SUCCESS;
 
 failed:
+	ldb_set_errstring(ldb, ldap_errstr(ildb->ldap, module, status));
 	talloc_free(module);
 	if (NT_STATUS_IS_LDAP(status)) {
 		return NT_STATUS_LDAP_CODE(status);
-- 
1.9.1

From 4b47e326345e31ecf8949ad050ddd5f3afa55cde Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 24 Feb 2017 18:30:56 +0100
Subject: [PATCH 2/2] s4:ldap_server: match windows in the error messages of failing LDAP Bind requests

This is important for some applications to detect the NT_STATUS_PASSWORD_MUST_CHANGE condition correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9048

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

(cherry picked from commit 81ccdad9d045a7a6d6a569d1685bb0bf4e64d12a)
---
 source4/ldap_server/ldap_bind.c | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index 1264d11..aad8931 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
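Review bot: The added `ldb_set_errstring()` call dereferences `ildb->ldap` on every path that reaches `failed:`, but ildb_connect's body (which starts before this hunk) has earlier `goto failed` sites, and if any of them runs before `ildb` or `ildb->ldap` has been allocated this becomes a NULL dereference on an already-failing path. Guard it: `if (ildb != NULL && ildb->ldap != NULL) { ldb_set_errstring(ldb, ldap_errstr(ildb->ldap, module, status)); }`. Placing the call before `talloc_free(module)` is right, since `ldap_errstr()` is handed `module` as its allocation context; that relies on `ldb_set_errstring()` copying the string rather than retaining the pointer, which I believe it does but is worth confirming. Note also that this unconditionally replaces whatever errstring an earlier failure site may have set.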
@@ -29,6 +29,37 @@
 #include "param/param.h"
 #include "../lib/util/tevent_ntstatus.h"
 
+static char *ldapsrv_bind_error_msg(TALLOC_CTX *mem_ctx,
+				    HRESULT hresult,
+				    uint32_t DSID,
+				    NTSTATUS status)
+{
+	WERROR werr;
+	char *msg = NULL;
+
+	status = nt_status_squash(status);
+	werr = ntstatus_to_werror(status);
+
+	/*
+	 * There are 4 lower case hex digits following 'v' at the end,
+	 * but different Windows Versions return different values:
+	 *
+	 * Windows 2008R2 uses 'v1db1'
+	 * Windows 2012R2 uses 'v2580'
+	 *
+	 * We just match Windows 2008R2 as that's what was referenced
+	 * in https://bugzilla.samba.org/show_bug.cgi?id=9048
+	 */
+	msg = talloc_asprintf(mem_ctx, "%08X: LdapErr: DSID-%08X, comment: "
+			      "AcceptSecurityContext error, data %x, v1db1",
+			      (unsigned)HRES_ERROR_V(hresult),
+			      (unsigned)DSID,
+			      (unsigned)W_ERROR_V(werr));
+
+	return msg;
+}
+
+
 static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 {
 	struct ldap_BindRequest *req = &call->request->r.BindRequest;
@@ -95,7 +126,8 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call)
 		status = nt_status_squash(status);
 
 		result = LDAP_INVALID_CREDENTIALS;
-		errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status));
+		errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_INVALID_TOKEN,
+						0x0C0903A9, status);
 	}
 
 do_reply:
@@ -344,7 +376,8 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
 		status = nt_status_squash(status);
 		if (result == 0) {
 			result = LDAP_INVALID_CREDENTIALS;
-			errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status));
+			errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED,
+							0x0C0904DC, status);
 		}
 		talloc_unlink(conn, conn->gensec);
 		conn->gensec = NULL;
-- 
1.9.1
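Review bot: `ldapsrv_bind_error_msg()` has no header comment, and the property most worth recording is that its own `nt_status_squash()` call is what keeps the client-visible `data` field from leaking account existence: as I recall, squash folds NT_STATUS_NO_SUCH_USER and NT_STATUS_WRONG_PASSWORD into NT_STATUS_LOGON_FAILURE, while leaving states such as password-must-change distinguishable, which is the point of the change. I would add above the function `/* Build a Windows-style bind failure message. status is squashed here so the data field cannot tell an unknown user from a wrong password; callers may pass an unsquashed status. */`. Both callers in this patch already squash before calling, so the squash inside is redundant but harmless, and keeping it in the helper means no future caller can bypass it. `talloc_asprintf()` can return NULL and the callers store that straight into `errstr`, which matches the previous behaviour but should be a deliberate choice.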
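Review bot: The DSID `0x0C0903A9` is a bare magic number at the call site; naming it, e.g. `#define LDAPSRV_DSID_BIND_SIMPLE 0x0C0903A9` next to the helper, would make clear it is the Windows DSID being mimicked rather than a locally meaningful value. The old message carried `nt_errstr(status)` in clear text, which is now reduced to a hex `data` code in what the client sees; if that text was relied on for troubleshooting, a server-side `DEBUG(...)` line printing nt_errstr before building errstr preserves it without changing the wire message. The enclosing `else` branch and ldapsrv_BindSimple itself start outside the hunk.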
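Review bot: As on the simple-bind path, `0x0C0904DC` should be a named constant, and the dropped `SASL:[%s]` mechanism name together with `nt_errstr(status)` are now only recoverable from the hex `data` field, so consider a `DEBUG(...)` line with `req->creds.SASL.mechanism` and the status before the `ldapsrv_bind_error_msg()` call. The `if (result == 0)` guard means a branch that preset `result` keeps its original errstr, so only the `result == 0` case gets the Windows-style text; that is pre-existing, but worth a one-line comment since the two cases now read very differently to a client. ldapsrv_BindSASL and the enclosing branch start outside the hunk.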