From 267fd0e2898d4aea673e65973672dc6075a27721 Mon Sep 17 00:00:00 2001 
From: Samuel Cabrero
Date: Mon, 23 May 2022 14:11:24 +0200
Subject: [PATCH] s3:libads: Clear previous CLDAP ping flags when reusing the ADS_STRUCT

Before commit 1d066f37b9217a475b6b84a935ad51fbec88fe04, when the LDAP connection wasn't established yet (ads->ldap.ld == NULL), the ads_current_time() function always allocated and initialized a new ADS_STRUCT even when ads->ldap.ss had a good address after having called ads_find_dc().

After that commit, when the ADS_STRUCT is reused and passed to the ads_connect() call, ads_try_connect() may fail depending on the contacted DC because ads->config.flags field can contain the flags returned by the previous CLDAP call.

For example, when having 5 DCs:

* 192.168.101.31 has PDC FSMO role
* 192.168.101.32
* 192.168.101.33
* 192.168.101.34
* 192.168.101.35

$> net ads info -S 192.168.101.35

net_ads_info()
ads_startup_nobind()
ads_startup_int()
ads_init()
ads_connect()
ads_try_connect(192.168.101.35)
check_cldap_reply_required_flags(returned=0xF1FC, required=0x0)
ads_current_time()
ads_connect()
ads_try_connect(192.168.101.35)
check_cldap_reply_required_flags(returned=0xF1FC, required=0xF1FC)

The check_cldap_reply_required_flags() call fails because ads->config.flags contain the flags returned by the previous CLDAP call, even when the returned and required values match because they have different semantics:

    if (req_flags & DS_PDC_REQUIRED)
        RETURN_ON_FALSE(ret_flags & NBT_SERVER_PDC);

translates to:

    if (0xF1FC & 0x80)
        RETURN_ON_FALSE(0xF1FC & 0x01);

which returns false because 192.168.101.35 has no PDC FSMO role.

The easiest fix for now is to reset ads->config.flags in ads_current_time() when reusing an ADS_STRUCT before calling ads_connect(), but we should consider storing the required and returned flags in different fields or at least use the same bitmap for them because check_cldap_reply_required_flags() is checking a netr_DsRGetDCName_flags value using the nbt_server_type bitmap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674 Signed-off-by: Samuel Cabrero Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Mon May 23 19:18:38 UTC 2022 on sn-devel-184 (cherry picked from commit a26f535dedc651afa2a25dd37113ac71787197ff) --- source3/libads/ldap.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index f83d3aee10a..71bad38c1b1 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -3304,6 +3304,13 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads) goto done; } } + + /* + * Reset ads->config.flags as it can contain the flags + * returned by the previous CLDAP ping when reusing the struct. + */ + ads_s->config.flags = 0; + ads_s->auth.flags = ADS_AUTH_ANON_BIND; status = ads_connect( ads_s ); if ( !ADS_ERR_OK(status)) -- 2.36.1
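
Review bot: The added `ads_s->config.flags = 0;` just before `ads_connect( ads_s )` sits outside the preceding block, so it clears the whole field on every call, and it does so only in ads_current_time(). Any other path that hands an already-pinged ADS_STRUCT back to ads_connect() would still feed the returned CLDAP flags into the next required-flags check, and a caller that had set required flags on purpose loses them here. Consider resetting where the connect attempt starts, or keeping required and returned flags in separate fields as the commit message suggests, and extend the code comment to say that the field is read as the required flags by the next ads_connect(), since that is why a stale value fails. The diffstat lists only source3/libads/ldap.c, so a regression test covering the `net ads info -S` case against a DC without the PDC role would help keep this fixed.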
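
The failure described in the commit message, as an added example that is not part of the patch or of Samba: a minimal C model of one field being read as required flags and then overwritten with the returned flags. `struct model_ads`, `model_try_connect()` and `reuse_connect()` are hypothetical names; only the values 0x80, 0x01 and 0xF1FC come from the message.

```c
/* Added illustration, not Samba code. Struct and helper names are
 * hypothetical; the flag values and 0xF1FC are from the commit message. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DS_PDC_REQUIRED 0x80u /* request bitmap (netr_DsRGetDCName_flags) */
#define NBT_SERVER_PDC  0x01u /* reply bitmap (nbt_server_type) */

struct model_ads { uint32_t config_flags; }; /* stands in for ads->config.flags */

/* Only the PDC check quoted in the commit message is modelled. */
static bool check_required_flags(uint32_t ret_flags, uint32_t req_flags)
{
	if ((req_flags & DS_PDC_REQUIRED) && !(ret_flags & NBT_SERVER_PDC)) {
		return false;
	}
	return true;
}

/* One CLDAP ping: the field is read as "required", then overwritten
 * with the flags the DC returned. */
static bool model_try_connect(struct model_ads *ads, uint32_t dc_reply)
{
	if (!check_required_flags(dc_reply, ads->config_flags)) {
		return false;
	}
	ads->config_flags = dc_reply;
	return true;
}

/* Connect twice to the same non-PDC DC, reusing the struct. */
static bool reuse_connect(bool reset_between)
{
	const uint32_t dc_reply = 0xF1FCu; /* bit 0x80 set, PDC bit 0x01 clear */
	struct model_ads ads = { .config_flags = 0 };

	if (!model_try_connect(&ads, dc_reply)) {
		return false;
	}
	if (reset_between) {
		ads.config_flags = 0; /* the reset the patch adds */
	}
	return model_try_connect(&ads, dc_reply);
}

int main(void)
{
	printf("reuse without reset: %s\n", reuse_connect(false) ? "ok" : "fail");
	printf("reuse with reset:    %s\n", reuse_connect(true) ? "ok" : "fail");
	return 0;
}
```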