Attachment 17301 Details for Bug 14674 – Patch for 4.14 next, 4.15 next and 4.16 rc

[patch] Patch for 4.14 next, 4.15 next and 4.16 rc

0001-s3-libads-Clear-previous-CLDAP-ping-flags-when-reusi.patch (text/plain), 2.97 KB, created by Samuel Cabrero on 2022-05-24 09:21:49 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Samuel Cabrero

Created: 2022-05-24 09:21:49 UTC

Size: 2.97 KB

patch

obsolete

>From 267fd0e2898d4aea673e65973672dc6075a27721 Mon Sep 17 00:00:00 2001
>From: Samuel Cabrero <scabrero@suse.de>
>Date: Mon, 23 May 2022 14:11:24 +0200
>Subject: [PATCH] s3:libads: Clear previous CLDAP ping flags when reusing the
> ADS_STRUCT
>
>Before commit 1d066f37b9217a475b6b84a935ad51fbec88fe04, when the LDAP
>connection wasn't established yet (ads->ldap.ld == NULL), the
>ads_current_time() function always allocated and initialized a new
>ADS_STRUCT even when ads->ldap.ss had a good address after having called
>ads_find_dc().
>
>After that commit, when the ADS_STRUCT is reused and passed to the
>ads_connect() call, ads_try_connect() may fail depending on the
>contacted DC because ads->config.flags field can contain the flags
>returned by the previous CLDAP call. For example, when having 5 DCs:
>
>* 192.168.101.31 has PDC FSMO role
>* 192.168.101.32
>* 192.168.101.33
>* 192.168.101.34
>* 192.168.101.35
>
>$> net ads info -S 192.168.101.35
>
>net_ads_info()
>  ads_startup_nobind()
>    ads_startup_int()
>      ads_init()
>      ads_connect()
>        ads_try_connect(192.168.101.35)
>          check_cldap_reply_required_flags(returned=0xF1FC, required=0x0)
>  ads_current_time()
>    ads_connect()
>      ads_try_connect(192.168.101.35)
>        check_cldap_reply_required_flags(returned=0xF1FC, required=0xF1FC)
>
>The check_cldap_reply_required_flags() call fails because
>ads->config.flags contain the flags returned by the previous CLDAP call,
>even when the returned and required values match because they have
>different semantics:
>
>  if (req_flags & DS_PDC_REQUIRED)
>        RETURN_ON_FALSE(ret_flags & NBT_SERVER_PDC);
>
>  translates to:
>
>  if (0xF1FC & 0x80)
>        RETURN_ON_FALSE(0xF1FC & 0x01);
>
>  which returns false because 192.168.101.35 has no PDC FSMO role.
>
>The easiest fix for now is to reset ads->config.flags in
>ads_current_time() when reusing an ADS_STRUCT before calling
>ads_connect(), but we should consider storing the required and returned
>flags in different fields or at least use the same bitmap for them
>because check_cldap_reply_required_flags() is checking a
>netr_DsRGetDCName_flags value using the nbt_server_type bitmap.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
>
>Signed-off-by: Samuel Cabrero <scabrero@samba.org>
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Mon May 23 19:18:38 UTC 2022 on sn-devel-184
>
>(cherry picked from commit a26f535dedc651afa2a25dd37113ac71787197ff)
>---
> source3/libads/ldap.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
>diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
>index f83d3aee10a..71bad38c1b1 100755
>--- a/source3/libads/ldap.c
>+++ b/source3/libads/ldap.c
>@@ -3304,6 +3304,13 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads)
> 				goto done;
> 			}
> 		}
>+
>+		/*
>+		 * Reset ads->config.flags as it can contain the flags
>+		 * returned by the previous CLDAP ping when reusing the struct.
>+		 */
>+		ads_s->config.flags = 0;
>+
> 		ads_s->auth.flags = ADS_AUTH_ANON_BIND;
> 		status = ads_connect( ads_s );
> 		if ( !ADS_ERR_OK(status))
>-- 
>2.36.1
>

Flags:

jra: review+
slow: review+

Actions: View

Attachments on bug 14674: 16558 | 16559 | 16560 | 16562 | 17137 | 17138 | 17155 | 17301