The Samba-Bugzilla – Bug 11392
Joining a Huawai storage fails: empty CLDAP ping answer
Last modified: 2017-06-27 17:48:52 UTC
Created attachment 11241 [details]
Seen in the wild: A Huawai storage array performs the initial CLDAP ping without NtVer in the filter. Samba doesn't send a searchResEntry in this case, only the searchResResult (success).
[MS-ADTS] sect. 188.8.131.52 "Domain Controller Response to an LDAP Ping" specifies that in this case the DC should answer normally with a NETLOGON_SAM_LOGON_RESPONSE_NT40 structure.
The attached patch fixes the problem, verified with examples/misc/cldap.pl as well as with that Huawai device.
In addition to this patch, the testsuite needs to be modified to cover the same case, so we don't regress here.
Once that is done, I'll be very glad to ask for a second review and get this into master.
Is anyone working on the test?
It's a pitty that the patch doesn't get upstream...
> Is anyone working on the test?
What is expected here, create a torture test for each misbehaving corner case?
(In reply to Arvid Requate from comment #3)
(In reply to Andrew Bartlett from comment #4)
To be clear, I will happily accept tests that operate on the netlogon RootDSE attribute over LDAP, not CLDAP, as the handlers are combined.
This should make it much, much easier to write tests in (say) python using our ldb bindings.
Created attachment 13300 [details]
The patch adds test to ldap.netlogon-udp.
Created attachment 13302 [details]
patches with knownfail entries
Here are the two patches but with a knownfail and the test before the patch (that way we know that the patch fixes things).
However, you assert that the response in an NETLOGON_SAM_LOGON_RESPONSE_NT40 but you don't prove that, and the code looks like it would set version = 0xffffffff and so match all the bits.
Can you extend the test to show the response structure, and set the default of *version to NETLOGON_NT_VERSION_1?
I suggest parsing the "netlogon" attribute with ndr_pull_struct_blob with
ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_NT40. The run it against windows to be sure.
Sorry for not giving you this feedback earlier.
Created attachment 13303 [details]
> However, you assert that the response in an NETLOGON_SAM_LOGON_RESPONSE_NT40
> but you don't prove that, and the code looks like it would set version =
> 0xffffffff and so match all the bits.
> Can you extend the test to show the response structure, and set the default of
> *version to NETLOGON_NT_VERSION_1?
> I suggest parsing the "netlogon" attribute with ndr_pull_struct_blob with
> ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_NT40. The run it against windows to
> be sure.
Yes, I had already implement that and you are right, I saw that it returned NETLOGON_NT_VERSION_5EX, not NETLOGON_NT_VERSION_1. Since my original patch was enough to satisfy that particular NAS device I preferred to be careful and not change anything more than that.
Anyway, the attached patch adjusts the behaviour to return NETLOGON_NT_VERSION_1 by default, if the CLDAP filter didn't ask for any specific NtVer. The torture test has been adjusted accordingly. I also included the selftest/knownfail.d/huawei changes recommended by you for autobuild.