Created attachment 11241 [details] 0001-s4-dsdb-netlogon-allow-missing-ntver-in-cldap-ping.patch Seen in the wild: A Huawai storage array performs the initial CLDAP ping without NtVer in the filter. Samba doesn't send a searchResEntry in this case, only the searchResResult (success). [MS-ADTS] sect. 6.3.3.2 "Domain Controller Response to an LDAP Ping" specifies that in this case the DC should answer normally with a NETLOGON_SAM_LOGON_RESPONSE_NT40 structure. The attached patch fixes the problem, verified with examples/misc/cldap.pl as well as with that Huawai device.
In addition to this patch, the testsuite needs to be modified to cover the same case, so we don't regress here. Once that is done, I'll be very glad to ask for a second review and get this into master. Thanks!
ping Is anyone working on the test? It's a pitty that the patch doesn't get upstream...
> Is anyone working on the test? What is expected here, create a torture test for each misbehaving corner case?
(In reply to Arvid Requate from comment #3) Yes.
(In reply to Andrew Bartlett from comment #4) To be clear, I will happily accept tests that operate on the netlogon RootDSE attribute over LDAP, not CLDAP, as the handlers are combined. This should make it much, much easier to write tests in (say) python using our ldb bindings.
Created attachment 13300 [details] 0001-s4-torture-ldap-Test-netlogon-without-NtVer.patch The patch adds test to ldap.netlogon-udp.
Created attachment 13302 [details] patches with knownfail entries Here are the two patches but with a knownfail and the test before the patch (that way we know that the patch fixes things). However, you assert that the response in an NETLOGON_SAM_LOGON_RESPONSE_NT40 but you don't prove that, and the code looks like it would set version = 0xffffffff and so match all the bits. Can you extend the test to show the response structure, and set the default of *version to NETLOGON_NT_VERSION_1? I suggest parsing the "netlogon" attribute with ndr_pull_struct_blob with ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_NT40. The run it against windows to be sure. Sorry for not giving you this feedback earlier.
Created attachment 13303 [details] s4-dsdb-netlogon-allow-missing-ntver-in-cldap-ping.patch > However, you assert that the response in an NETLOGON_SAM_LOGON_RESPONSE_NT40 > but you don't prove that, and the code looks like it would set version = > 0xffffffff and so match all the bits. > > Can you extend the test to show the response structure, and set the default of > *version to NETLOGON_NT_VERSION_1? > > I suggest parsing the "netlogon" attribute with ndr_pull_struct_blob with > ndr_pull_NETLOGON_SAM_LOGON_RESPONSE_NT40. The run it against windows to > be sure. Yes, I had already implement that and you are right, I saw that it returned NETLOGON_NT_VERSION_5EX, not NETLOGON_NT_VERSION_1. Since my original patch was enough to satisfy that particular NAS device I preferred to be careful and not change anything more than that. Anyway, the attached patch adjusts the behaviour to return NETLOGON_NT_VERSION_1 by default, if the CLDAP filter didn't ask for any specific NtVer. The torture test has been adjusted accordingly. I also included the selftest/knownfail.d/huawei changes recommended by you for autobuild.
(In reply to Arvid Requate from comment #8) Sorry for the slow reply. Have you run this against windows? I'll do that tomorrow, and if it passes then I'll push it to master. Thanks for your patience on this!
Created attachment 13427 [details] additional patch for master I tested against Windows 2012R2, as as you note, the response is a NETLOGON_NT_VERSION_5. We do need to match Windows here, even if the client is more relaxed about what it accepts. Can you confirm the client accepts the response with this additional patch? Then we can get this into 4.7. Thanks,
I don't have access to the customer device, sorry. I guess it would accept the answer, it was unhappy because it didn't receive any searchResEntry.
Created attachment 13438 [details] patch cherry-picked from master for 4.7
Created attachment 13439 [details] patch cherry-picked from master for 4.6 Patch is also good for 4.6
(In reply to Andrew Bartlett from comment #13) Pushed to autobuild-v4-{7,6}-test.
(In reply to Karolin Seeger from comment #14) Pushed to both branches. Closing out bug report. Thanks!