Bug 12478 - Missing ldaps in referral response from DC
Summary: Missing ldaps in referral response from DC
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.4.4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL: https://gitlab.com/samba-team/samba/m...
Depends on:
Reported: 2016-12-21 16:53 UTC by Davide Principi
Modified: 2019-07-03 11:59 UTC (History)
5 users (show)

See Also:

Proposed patch for V4.10 (11.00 KB, patch)
2019-05-27 01:33 UTC, Gary Lockyer
abartlet: review+
gary: ci-passed+
Proposed patch fo V4.9 (10.98 KB, patch)
2019-05-27 03:21 UTC, Gary Lockyer
abartlet: review+
gary: ci-passed+

Note You need to log in before you can comment on or make changes to this bug.
Description Davide Principi 2016-12-21 16:53:56 UTC
If the client connects to ldaps:// with simple bind, the Samba 4.4 DC response differs from Windows Server 2012: different URI scheme is present in LDAP referrals.

For instance, this is an ldapsearch command output against Samba DC:

   ldapsearch -D 'davidep@neth.eu' -w '*****' -H ldaps://neth.eu -b dc=neth,dc=eu '(objectClass=user)'
   # search reference
   ref: ldap://neth.eu/CN=Configuration,DC=neth,DC=eu

   # search reference
   ref: ldap://neth.eu/DC=DomainDnsZones,DC=neth,DC=eu

   # search reference
   ref: ldap://neth.eu/DC=ForestDnsZones,DC=neth,DC=eu

And this is against MS-2012 DC:

   ldapsearch -D 'davidep@adnethesis.it' -w '******' -H ldaps://192.168.*.* -b dc=adnethesis,dc=it '(objectClass=user)'
    # search reference
    ref: ldaps://ForestDnsZones.adnethesis.it/DC=ForestDnsZones,DC=adnethesis,DC=i

    # search reference
    ref: ldaps://DomainDnsZones.adnethesis.it/DC=DomainDnsZones,DC=adnethesis,DC=i

    # search reference
    ref: ldaps://adnethesis.it/CN=Configuration,DC=adnethesis,DC=it

Note the ldaps:// from MS, against ldap:// from Samba.

The Samba response may cause a client (roundcube-1.1.7/openldap-2.4.40-13.el7.x86_64) to fail silently because it cannot bind correctly to that URL if non-encrypted binds are disabled. Disabling referrals chasing in the client or connecting to ldap://+STARTTLS mitigates the problem.

More informations from samba ML:

Comment 1 Gary Lockyer 2019-05-27 01:31:20 UTC
Fixed in master for V4.11 commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa
Comment 2 Gary Lockyer 2019-05-27 01:33:54 UTC
Created attachment 15191 [details]
Proposed patch for V4.10

CI: https://gitlab.com/samba-team/devel/samba/pipelines/63231529

Had conflicts on source4/selftest/tests.py when cheery picking, also had to change the testenv to ad_dc_ntcfs.
Comment 3 Gary Lockyer 2019-05-27 03:21:00 UTC
Created attachment 15192 [details]
Proposed patch fo V4.9

CI: https://gitlab.com/samba-team/devel/samba/pipelines/63232167

Had cherry pick conflicts on source4/selftest/tests.py and needed to change the test environment to "ad_dc_ntvfs"
Comment 4 Karolin Seeger 2019-06-20 09:54:16 UTC
Pushed to autobuild-v4-{9,10}-test.
Comment 5 Karolin Seeger 2019-06-26 07:00:33 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to both branches.
Closing out bug report.

Comment 6 Andrew Bartlett 2019-07-02 21:19:22 UTC
Sadly the backports did not include a new ldb release number so this needs to be added.  No change is needed in master (we only make ldb releases in master at rc0 and for ABI changes), but without a new version the backports break the build if a system ldb is found.
Comment 7 Karolin Seeger 2019-07-03 06:43:40 UTC
(In reply to Andrew Bartlett from comment #6)
This blocks the 4.10 release today, right?
Comment 8 Louis 2019-07-03 07:19:53 UTC
If the same is going to happen with 4.10 what happend with 4.9 
then all packagers will have problems also with 4.10.. 

same happens ofcourse on my debian/ubuntu builds. 

../source4/dsdb/samdb/ldb_modules/partition.c: In function 'partition_search':
../source4/dsdb/samdb/ldb_modules/partition.c:906:14: error: 'LDAP_REFERRAL_SCHEME_OPAQUE' undeclared (first use in this function)
../source4/dsdb/samdb/ldb_modules/partition.c:906:14: note: each undeclared identifier is reported only once for each function it appears in
Waf: Leaving directory `/home/pbuilder/archive/build-samba/11-samba/stretch/samba-4.9.10+nmu/bin'
Build failed:  -> task failed (err #1):
        {task: cc partition.c -> partition_55.o}
debian/rules:96: recipe for target 'override_dh_auto_build' failed
make[1]: *** [override_dh_auto_build] Error 1
Comment 9 Karolin Seeger 2019-07-03 07:26:14 UTC
Re-assigning to Gary.
Comment 10 Stefan Metzmacher 2019-07-03 11:35:54 UTC
ldb releases are done.
Comment 11 Karolin Seeger 2019-07-03 11:58:22 UTC
(In reply to Stefan Metzmacher from comment #10)
Samba 4.9.11 has been released.
Comment 12 Karolin Seeger 2019-07-03 11:59:24 UTC
Closing out bug report.