Feature #6442

DC Locator compatibility with older AD servers

Added by Gordon Ross over 5 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: cifs - CIFS server and client
Start date: 2015-11-06
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

The DC Locator code uses a connection-less LDAP (CLDAP) request to get information from a candidate AD server, as specified in [MS-ADTS] sec. 6.3.3.
The "NtVer=4" part of the request specifies which versions of response we're prepared to accept.
The value 4 above is really a bit mask:
NETLOGON_NT_VERSION_5EX (0x00000004)
That bit says we want a response of the form:
NETLOGON_SAM_LOGON_RESPONSE_EX
That's the only response format we currently support.
Some servers fail to respond to that CLDAP request because they expect "NtVer=6".
(Demanding that value is a bug on the LDAP server side.)

Be that as it may, we could extend our support to query for either 5 or 5EX.
That would mean setting the NtVer mask to these two bits:
NETLOGON_NT_VERSION_5 (0x00000002)
NETLOGON_NT_VERSION_5EX (0x00000004)
By my reading of the spec, that tells the AD server that we'll
accept either of these response formats:
NETLOGON_SAM_LOGON_RESPONSE
NETLOGON_SAM_LOGON_RESPONSE_EX
Determining which format we've received is a little tricky, but possible as follows: Both formats end with these three elements:
NtVersion (4 bytes): This tells us which format we have.
LmNtToken (2 bytes): Always 0xFFFF.
Lm20Token (2 bytes): Always 0xFFFF.
Therefore, we can parse the 4-byte version word starting 8 bytes before the end of the message. If that version word has the NETLOGON_NT_VERSION_5EX bit set, the message uses format NETLOGON_SAM_LOGON_RESPONSE_EX (the one we already handle). If the version word has the NETLOGON_NT_VERSION_5 bit set, the message uses format NETLOGON_SAM_LOGON_RESPONSE.
If neither bit is set, this response should be discarded.
The code to determine the version and then conditionally parse the (older) NETLOGON_SAM_LOGON_RESPONSE needs to be implemented.
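As an added example (not illumos code and not attached to this issue), the following C sketch implements the trailer check described above: it reads the NtVersion word 8 bytes before the end of the message, verifies the two 0xFFFF tokens, and picks the format before any format-specific parsing runs. It assumes the trailer integers are little-endian, as NETLOGON structures are in MS-ADTS; the names ldap_ping_fmt_t, ldap_ping_classify and ldap_ping_req_mask_both, and the sample buffers, are invented for the example.

```c
/*
 * Added example: classify an LDAP ping (CLDAP) response by the NtVersion
 * word that sits 8 bytes before the end of the message.  Not illumos code.
 * Assumption: trailer integers are little-endian (MS-ADTS NETLOGON layout).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits of the NtVersion mask, as given in the feature description. */
#define	NETLOGON_NT_VERSION_5	0x00000002
#define	NETLOGON_NT_VERSION_5EX	0x00000004

/* Trailer shared by both formats: NtVersion(4) LmNtToken(2) Lm20Token(2). */
#define	LDAP_PING_TRAILER_LEN	8

typedef enum {
	LDAP_PING_FMT_INVALID = 0,	/* discard the response */
	LDAP_PING_FMT_RESPONSE,		/* NETLOGON_SAM_LOGON_RESPONSE */
	LDAP_PING_FMT_RESPONSE_EX	/* NETLOGON_SAM_LOGON_RESPONSE_EX */
} ldap_ping_fmt_t;

static uint32_t
le32_get(const uint8_t *p)
{
	return ((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	    ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

static uint16_t
le16_get(const uint8_t *p)
{
	return ((uint16_t)(p[0] | (p[1] << 8)));
}

/*
 * Decide which response format we were sent.  When vers is non-NULL the
 * raw NtVersion word is stored there.  A message that is too short, that
 * lacks the two 0xFFFF tokens, or that has neither version bit set is
 * rejected before any format-specific parsing is attempted.
 */
ldap_ping_fmt_t
ldap_ping_classify(const uint8_t *msg, size_t len, uint32_t *vers)
{
	const uint8_t *tail;
	uint32_t ntver;

	if (msg == NULL || len < LDAP_PING_TRAILER_LEN)
		return (LDAP_PING_FMT_INVALID);

	tail = msg + len - LDAP_PING_TRAILER_LEN;
	ntver = le32_get(tail);

	/* LmNtToken and Lm20Token are always 0xFFFF in both formats. */
	if (le16_get(tail + 4) != 0xFFFF || le16_get(tail + 6) != 0xFFFF)
		return (LDAP_PING_FMT_INVALID);

	if (vers != NULL)
		*vers = ntver;

	/* Check the EX bit first: that is the format already handled. */
	if (ntver & NETLOGON_NT_VERSION_5EX)
		return (LDAP_PING_FMT_RESPONSE_EX);
	if (ntver & NETLOGON_NT_VERSION_5)
		return (LDAP_PING_FMT_RESPONSE);
	return (LDAP_PING_FMT_INVALID);
}

/* NtVer mask to send when either format is acceptable: 0x2 | 0x4 = 0x6. */
uint32_t
ldap_ping_req_mask_both(void)
{
	return (NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX);
}

/*
 * Constructed sample messages (made up for this example): a few filler
 * bytes standing in for the body, then the eight-byte trailer.
 */
static const uint8_t sample_ex[] = {
	0x17, 0x00, 0x00, 0x00, 0xAA, 0xBB,	/* filler body */
	0x04, 0x00, 0x00, 0x00,			/* NtVersion: 5EX bit */
	0xFF, 0xFF, 0xFF, 0xFF };		/* LmNtToken, Lm20Token */
static const uint8_t sample_v5[] = {
	0x13, 0x00, 0x00, 0x00, 0xAA, 0xBB,
	0x02, 0x00, 0x00, 0x00,			/* NtVersion: 5 bit */
	0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t sample_neither[] = {
	0x13, 0x00, 0x00, 0x00,
	0x01, 0x00, 0x00, 0x00,			/* neither 5 nor 5EX */
	0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t sample_badtoken[] = {
	0x13, 0x00, 0x00, 0x00,
	0x04, 0x00, 0x00, 0x00,
	0xFF, 0xFF, 0x00, 0x00 };		/* Lm20Token wrong */

/* Named wrappers so each sample can be classified by name. */
ldap_ping_fmt_t classify_sample_ex(void)
{ return (ldap_ping_classify(sample_ex, sizeof (sample_ex), NULL)); }
ldap_ping_fmt_t classify_sample_v5(void)
{ return (ldap_ping_classify(sample_v5, sizeof (sample_v5), NULL)); }
ldap_ping_fmt_t classify_sample_neither(void)
{ return (ldap_ping_classify(sample_neither, sizeof (sample_neither), NULL)); }
ldap_ping_fmt_t classify_sample_badtoken(void)
{ return (ldap_ping_classify(sample_badtoken, sizeof (sample_badtoken), NULL)); }

int
main(void)
{
	static const char *names[] = { "invalid", "RESPONSE", "RESPONSE_EX" };
	printf("ex=%s v5=%s neither=%s badtoken=%s mask=0x%x\n",
	    names[classify_sample_ex()], names[classify_sample_v5()],
	    names[classify_sample_neither()], names[classify_sample_badtoken()],
	    ldap_ping_req_mask_both());
	return (0);
}
```

The classification runs before the existing by-hand parsing, so cldap_parse() would only be entered for the EX format and a new parser only for NETLOGON_SAM_LOGON_RESPONSE; anything else is dropped, as the description requires.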

Steps to Reproduce:
Testing this will also be tricky. I suggest making the "NtVer" we send a variable we can adjust. (ldap_ping_req_vers?) For testing (only) set ldap_ping_req_vers=2 (so we tell servers we only support the older format response) and verify the new parsing code works.
The test program usr/bin/test-getdc (which lives only in the proto area) can be used to facilitate tests.

Expected Results:
Should be able to parse both LDAP ping response types:
NETLOGON_SAM_LOGON_RESPONSE_EX
NETLOGON_SAM_LOGON_RESPONSE

Actual Results:
We only handle the LDAP ping response type:
NETLOGON_SAM_LOGON_RESPONSE_EX

#1

Updated by Gordon Ross over 5 years ago

Might also consider using the smb_msgbuf code to parse the NETLOGON_SAM_LOGON_RESPONSE or NETLOGON_SAM_LOGON_RESPONSE_EX response.
Should be quite a bit simpler than the by-hand parsing code in cldap_parse().
It would probably require adding $SRC/common/smbsrv/smb_msgbuf.c to libadutils (and maybe smb_utf8.c which I think that depends upon) but I think that would be OK.