DC Locator compatibility with older AD servers
The DC Locator code uses a connection-less LDAP (CLDAP) request to get information from a candidate AD server, as specified in [MS-ADTS] sec. 6.3.3.
The "NtVer=4" part of the request specifies which versions of response we're prepared to accept.
The value 4 above is really a bit mask:
That bit says we want a response of the form:
That's the only response format we currently support.
Some servers fail to respond to that CLDAP request because they expect "NtVer=6".
(Demanding that value is a bug on the LDAP server side.)
Be that as it may, we could extend our support to query for either 5 or 5EX.
That would mean setting the NtVer mask to these two bits:
By my reading of the spec, that tells the AD server that we'll
accept either of these response formats:
Determining which format we've received is a little tricky, but possible as follows: Both formats end with these three elements:
NtVersion (4 bytes): This tells us which format we have.
LmNtToken (2 bytes): Always 0xFFFF.
Lm20Token (2 bytes): Always 0xFFFF.
Therefore, we can parse the 4-byte version word starting 8-bytes before the end of the message. It that version word has the NETLOGON_NT_VERSION_5EX bit set, the message uses format NETLOGON_SAM_LOGON_RESPONSE_EX (the one we already handle). If the version word has the NETLOGON_NT_VERSION_5 bit set, the message uses format NETLOGON_SAM_LOGON_RESPONSE.
If neither bit is set, this response should be discarded.
The code to determine the version and then conditionally parse the (older) NETLOGON_SAM_LOGON_RESPONSE needs to be implemented.
Steps to Reproduce:
Testing this will also be tricky. I suggest making the "NtVer" we send a variable we can adjust. (ldap_ping_req_vers?) For testing (only) set ldap_ping_req_vers=2 (so we tell servers we only support the older
format response) and verify the new parsing code works.
The test program usr/bin/test-getdc (which lives only in the proto area) can be used to facilitate tests.
Should be able to parse both LDAP ping response types:
We only handle the LDAP ping response type:
Updated by Gordon Ross over 5 years ago
Might also consider using the smb_msgbuf code to parse the NETLOGON_SAM_LOGON_RESPONSE or NETLOGON_SAM_LOGON_RESPONSE_EX response.
Should be quite a bit simpler than the by-hand parsing code in cldap_parse().
It would probably require adding $SRC/common/smbsrv/smb_msgbuf.c to libadutils (and maybe smb_utf8.c which I think that depends upon) but I think that would be OK.