author | Benjamin Franzke <benjaminfranzke@googlemail.com> | 2013-10-30 11:54:21 +0100 |
---|---|---|
committer | Benjamin Franzke <benjaminfranzke@googlemail.com> | 2013-11-01 07:01:39 +0100 |
commit | 16b7ba3488c1207d2229b0b51bfa709b80cf7a1f (patch) | |
tree | 2715acdd77feef5f134e668fbd7ca92cecda604c /source4/cldap_server | |
parent | 1a540680a6550f9b0938dd9c39a7558d8e578511 (diff) | |
download | samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.tar.gz samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.tar.bz2 samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.zip |
s4:dsdb/rootdse: Netlogon maybe requested with other attrs
MS AD allows netlogon requests to request other attributes,
as long as the search parameter is correct, e.g:
ldapsearch -h 192.168.122.2 -x -b '' -s base \
"(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))" \
supportedLDAPPolicies netlogon
This also removes an old check that returned zero elements for
requests having a netlogon attribute.
That does not hold if there is a valid netlogon filter.
This patch is to be squashed into
"s4:dsdb/rootdse: Support netlogon request".
Diffstat (limited to 'source4/cldap_server')
-rw-r--r-- | source4/cldap_server/cldap_server.h | 3 | ||||
-rw-r--r-- | source4/cldap_server/netlogon.c | 43 |
2 files changed, 43 insertions, 3 deletions
diff --git a/source4/cldap_server/cldap_server.h b/source4/cldap_server/cldap_server.h
index 995ceed3a2..181edbd176 100644
--- a/source4/cldap_server/cldap_server.h
+++ b/source4/cldap_server/cldap_server.h
@@ -56,6 +56,7 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				const char **domain_guid,
 				struct dom_sid **domain_sid,
 				int *acct_control,
-				int *version);
+				int *version,
+				bool filter_from_tree);
 
 #include "cldap_server/proto.h"
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index 0894b2bea7..a5c12df1fb 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -38,6 +38,7 @@
 #include "../lib/tsocket/tsocket.h"
 #include "libds/common/flag_mapping.h"
 #include "lib/util/util_net.h"
+#include "lib/ldb/include/ldb_module.h"
 
 /*
   fill in the cldap netlogon union for a given version
@@ -369,6 +370,21 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 	return NT_STATUS_OK;
 }
 
+/*
+  create a always matching node from a equality node
+ */
+static void set_parse_tree_true(struct ldb_parse_tree *tree)
+{
+	const char *attr = tree->u.equality.attr;
+	struct ldb_val value = tree->u.equality.value;
+
+	tree->operation = LDB_OP_EXTENDED;
+	tree->u.extended.attr = attr;
+	tree->u.extended.value = value;
+	tree->u.extended.rule_id = SAMBA_LDAP_MATCH_ALWAYS_TRUE;
+	tree->u.extended.dnAttributes = 0;
+}
+
 NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				struct loadparm_context *lp_ctx,
 				TALLOC_CTX *tmp_ctx,
@@ -378,7 +394,8 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				const char **domain_guid,
 				struct dom_sid **domain_sid,
 				int *acct_control,
-				int *version)
+				int *version,
+				bool filter_from_tree)
 {
 	unsigned int i;
 
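Review bot: set_parse_tree_true copies tree->u.equality.attr and tree->u.equality.value into locals before re-tagging the node, and the reason — u is a union, so the extended fields overlap the equality fields it is reading — deserves a comment, e.g. `/* u.equality and u.extended overlap; copy the fields out before re-tagging the node */`. The helper also assumes the node it is handed is an equality node; the operation check that presumably guarantees this sits in parse_netlogon_request's loop outside the hunk, so a one-line precondition comment on the helper would make that dependency visible. Its header comment `create a always matching node from a equality node` should read `create an always-matching node from an equality node`. The new `bool filter_from_tree` parameter in the prototype hunk is undocumented; a comment stating that, when true, each matched netlogon attribute node in `tree` is rewritten in place to an always-true extended match (so the caller's tree is modified) would expose the side effect at the declaration.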
@@ -400,11 +417,17 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 			*domain = talloc_strndup(tmp_ctx,
 						 (const char *)t->u.equality.value.data,
 						 t->u.equality.value.length);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "Host") == 0) {
 			*host = talloc_strndup(tmp_ctx,
 					       (const char *)t->u.equality.value.data,
 					       t->u.equality.value.length);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "DomainGuid") == 0) {
 			NTSTATUS enc_status;
@@ -413,6 +436,9 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 							     t->u.equality.value, &guid);
 			if (NT_STATUS_IS_OK(enc_status)) {
 				*domain_guid = GUID_string(tmp_ctx, &guid);
+				if (filter_from_tree) {
+					set_parse_tree_true(t);
+				}
 			}
 		}
 		if (strcasecmp(t->u.equality.attr, "DomainSid") == 0) {
@@ -429,19 +455,31 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				talloc_free(*domain_sid);
 				goto failed;
 			}
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "User") == 0) {
 			*user = talloc_strndup(tmp_ctx,
 					       (const char *)t->u.equality.value.data,
 					       t->u.equality.value.length);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "NtVer") == 0 &&
 		    t->u.equality.value.length == 4) {
 			*version = IVAL(t->u.equality.value.data, 0);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "AAC") == 0 &&
 		    t->u.equality.value.length == 4) {
 			*acct_control = IVAL(t->u.equality.value.data, 0);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 	}
 
@@ -480,7 +518,8 @@ void cldapd_netlogon_request(struct cldap_socket *cldap,
 	status = parse_netlogon_request(tree, cldapd->task->lp_ctx, tmp_ctx,
 					&domain, &host, &user, &domain_guid,
-					&domain_sid, &acct_control, &version);
+					&domain_sid, &acct_control, &version,
+					false);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto failed;
 	}
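Review bot: The guard `if (filter_from_tree) { set_parse_tree_true(t); }` is repeated seven times across these hunks, once per matched attribute, which makes it easy for a future attribute branch to forget the rewrite; a `bool matched = false;` set in each branch and a single `if (matched && filter_from_tree) { set_parse_tree_true(t); }` after the if-chain would keep the policy in one place. In the DomainGuid hunk the node is rewritten only when the GUID decodes, and in the NtVer/AAC hunks only when the value is exactly 4 bytes, so a malformed value leaves the original equality node in the filter; that looks intentional (the request then presumably just fails to match), but a short comment saying so would stop it being read as an omission. In the caller hunk at the end, the bare `false` argument would read better as `/* filter_from_tree */ false`. The loop over the tree's children that encloses these branches starts and ends outside the hunks.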