authorBenjamin Franzke <benjaminfranzke@googlemail.com>2013-10-30 11:54:21 +0100
committerBenjamin Franzke <benjaminfranzke@googlemail.com>2013-11-01 07:01:39 +0100
commit16b7ba3488c1207d2229b0b51bfa709b80cf7a1f (patch)
tree2715acdd77feef5f134e668fbd7ca92cecda604c /source4/dsdb
parent1a540680a6550f9b0938dd9c39a7558d8e578511 (diff)
downloadsamba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.tar.gz
samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.tar.bz2
samba-16b7ba3488c1207d2229b0b51bfa709b80cf7a1f.zip
s4:dsdb/rootdse: Netlogon maybe requested with other attrs
MS AD allows netlogon requests to request other attributes, as long as the search parameter is correct, e.g: ldapsearch -h 192.168.122.2 -x -b '' -s base \ "(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))" \ supportedLDAPPolicies netlogon This also removes an old check that for requests having a netlogon attribute returned zero elements. This is not true, if there is a valid netlogon filter. This patch is to be squashed into "s4:dsdb/rootdse: Support netlogon request".
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/rootdse.c101
1 files changed, 38 insertions, 63 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index baffd1766c..3ec6248302 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -45,6 +45,12 @@ struct private_data {
bool block_anonymous;
};
+struct rootdse_context {
+ struct ldb_module *module;
+ struct ldb_request *req;
+ struct ldb_val netlogon;
+};
+
/*
return 1 if a specific attribute has been requested
*/
@@ -556,11 +562,6 @@ failed:
handle search requests
*/
-struct rootdse_context {
- struct ldb_module *module;
- struct ldb_request *req;
-};
-
static struct rootdse_context *rootdse_init_context(struct ldb_module *module,
struct ldb_request *req)
{
@@ -599,16 +600,6 @@ static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
switch (ares->type) {
case LDB_REPLY_ENTRY:
- /*
- * if the client explicit asks for the 'netlogon' attribute
- * the reply_entry needs to be skipped
- */
- if (ac->req->op.search.attrs &&
- ldb_attr_in_list(ac->req->op.search.attrs, "netlogon")) {
- talloc_free(ares);
- return LDB_SUCCESS;
- }
-
/* for each record returned post-process to add any dynamic
attributes that have been asked for */
ret = rootdse_add_dynamic(ac, ares->message,
@@ -618,6 +609,17 @@ static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
return ldb_module_done(ac->req, NULL, NULL, ret);
}
+ /* This should of cause be in rootdse_add_dynamic,
+ * but therefore we need ac there. */
+ if (ac->netlogon.length > 0) {
+ ret = ldb_msg_add_value(ares->message, "netlogon",
+ &ac->netlogon, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+
return ldb_module_send_entry(ac->req, ares->message, ares->controls);
case LDB_REPLY_REFERRAL:
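Review bot: The new error path in the `ldb_msg_add_value` check returns `ret` straight from the callback, while the `rootdse_add_dynamic` failure a few lines above finishes the request with `ldb_module_done(ac->req, NULL, NULL, ret)`; a bare return leaves the request unfinished, so the check should read `return ldb_module_done(ac->req, NULL, NULL, ret);`. Two smaller points in the same addition: the comment reads "should of cause", presumably meant as "should of course", and the two blank lines before `return ldb_module_send_entry(...)` can collapse to one. rootdse_callback starts before this hunk.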
@@ -760,9 +762,7 @@ static int rootdse_handle_netlogon(struct rootdse_context *ac)
int version = -1;
NTSTATUS status;
struct netlogon_samlogon_response netlogon;
- struct ldb_message *msg = NULL;
- int ret, error = LDB_ERR_OPERATIONS_ERROR;
- struct ldb_val blob;
+ int ret = LDB_SUCCESS;
ldb = ldb_module_get_ctx(ac->module);
tree = ac->req->op.search.tree;
@@ -774,9 +774,12 @@ static int rootdse_handle_netlogon(struct rootdse_context *ac)
status = parse_netlogon_request(tree, lp_ctx, tmp_ctx,
&domain, &host, &user, &domain_guid,
- &domain_sid, &acct_control, &version);
+ &domain_sid, &acct_control, &version,
+ true);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ /* We have to return an empty search if the filter
+ * does not match, no an error. */
+ goto done;
}
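Review bot: The `goto done` on a non-OK status from parse_netlogon_request leaves `ret` at `LDB_SUCCESS` (set in the hunk just above) and `ac->netlogon` untouched, so "filter did not match" is signalled to rootdse_search only through `ac->netlogon.length == 0`; that contract is not written down at the function, and it depends on `ac->netlogon` being zeroed by rootdse_init_context, which this commit does not show. A header comment on rootdse_handle_netlogon stating that it returns LDB_SUCCESS with an empty `ac->netlogon` when the request is not a netlogon query, and an LDB error only for genuine failures, would make the caller's check self-explanatory. Also, "no an error" in the new comment is presumably "not an error", and the bare `true` passed to parse_netlogon_request deserves a short comment naming what it enables. The function begins outside this hunk.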
status = fill_netlogon_samlogon_response(ldb, tmp_ctx,
@@ -787,50 +790,19 @@ static int rootdse_handle_netlogon(struct rootdse_context *ac)
version, lp_ctx,
&netlogon, false);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto done;
}
- status = push_netlogon_samlogon_response(&blob, tmp_ctx, &netlogon);
+ status = push_netlogon_samlogon_response(&ac->netlogon, ac, &netlogon);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
- }
-
- msg = ldb_msg_new(tmp_ctx);
- if (!msg) {
- error = ldb_oom(ldb);
- goto failed;
- }
-
- msg->dn = ldb_dn_new(msg, ldb, "");
- if (!msg->dn) {
- error = ldb_oom(ldb);
- goto failed;
- }
-
- ret = ldb_msg_add_value(msg, "netlogon", &blob, NULL);
- if (ret != LDB_SUCCESS) {
- error = ret;
- goto failed;
- }
-
- ret = ldb_module_send_entry(ac->req, msg, NULL);
- if (ret != LDB_SUCCESS) {
- error = ret;
- goto failed;
- }
-
- ret = ldb_module_done(ac->req, NULL, NULL, LDB_SUCCESS);
- if (ret != LDB_SUCCESS) {
- error = ret;
- goto failed;
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto done;
}
+done:
talloc_free(tmp_ctx);
- return LDB_SUCCESS;
-
-failed:
- talloc_free(tmp_ctx);
- return ldb_module_done(ac->req, NULL, NULL, error);
+ return ret;
}
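Review bot: The two new `ret = LDB_ERR_OPERATIONS_ERROR; goto done;` branches drop the NTSTATUS from fill_netlogon_samlogon_response and push_netlogon_samlogon_response without a trace, whereas the parse failure just above is treated as a normal outcome; since these two are genuine failures, logging the status before the goto, e.g. `ldb_debug(ldb, LDB_DEBUG_ERROR, "netlogon response failed: %s\n", nt_errstr(status));`, keeps them diagnosable. The switch to `push_netlogon_samlogon_response(&ac->netlogon, ac, &netlogon)` correctly allocates the blob on `ac` rather than `tmp_ctx`, since the value is only consumed later in rootdse_callback and `tmp_ctx` is freed at `done:`; a one-line comment saying so would stop a future reader from "fixing" it back to `tmp_ctx`. The function begins outside this hunk.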
static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
@@ -863,11 +835,14 @@ static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
return ldb_operr(ldb);
}
- if (req->op.search.attrs &&
- req->op.search.attrs[0] &&
- req->op.search.attrs[1] == NULL &&
- ldb_attr_cmp(req->op.search.attrs[0], "netlogon") == 0) {
- return rootdse_handle_netlogon(ac);
+ if (do_attribute_explicit(req->op.search.attrs, "netlogon")) {
+ ret = rootdse_handle_netlogon(ac);
+ /* Finish with an empty reply here, either if:
+ * - An error was returned, or
+ * - No valid netlogon generated (i.e filter didn't match). */
+ if (ret != LDB_SUCCESS || ac->netlogon.length == 0) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
+ }
}
/* in our db we store the rootDSE with a DN of @ROOTDSE */
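Review bot: The new comment explains the two early-return cases but not the third, where rootdse_handle_netlogon succeeds with a non-empty blob and control falls through into the normal rootDSE search; the reader has to find the `ac->netlogon.length > 0` branch in rootdse_callback to learn that the blob is attached to the returned entry there. A closing line such as `/* Otherwise fall through: rootdse_callback adds ac->netlogon to the entry. */` after the `if` would complete the picture. `do_attribute_explicit` is not visible in this commit, so whether it rejects a `*` wildcard the way the removed attrs[0]/attrs[1] test did is inferred from its name only. The "i.e filter" in the comment is presumably "i.e. filter". rootdse_search continues past the hunk.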