From 16b7ba3488c1207d2229b0b51bfa709b80cf7a1f Mon Sep 17 00:00:00 2001 From: Benjamin Franzke Date: Wed, 30 Oct 2013 11:54:21 +0100 Subject: s4:dsdb/rootdse: Netlogon maybe requested with other attrs MS AD allows netlogon requests to request other attributes, as long as the search parameter is correct, e.g: ldapsearch -h 192.168.122.2 -x -b '' -s base \ "(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))" \ supportedLDAPPolicies netlogon This also removes an old check that for requests having a netlogon attribute returned zero elements. This is not true, if there is a valid netlogon filter. This patch is to be squashed into "s4:dsdb/rootdse: Support netlogon request". --- source4/cldap_server/cldap_server.h | 3 ++- source4/cldap_server/netlogon.c | 43 +++++++++++++++++++++++++++++++++++-- 2 files changed, 43 insertions(+), 3 deletions(-) (limited to 'source4/cldap_server')
diff --git a/source4/cldap_server/cldap_server.h b/source4/cldap_server/cldap_server.h
index 995ceed3a2..181edbd176 100644
--- a/source4/cldap_server/cldap_server.h
+++ b/source4/cldap_server/cldap_server.h
@@ -56,6 +56,7 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 const char **domain_guid,
 struct dom_sid **domain_sid,
 int *acct_control,
- int *version);
+ int *version,
+ bool filter_from_tree);
 #include "cldap_server/proto.h"
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index 0894b2bea7..a5c12df1fb 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -38,6 +38,7 @@
 #include "../lib/tsocket/tsocket.h"
 #include "libds/common/flag_mapping.h"
 #include "lib/util/util_net.h"
+#include "lib/ldb/include/ldb_module.h"
 /* fill in the cldap netlogon union for a given version
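Review bot: The new `bool filter_from_tree` parameter in the parse_netlogon_request prototype is undocumented, and it changes the contract of the first argument: when it is set, the function rewrites nodes of the caller's `tree` in place (via set_parse_tree_true in netlogon.c), so `tree` is no longer read-only. A comment beside the prototype would make that visible to callers: `/* filter_from_tree: when true, each recognised netlogon attribute node in tree is rewritten in place into an always-true extended match, presumably so the caller can still evaluate the remaining filter */`. The same applies to the definition's signature hunk in netlogon.c. The prototype's parameter list begins outside this hunk.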
@@ -369,6 +370,21 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 return NT_STATUS_OK;
 }
+/*
+ create a always matching node from a equality node
+ */
+static void set_parse_tree_true(struct ldb_parse_tree *tree)
+{
+ const char *attr = tree->u.equality.attr;
+ struct ldb_val value = tree->u.equality.value;
+
+ tree->operation = LDB_OP_EXTENDED;
+ tree->u.extended.attr = attr;
+ tree->u.extended.value = value;
+ tree->u.extended.rule_id = SAMBA_LDAP_MATCH_ALWAYS_TRUE;
+ tree->u.extended.dnAttributes = 0;
+}
+
 NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 struct loadparm_context *lp_ctx,
 TALLOC_CTX *tmp_ctx,
@@ -378,7 +394,8 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 const char **domain_guid,
 struct dom_sid **domain_sid,
 int *acct_control,
- int *version)
+ int *version,
+ bool filter_from_tree)
 {
 unsigned int i;
@@ -400,11 +417,17 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 *domain = talloc_strndup(tmp_ctx,
 (const char *)t->u.equality.value.data,
 t->u.equality.value.length);
+ if (filter_from_tree) {
+ set_parse_tree_true(t);
+ }
 }
 if (strcasecmp(t->u.equality.attr, "Host") == 0) {
 *host = talloc_strndup(tmp_ctx,
 (const char *)t->u.equality.value.data,
 t->u.equality.value.length);
+ if (filter_from_tree) {
+ set_parse_tree_true(t);
+ }
 }
 if (strcasecmp(t->u.equality.attr, "DomainGuid") == 0) {
 NTSTATUS enc_status;
@@ -413,6 +436,9 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 t->u.equality.value, &guid);
 if (NT_STATUS_IS_OK(enc_status)) {
 *domain_guid = GUID_string(tmp_ctx, &guid);
+ if (filter_from_tree) {
+ set_parse_tree_true(t);
+ }
 }
 }
 if (strcasecmp(t->u.equality.attr, "DomainSid") == 0) {
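Review bot: set_parse_tree_true copies `attr` and `value` into locals before writing `tree->u.extended`, but nothing says why; `u.equality` and `u.extended` are members of the same union in struct ldb_parse_tree, so direct assignment would clobber the fields still being read, and a one-line comment above the locals, `/* copy out first: u.equality and u.extended overlap in the union */`, would keep a later cleanup from "simplifying" this into direct assignment. The header comment should also read `create an always-matching node from an equality node` and state the precondition that `tree->operation` is LDB_OP_EQUALITY on entry, which the function never checks — it appears to rely on the equality test in the caller's loop, which lies outside these hunks. The rewritten node keeps pointing at the client-supplied attr and value, so it has their lifetime; a word on that in the comment would help too.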
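Review bot: The `if (filter_from_tree) { set_parse_tree_true(t); }` block is pasted after every accepted attribute in the `@@ -400` hunk and again in the `@@ -413` and `@@ -429` hunks, seven copies in all; a style alternative is `bool matched = false;` at the top of the loop body, `matched = true;` in each branch that now calls the helper (inside the `length == 4` and GUID-decode-OK conditions, so the existing semantics are kept), and a single `if (matched && filter_from_tree) { set_parse_tree_true(t); }` at the end of the loop body. The start and end of that loop body are outside these hunks, so the single call site would land in unchanged code. Note also that an attribute that is recognised but rejected (NtVer or AAC with a length other than 4, or an undecodable DomainGuid) keeps its equality node; if that is intended — the commit message says the search parameter must be correct — a comment saying so would stop a reader from taking it for an omission.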
@@ -429,19 +455,31 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 talloc_free(*domain_sid);
 goto failed;
 }
+ if (filter_from_tree) {
+ set_parse_tree_true(t);
+ }
 }
 if (strcasecmp(t->u.equality.attr, "User") == 0) {
 *user = talloc_strndup(tmp_ctx,
 (const char *)t->u.equality.value.data,
 t->u.equality.value.length);
+ if (filter_from_tree) {
+ set_parse_tree_true(t);
+ }
 }
 if (strcasecmp(t->u.equality.attr, "NtVer") == 0 &&
 t->u.equality.value.length == 4) {
 *version = IVAL(t->u.equality.value.data, 0);
+ if (filter_from_tree) {
+ set_parse_tree_true(t);
+ }
 }
 if (strcasecmp(t->u.equality.attr, "AAC") == 0 &&
 t->u.equality.value.length == 4) {
 *acct_control = IVAL(t->u.equality.value.data, 0);
+ if (filter_from_tree) {
+ set_parse_tree_true(t);
+ }
 }
 }
@@ -480,7 +518,8 @@ void cldapd_netlogon_request(struct cldap_socket *cldap,
 status = parse_netlogon_request(tree, cldapd->task->lp_ctx, tmp_ctx,
 &domain, &host, &user, &domain_guid,
- &domain_sid, &acct_control, &version);
+ &domain_sid, &acct_control, &version,
+ false);
 if (!NT_STATUS_IS_OK(status)) {
 goto failed;
 }
-- cgit
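Review bot: The bare `false` on the new last line of the parse_netlogon_request call in the `@@ -480` hunk gives a reader no clue which option it disables; a trailing comment, `false /* filter_from_tree: leave the CLDAP parse tree untouched */);`, ties it to the parameter name in the prototype. cldapd_netlogon_request begins and ends outside this hunk.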