From 16b7ba3488c1207d2229b0b51bfa709b80cf7a1f Mon Sep 17 00:00:00 2001
From: Benjamin Franzke <benjaminfranzke@googlemail.com>
Date: Wed, 30 Oct 2013 11:54:21 +0100
Subject: s4:dsdb/rootdse: Netlogon maybe requested with other attrs

MS AD allows netlogon requests to request other attributes,
as long as the search parameter is correct, e.g:
  ldapsearch -h 192.168.122.2 -x -b '' -s base \
    "(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))" \
    supportedLDAPPolicies netlogon

This also removes an old check that for requests having a
netlogon attribute returned zero elements.
This is not true, if there is a valid netlogon filter.

This patch is to be squashed into
"s4:dsdb/rootdse: Support netlogon request".
---
 source4/cldap_server/cldap_server.h |  3 ++-
 source4/cldap_server/netlogon.c     | 43 +++++++++++++++++++++++++++++++++++--
 2 files changed, 43 insertions(+), 3 deletions(-)

(limited to 'source4/cldap_server')

diff --git a/source4/cldap_server/cldap_server.h b/source4/cldap_server/cldap_server.h
index 995ceed3a2..181edbd176 100644
--- a/source4/cldap_server/cldap_server.h
+++ b/source4/cldap_server/cldap_server.h
@@ -56,6 +56,7 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				const char **domain_guid,
 				struct dom_sid **domain_sid,
 				int *acct_control,
-				int *version);
+				int *version,
+				bool filter_from_tree);
 
 #include "cldap_server/proto.h"
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index 0894b2bea7..a5c12df1fb 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -38,6 +38,7 @@
 #include "../lib/tsocket/tsocket.h"
 #include "libds/common/flag_mapping.h"
 #include "lib/util/util_net.h"
+#include "lib/ldb/include/ldb_module.h"
 
 /*
   fill in the cldap netlogon union for a given version
@@ -369,6 +370,21 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 	return NT_STATUS_OK;
 }
 
+/*
+  create a always matching node from a equality node
+ */
+static void set_parse_tree_true(struct ldb_parse_tree *tree)
+{
+	const char *attr = tree->u.equality.attr;
+	struct ldb_val value = tree->u.equality.value;
+
+	tree->operation = LDB_OP_EXTENDED;
+	tree->u.extended.attr = attr;
+	tree->u.extended.value = value;
+	tree->u.extended.rule_id = SAMBA_LDAP_MATCH_ALWAYS_TRUE;
+	tree->u.extended.dnAttributes = 0;
+}
+
 NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				struct loadparm_context *lp_ctx,
 				TALLOC_CTX *tmp_ctx,
@@ -378,7 +394,8 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				const char **domain_guid,
 				struct dom_sid **domain_sid,
 				int *acct_control,
-				int *version)
+				int *version,
+				bool filter_from_tree)
 {
 	unsigned int i;
 
@@ -400,11 +417,17 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 			*domain = talloc_strndup(tmp_ctx,
 						(const char *)t->u.equality.value.data,
 						t->u.equality.value.length);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "Host") == 0) {
 			*host = talloc_strndup(tmp_ctx,
 					      (const char *)t->u.equality.value.data,
 					      t->u.equality.value.length);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "DomainGuid") == 0) {
 			NTSTATUS enc_status;
@@ -413,6 +436,9 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 							  t->u.equality.value, &guid);
 			if (NT_STATUS_IS_OK(enc_status)) {
 				*domain_guid = GUID_string(tmp_ctx, &guid);
+				if (filter_from_tree) {
+					set_parse_tree_true(t);
+				}
 			}
 		}
 		if (strcasecmp(t->u.equality.attr, "DomainSid") == 0) {
@@ -429,19 +455,31 @@ NTSTATUS parse_netlogon_request(struct ldb_parse_tree *tree,
 				talloc_free(*domain_sid);
 				goto failed;
 			}
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "User") == 0) {
 			*user = talloc_strndup(tmp_ctx,
 					       (const char *)t->u.equality.value.data,
 					       t->u.equality.value.length);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "NtVer") == 0 &&
 		    t->u.equality.value.length == 4) {
 			*version = IVAL(t->u.equality.value.data, 0);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 		if (strcasecmp(t->u.equality.attr, "AAC") == 0 &&
 		    t->u.equality.value.length == 4) {
 			*acct_control = IVAL(t->u.equality.value.data, 0);
+			if (filter_from_tree) {
+				set_parse_tree_true(t);
+			}
 		}
 	}
 
@@ -480,7 +518,8 @@ void cldapd_netlogon_request(struct cldap_socket *cldap,
 
 	status = parse_netlogon_request(tree, cldapd->task->lp_ctx, tmp_ctx,
 					&domain, &host, &user, &domain_guid,
-					&domain_sid, &acct_control, &version);
+					&domain_sid, &acct_control, &version,
+					false);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto failed;
 	}
-- 
cgit