CLDAP fixes for:
https://fedorahosted.org/freeipa/ticket/3639

Should be pretty straightforward.
(pending testing)

Alexander,
please check they work for your 2012 setup too.


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 1b46d2eba3314dc1cc9ea65bebf5aaa4ba738290 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Thu, 23 May 2013 10:06:22 -0400
Subject: [PATCH 2/2] CLDAP: Return empty reply on non-fatal errors

Windows DCs return an empty reply when a legal request cannot be satisfied.
If we get EINVAL or ENOENT it means the information requested could not be found
or input parameters were bogus. Always return an empty reply in these cases.

On any other internal error just return, the request may have been legit but we
can't really handle it right now, pretend we never saw it and hope the next
attempt will succeed.

Fixes: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
index 307110c123c2d898c910371da9ebeb2edfa0f1b5..baa309d8761db5360f7bfe13731857dc2fe49785 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
@@ -264,7 +264,14 @@ static void ipa_cldap_process(struct ipa_cldap_ctx *ctx,
     LOG_TRACE("CLDAP Request received");
 
     ret = ipa_cldap_netlogon(ctx, req, &reply);
-    if (ret) {
+    switch (ret) {
+    case EINVAL:
+    case ENOENT:
+        /* bad request, return empty reply as windows does */
+        memset(&reply, 0, sizeof(struct berval));
+        break;
+    default:
+        /* internal error, just get out */
         goto done;
     }
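Review bot: The new `switch` has no arm for `ret == 0`, so a successful `ipa_cldap_netlogon()` call now lands in `default:` and jumps to `done`, and a valid reply is never sent; the old `if (ret)` did not have this problem. Add `case 0:` / `break;` before `case EINVAL:`. Zeroing `reply` in the EINVAL/ENOENT arm also assumes `ipa_cldap_netlogon()` leaves `reply` untouched on those error paths; if it had already set `reply.bv_val`, the memset would leak it, which is worth confirming against the callee. `ipa_cldap_process()` starts and ends outside this hunk.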
 
-- 
1.8.1.4

>From e9ce2ced13da7801065f57f244becfd4f8a1ab03 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Thu, 23 May 2013 10:04:11 -0400
Subject: [PATCH 1/2] CLDAP: Fix domain handling in netlogon requests

1. Stop using getdomainname() as it is often not properly initialized
2. The code using getdomainname() was not working anyway: it was trying to
look at the function call output in hostname, which is always empty at that
point.
3. Always check the requested domain matches our own, we cannot reply to
anything else anyway.

Pre-requisite to fix: https://fedorahosted.org/freeipa/ticket/3639

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 .../ipa-cldap/ipa_cldap_netlogon.c                 | 83 ++++++++++++----------
 1 file changed, 47 insertions(+), 36 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
index 180a067ff8d95f984bd91233f5fb5811c9e140b5..dda933d6d4df4f95c9b70f1bd62c329c788c3a6f 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
@@ -215,14 +215,14 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
                        struct berval *reply)
 {
     char hostname[MAXHOSTNAMELEN + 1]; /* NOTE: lenght hardcoded in kernel */
-    char domname[MAXHOSTNAMELEN + 1]; /* NOTE: lenght hardcoded in kernel */
+    char *host = NULL;
     char *domain = NULL;
     char *guid = NULL;
     char *sid = NULL;
     char *name = NULL;
     uint32_t ntver = 0;
     uint32_t t;
-    char *p;
+    char *dot;
     int ret;
     int len;
     int i;
@@ -295,52 +295,63 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
         goto done;
     }
 
-    /* If no domain is provide the client is asking for our own domain,
-     * read our own domain name from the system */
-    if (!domain) {
-        ret = getdomainname(domname, MAXHOSTNAMELEN);
-        if (ret == -1) {
-            ret = errno;
-            goto done;
-        }
-        domname[MAXHOSTNAMELEN] = '\0';
-        p = strchr(hostname, '.');
-        if (p) {
-            domain = strdup(p + 1);
-            if (!domain) {
-                ret = ENOMEM;
-                goto done;
-            }
-        }
-    }
-
-    /* FIXME: we support only NETLOGON_NT_VERSION_5EX for now */
-    if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
-        ret = EINVAL;
-        goto done;
-    }
-
-    ret = ipa_cldap_get_domain_entry(ctx, domain, &guid, &sid, &name);
-    if (ret) {
-        goto done;
-    }
-
+    /* TODO: get our own domain at plugin initialization, and avoid
+     * gethostname() */
     ret = gethostname(hostname, MAXHOSTNAMELEN);
     if (ret == -1) {
         ret = errno;
         goto done;
     }
+    /* Make double sure it is terminated */
     hostname[MAXHOSTNAMELEN] = '\0';
-    p = strchr(hostname, '.');
-    if (p) {
-        *p = '\0';
+    dot = strchr(hostname, '.');
+    if (!dot) {
+        /* this name is not fully qualified, therefore invalid */
+        ret = EINVAL;
+        goto done;
     }
+    *dot = '\0';
 
-    ret = ipa_cldap_encode_netlogon(hostname, domain,
+    /* this is the unqualified host name */
+    host = strdup(hostname);
+    if (!host) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* If a domain is provided, check it is our own.
+     * If no domain is provided the client is asking for our own domain. */
+    if (domain) {
+        ret = strcasecmp(domain, dot + 1);
+        if (ret != 0) {
+            ret = EINVAL;
+            goto done;
+        }
+    } else {
+        domain = strdup(dot + 1);
+        if (!domain) {
+            ret = ENOMEM;
+            goto done;
+        }
+    }
+
+    /* FIXME: we support only NETLOGON_NT_VERSION_5EX for now */
+    if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
+        ret = EINVAL;
+        goto done;
+    }
+
+    ret = ipa_cldap_get_domain_entry(ctx, domain, &guid, &sid, &name);
+    if (ret) {
+        goto done;
+    }
+
+    ret = ipa_cldap_encode_netlogon(host, domain,
                                     guid, sid, name,
                                     ntver, reply);
 
 done:
+    free(host);
     free(domain);
     free(guid);
     free(sid);
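Review bot: The domain check at `strcasecmp(domain, dot + 1)` accepts only requests whose domain equals the DNS suffix of `gethostname()`, so if the IPA domain differs from the host's DNS suffix (a host in a subdomain, say) every request naming the IPA domain is rejected with EINVAL; the TODO above already points at reading the configured domain at plugin init, and that value is what the comparison should use. A hostname ending in a dot also gets through: `dot + 1` is then the empty string and is strdup'd as the domain, so an `if (dot[1] == '\0') { ret = EINVAL; goto done; }` next to the `!dot` check would close that. As a minor ordering point, the `NETLOGON_NT_VERSION_5EX` check could precede the `gethostname()`/`strdup()` work so unsupported versions fail before any allocation. `ipa_cldap_netlogon()` begins and ends outside this hunk.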
-- 
1.8.1.4
