diff options
author | Samuel Cabrero <scabrero@suse.de> | 2022-05-23 14:11:24 +0200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-05-30 10:11:03 +0000 |
commit | c53efe8b48166a9ba7b42f37a7e9e712fba13486 (patch) | |
tree | 75568236fd95ba9db1587c218c9a856d15279c61 | |
parent | 5a4e0a40b424061c1e87028a591dd09578516311 (diff) | |
download | samba-c53efe8b48166a9ba7b42f37a7e9e712fba13486.tar.gz |
s3:libads: Clear previous CLDAP ping flags when reusing the ADS_STRUCT
Before commit 1d066f37b9217a475b6b84a935ad51fbec88fe04, when the LDAP
connection wasn't established yet (ads->ldap.ld == NULL), the
ads_current_time() function always allocated and initialized a new
ADS_STRUCT even when ads->ldap.ss had a good address after having called
ads_find_dc().
After that commit, when the ADS_STRUCT is reused and passed to the
ads_connect() call, ads_try_connect() may fail depending on the
contacted DC because ads->config.flags field can contain the flags
returned by the previous CLDAP call. For example, when having 5 DCs:
* 192.168.101.31 has PDC FSMO role
* 192.168.101.32
* 192.168.101.33
* 192.168.101.34
* 192.168.101.35
$> net ads info -S 192.168.101.35
net_ads_info()
ads_startup_nobind()
ads_startup_int()
ads_init()
ads_connect()
ads_try_connect(192.168.101.35)
check_cldap_reply_required_flags(returned=0xF1FC, required=0x0)
ads_current_time()
ads_connect()
ads_try_connect(192.168.101.35)
check_cldap_reply_required_flags(returned=0xF1FC, required=0xF1FC)
The check_cldap_reply_required_flags() call fails because
ads->config.flags contain the flags returned by the previous CLDAP call,
even when the returned and required values match because they have
different semantics:
if (req_flags & DS_PDC_REQUIRED)
RETURN_ON_FALSE(ret_flags & NBT_SERVER_PDC);
translates to:
if (0xF1FC & 0x80)
RETURN_ON_FALSE(0xF1FC & 0x01);
which returns false because 192.168.101.35 has no PDC FSMO role.
The easiest fix for now is to reset ads->config.flags in
ads_current_time() when reusing an ADS_STRUCT before calling
ads_connect(), but we should consider storing the required and returned
flags in different fields or at least use the same bitmap for them
because check_cldap_reply_required_flags() is checking a
netr_DsRGetDCName_flags value using the nbt_server_type bitmap.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14674
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 23 19:18:38 UTC 2022 on sn-devel-184
(cherry picked from commit a26f535dedc651afa2a25dd37113ac71787197ff)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Mon May 30 10:11:03 UTC 2022 on sn-devel-184
-rwxr-xr-x | source3/libads/ldap.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 647cdbd0459..6caeebe6037 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -3305,6 +3305,13 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads) goto done; } } + + /* + * Reset ads->config.flags as it can contain the flags + * returned by the previous CLDAP ping when reusing the struct. + */ + ads_s->config.flags = 0; + ads_s->auth.flags = ADS_AUTH_ANON_BIND; status = ads_connect( ads_s ); if ( !ADS_ERR_OK(status)) |