Bug 967870
Summary: | Inconsistent replies from FreeIPA to Netlogon ping queries | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 6.6 | CC: | abokovoy, lnovich, mkosek, rcritten, rmeggins, sbose, sgoveas, ssorce, stefw |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-3.0.0-31.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: An Identity Management server with Active Directory integration support configured replies to NetLogon queries differently than Active Directory does.
Consequence: At least the following differences in behavior from Active Directory are present:
* No response to a NetLogon query when querying over TCP-based LDAP.
* Does not respond when DnsDomain is not present in the query.
* Does not return an LDAP_RES_SEARCH_RESULT to the sender when the query does not match; it just hangs.
These differences may cause errors in tools sending the NetLogon queries.
Fix: Fix the NetLogon query responder.
Result: The above mentioned issues in NetLogon replies are no longer present.
|
Story Points: | --- |
Clone Of: | 967869 | Environment: | |
Last Closed: | 2013-11-21 20:53:32 UTC | Type: | Bug |
Bug Depends On: | 966504, 967869, 970024 | ||
Bug Blocks: |
Description
Dmitri Pal
2013-05-28 12:57:01 UTC
Fixed upstream:

master:
1e224c2ea021f546aea83d56779268ca2e099c89 CLDAP: Return empty reply on non-fatal errors
b402b6d553bc4b19697bdcc7dab30cbc18971e28 CLDAP: Fix domain handling in netlogon requests

ipa-3-2:
2dd96732e157200742f45b42b9d932aa499a656a CLDAP: Return empty reply on non-fatal errors
c5d3f984216a3ee96c62bd1f0dcfc60fe80b34fa CLDAP: Fix domain handling in netlogon requests

ipa-3-1:
1657b1ed6c8c57638162f825d43fc684237f382f CLDAP: Return empty reply on non-fatal errors
2d6eb08c835e38d5b1d5142e0c19007018d1e719 CLDAP: Fix domain handling in netlogon requests

Additional fix upstream to avoid hang when just one CLDAP query filter component is used:

master: https://fedorahosted.org/freeipa/changeset/b21abc76caac8b251f708e77da7c8c7046fa22a7
ipa-3-2: https://fedorahosted.org/freeipa/changeset/848f4bc16d6d253045265f71669f6346819f4108
ipa-3-1: https://fedorahosted.org/freeipa/changeset/4f8cce7ba114cc13aceecfab3420c63cb26342fa

Verified in version

```
[root@dhcp207-85 ~]# rpm -q ipa-server
ipa-server-3.0.0-37.el6.x86_64
```

* ipa-adtrust-install to activate the CLDAP plugin of the directory server

```
[root@dhcp207-85 ~]# ipa-adtrust-install -a Secret123 --netbios-name TESTRELM -U
```

* Successful query with DnsDomain

```
[root@dhcp207-85 ~]# ldapsearch -LL -H cldap://dhcp207-85.testrelm.com -b "" -s base '(&(DnsDomain=testrelm.com)(NtVer=\06\00\00\00))' NetLogon
version: 1

dn:
netlogon:: FwAAAP0DAABzhtTFRu+nTqARu8fDKlvQCHRlc3RyZWxtA2NvbQDAGApkaGNwMjA3LTg
 1wBgIVEVTVFJFTE0ADFxcREhDUDIwNy04NQAAF0RlZmF1bHQtRmlyc3QtU2l0ZS1OYW1lAMBOEAIA
 AAB/AAABAAAAAAAAAAAABQAAAP////8=
```

* Successful query against IPA without DnsDomain and does not hang

```
[root@dhcp207-85 ~]# ldapsearch -LL -H cldap://dhcp207-85.testrelm.com -b "" -s base '(&(NtVer=\06\00\00\00))' NetLogon
version: 1

dn:
netlogon:: FwAAAP0DAABzhtTFRu+nTqARu8fDKlvQCHRlc3RyZWxtA2NvbQDAGApkaGNwMjA3LTg
 1wBgIVEVTVFJFTE0ADFxcREhDUDIwNy04NQAAF0RlZmF1bHQtRmlyc3QtU2l0ZS1OYW1lAMBOEAIA
 AAB/AAABAAAAAAAAAAAABQAAAP////8=
```

* Query with invalid DnsDomain, does not hang

```
[root@dhcp207-85 ~]# ldapsearch -LL -H cldap://dhcp207-85.testrelm.com -b "" -s base '(&(DnsDomain=blah.com))' NetLogon
version: 1

[root@dhcp207-85 ~]#
```

* Does not hang on LDAP from IPA to query that was successful via CLDAP

```
[root@dhcp207-85 ~]# ldapsearch -LL -x -H ldap://dhcp207-85.testrelm.com -w Secret123 -b "" -s base '(&(DnsDomain=testrelm.com)(NtVer=\06\00\00\00))' NetLogon
version: 1

[root@dhcp207-85 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1651.html
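The `netlogon::` value returned by the successful queries above is a base64-encoded NETLOGON_SAM_LOGON_RESPONSE_EX structure. The Python decoder below is an added example, not part of the bug report or of FreeIPA's code; the dict key names and the trailer layout it assumes (a socket-address block and one empty name before NtVersion) are this example's own, read off that sample value.

```python
import base64
import ipaddress
import struct

# netlogon value from the successful queries on this page (lines joined).
NETLOGON_B64 = (
    "FwAAAP0DAABzhtTFRu+nTqARu8fDKlvQCHRlc3RyZWxtA2NvbQDAGApkaGNwMjA3LTg"
    "1wBgIVEVTVFJFTE0ADFxcREhDUDIwNy04NQAAF0RlZmF1bHQtRmlyc3QtU2l0ZS1OYW1lAMBOEAIA"
    "AAB/AAAB" + "AAAA" * 3 + "BQAAAP////8="  # twelve "A"s written as a repeat
)
NAME_FIELDS = ("forest", "dns_domain", "dns_host", "nb_domain", "nb_host", "user", "dc_site", "client_site")

def read_name(buf, pos, depth=0):
    """Read one DNS-style compressed name; return (name, next_pos)."""
    labels = []
    while True:
        length = buf[pos]
        if length == 0:
            return ".".join(labels), pos + 1
        if length >= 0xC0:  # compression pointer
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos or depth > 8:  # backwards only, bounded nesting
                raise ValueError("bad compression pointer")
            tail, _ = read_name(buf, target, depth + 1)
            return ".".join(labels + ([tail] if tail else [])), pos + 2
        if length > 63:
            raise ValueError("bad label length")
        labels.append(buf[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def parse_netlogon(raw):
    """Decode a NETLOGON_SAM_LOGON_RESPONSE_EX blob into a dict."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", raw, 0)
    if opcode != 0x17:
        raise ValueError("unexpected opcode %#x" % opcode)
    out = {"flags": flags}
    pos = 24  # the 16-byte DomainGuid at offset 8 is skipped here
    for field in NAME_FIELDS:
        out[field], pos = read_name(raw, pos)
    # Assumed trailer, as in this sample: sockaddr block, one empty name.
    size = raw[pos]
    if size >= 8:
        out["dc_addr"] = str(ipaddress.IPv4Address(raw[pos + 5:pos + 9]))
    _site, pos = read_name(raw, pos + 1 + size)
    out["nt_version"], out["lm_nt_token"], out["lm20_token"] = struct.unpack_from("<IHH", raw, pos)
    return out

if __name__ == "__main__":
    print(parse_netlogon(base64.b64decode(NETLOGON_B64)))
```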