From 0a0d0f66409eb83e06b7dc50543c2f6c15a36bc4 Mon Sep 17 00:00:00 2001
From: Alexey A Nikitin <nikitin@amazon.com>
Date: Mon, 29 Oct 2018 20:40:36 -0700
Subject: [PATCH] Make 'adcli info' DC location mechanism more compliant with
[MS-ADTS] and [MS-NRPC]
AD specifications say that DC locator must attempt to find a suitable DC for the client. That means going through all of the DCs in SRV RRs one by one until one of them answers.
The problem with adcli's original behavior is that it queries only five DCs from SRV, ever. This becomes a problem if for any reason there is a large number of DCs in the domain from which the client cannot get a CLDAP response.
---
library/addisco.c | 146 +++++++++++++++++++++++++++++-----------------
1 file changed, 94 insertions(+), 52 deletions(-)
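diff --git a/library/addisco.c b/library/addisco.c
index 8cc5bf0..6e73ead 100644
--- a/library/addisco.c
+++ b/library/addisco.c
@@ -41,8 +41,10 @@
 #include <string.h>
 #include <time.h>
 
-/* Number of servers to do discovery against */
-#define DISCO_COUNT 5
+/* Number of servers to do discovery against.
+ * For AD DS maximum number of DCs is 1200.
+ */
+#define DISCO_COUNT 1200
 
 /* The time period in which to do rapid requests */
 #define DISCO_FEVER 1
@@ -453,6 +455,51 @@ parse_disco (LDAP *ldap,
 return usability;
 }
 
+static int
+ldap_disco_poller (LDAP **ldap,
+ LDAPMessage **message,
+ adcli_disco **results,
+ const char **addrs)
+{
+ int found = ADCLI_DISCO_UNUSABLE;
+ int close_ldap;
+ int parsed;
+ int ret = 0;
+ struct timeval tvpoll = { 0, 0 };
+
+ switch (ldap_result (*ldap, LDAP_RES_ANY, 1, &tvpoll, message)) {
+ case LDAP_RES_SEARCH_ENTRY:
+ case LDAP_RES_SEARCH_RESULT:
+ parsed = parse_disco (*ldap, *addrs, *message, results);
+ if (parsed > found)
+ found = parsed;
+ ldap_msgfree (*message);
+ close_ldap = 1;
+ break;
+ case -1:
+ ldap_get_option (*ldap, LDAP_OPT_RESULT_CODE, &ret;;
+ close_ldap = 1;
+ break;
+ default:
+ ldap_msgfree (*message);
+ close_ldap = 0;
+ break;
+ }
+
+ if (ret != LDAP_SUCCESS) {
+ _adcli_ldap_handle_failure (*ldap, ADCLI_ERR_CONFIG,
+ "Couldn't perform discovery search");
+ }
+
+ /* Done with this connection */
+ if (close_ldap) {
+ ldap_unbind_ext_s (*ldap, NULL, NULL);
+ *ldap = NULL;
+ }
+
+ return found;
+}
+
 static int
 ldap_disco (const char *domain,
 srvinfo *srv,
@@ -477,6 +524,7 @@ ldap_disco (const char *domain,
 int num, i;
 int ret;
 int have_any = 0;
+ struct timeval interval;
 
 if (domain) {
 value = _adcli_ldap_escape_filter (domain);
@@ -540,7 +588,6 @@ ldap_disco (const char *domain,
 version = LDAP_VERSION3;
 ldap_set_option (ldap[num], LDAP_OPT_PROTOCOL_VERSION, &version);
 ldap_set_option (ldap[num], LDAP_OPT_REFERRALS , 0);
- _adcli_info ("Sending netlogon pings to domain controller: %s", url);
 addrs[num] = srv->hostname;
 have_any = 1;
 num++;
@@ -555,70 +602,65 @@ ldap_disco (const char *domain,
 freeaddrinfo (res);
 }
 
- /* Wait for the first response. Poor mans fd watch */
- for (started = now = time (NULL);
- have_any && found != ADCLI_DISCO_USABLE && now < started + DISCO_TIME;
- now = time (NULL)) {
+ /* Initial send and short time wait */
+ interval.tv_sec = 0;
+ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
+ int parsed;
+
+ if (NULL == ldap[i])
+ continue;
 
- struct timeval tvpoll = { 0, 0 };
- struct timeval interval;
+ have_any = 1;
+ _adcli_info ("Sending NetLogon ping to domain controller: %s", addrs[i]);
 
- /* If in the initial period, send feverishly */
- if (now < started + DISCO_FEVER) {
- interval.tv_sec = 0;
- interval.tv_usec = 100 * 1000;
+ ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
+ filter, attrs, 0, NULL, NULL, NULL,
+ -1, &msgidp);
+
+ if (ret != LDAP_SUCCESS) {
+ _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
+ "Couldn't perform discovery search");
+ ldap_unbind_ext_s (ldap[i], NULL, NULL);
+ ldap[i] = NULL;
+ }
+
+ /* From https://msdn.microsoft.com/en-us/library/ff718294.aspx first
+ * five DCs are given 0.4 seconds timeout, next five are given 0.2
+ * seconds, and the rest are given 0.1 seconds
+ */
+ if (i < 5) {
+ interval.tv_usec = 400000;
+ } else if (i < 10) {
+ interval.tv_usec = 200000;
 } else {
- interval.tv_sec = 1;
- interval.tv_usec = 0;
+ interval.tv_usec = 100000;
 }
+ select (0, NULL, NULL, NULL, &interval);
+
+ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
+ if (parsed > found)
+ found = parsed;
+ }
+
+ /* Wait some more until LDAP timeout (DISCO_TIME) */
+ for (started = now = time (NULL);
+ have_any && ADCLI_DISCO_UNUSABLE == found && now < started + DISCO_TIME;
+ now = time (NULL)) {
 
 select (0, NULL, NULL, NULL, &interval);
 
 have_any = 0;
- for (i = 0; found != ADCLI_DISCO_USABLE && i < num; i++) {
- int close_ldap;
+ for (i = 0; ADCLI_DISCO_UNUSABLE == found && i < num; ++i) {
 int parsed;
 
 if (ldap[i] == NULL)
 continue;
 
- ret = 0;
 have_any = 1;
- switch (ldap_result (ldap[i], LDAP_RES_ANY, 1, &tvpoll, &message)) {
- case LDAP_RES_SEARCH_ENTRY:
- case LDAP_RES_SEARCH_RESULT:
- parsed = parse_disco (ldap[i], addrs[i], message, results);
- if (parsed > found)
- found = parsed;
- ldap_msgfree (message);
- close_ldap = 1;
- break;
- case 0:
- ret = ldap_search_ext (ldap[i], "", LDAP_SCOPE_BASE,
- filter, attrs, 0, NULL, NULL, NULL,
- -1, &msgidp);
- close_ldap = (ret != 0);
- break;
- case -1:
- ldap_get_option (ldap[i], LDAP_OPT_RESULT_CODE, &ret;;
- close_ldap = 1;
- break;
- default:
- ldap_msgfree (message);
- close_ldap = 0;
- break;
- }
-
- if (ret != LDAP_SUCCESS) {
- _adcli_ldap_handle_failure (ldap[i], ADCLI_ERR_CONFIG,
- "Couldn't perform discovery search");
- }
 
- /* Done with this connection */
- if (close_ldap) {
- ldap_unbind_ext_s (ldap[i], NULL, NULL);
- ldap[i] = NULL;
- }
+ parsed = ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]));
+ if (parsed > found)
+ found = parsed;
 }
 }
 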
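Review bot: In the new initial-send loop, when ldap_search_ext fails the code unbinds and sets `ldap[i] = NULL` but then still falls through to the select wait and to `ldap_disco_poller (&(ldap[i]), &message, results, &(addrs[i]))`, which passes that NULL handle straight into ldap_result; the failure branch should end with `continue;` right after `ldap[i] = NULL;`, as the second loop already does for NULL slots. With that guard in place a run where every search fails would reach the second loop's `select (0, NULL, NULL, NULL, &interval)` with `interval.tv_usec` never assigned (only `interval.tv_sec = 0;` is set before the loop), so initialize both fields there, e.g. `interval.tv_sec = 0; interval.tv_usec = 100000;`. Both loops now stop at the first result that is not ADCLI_DISCO_UNUSABLE, whereas the removed condition kept polling until ADCLI_DISCO_USABLE; if an intermediate usability level exists, this accepts it even when a fully usable DC would have answered within DISCO_TIME, which deserves a comment stating that it is intended. The `&ret;;` in the poller's `case -1:` looks like a rendering artifact of `&ret);` rather than a defect in the commit itself. ldap_disco begins before this hunk and continues after it.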
--
2.26.2