> This appears to affect adcli version 0.9.1-1ubuntu2 that comes with Ubuntu 22.04 LTS, as an
> attempt on Ubuntu 20.04 LTS (with adcli version 0.9.0-1ubuntu0.20.04.1) works as expected.
Turns out focal is also affected, but you didn't capture it in your network sniffer, or by the iptables block, because in focal openldap has CLDAP support (connection-less ldap), which means said NetLogon ping happens via UDP:
root@f-adcli-realmd:~# adcli join --verbose --use-ldaps INTERNAL.EXAMPLE.FAKE
* Using domain name: INTERNAL.EXAMPLE.FAKE
* Calculated computer account name from fqdn: F-ADCLI-REALMD
* Calculated domain realm from name: INTERNAL.EXAMPLE.FAKE
* Discovering domain controllers: _ldap._tcp.INTERNAL.EXAMPLE.FAKE
* Sending NetLogon ping to domain controller: win-kriet1e5elo.internal.example.fake
* Received NetLogon info from: WIN-KRIET1E5ELO.internal.example.fake
* Using LDAPS to connect to win-kriet1e5elo.internal.example.fake
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-6keyvY/krb5.d/adcli-krb5-conf-0PSljW
! Couldn't authenticate as machine account: F-ADCLI-REALMD: Client 'F-ADCLI-REALMD$@INTERNAL.EXAMPLE.FAKE' not found in Kerberos database
Password for <email address hidden>:
root@f-adcli-realmd:~# tcpdump -i any -n -p port 389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
20:22:52.902443 IP 10.0.16.12.56068 > 10.0.16.5.389: UDP, length 89
20:22:52.902920 IP 10.0.16.5.389 > 10.0.16.12.56068: UDP, length 205
I will file an issue with adcli upstream, because it will fall back[1] to "ldap" (instead of "ldaps" if --use-ldaps was given) if CLDAP is not supported.
For what it's worth, the NetLogon ping/discovery is this type of query, and it seems to work fine via ldaps:
root@j-adcli-realmd:~# ldapsearch -o ldif_wrap=no -x -LLL -s base -b "" -H ldaps://WIN-KRIET1E5ELO.internal.example.fake '(&(DnsDomain=INTERNAL.EXAMPLE.FAKE)(NtVer=\06\00\00\02))' NetLogon
dn:
netlogon:: FwAAAP3zAwBx2l+9Hl8GSramUWvHAA/iCGludGVybmFsB2V4YW1wbGUEZmFrZQDAGA9XSU4tS1JJRVQxRTVFTE/AGApJTlRFWEFNUExFAA9XSU4tS1JJRVQxRTVFTE8AABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAYQUAAAD/////
1. https://gitlab.freedesktop.org/realmd/adcli/-/blob/master/library/addisco.c#L543
2. https://gitlab.freedesktop.org/realmd/adcli/-/blob/master/library/addisco.c#L563
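The netlogon value returned by that query is a base64-encoded NETLOGON_SAM_LOGON_RESPONSE_EX structure (opcode 0x17). As an added example (not part of this bug report or of adcli), the Python below decodes the value from the ldapsearch output above into its fields, so you can see exactly what the discovery ping hands back: DC host name, domain, site names and capability flags. It assumes the reply carries no DcSockAddr field (the NtVer in the query above did not request one) and decodes only a subset of the well-known flag bits.

```python
import base64
import struct
import uuid

# Constructed sample input: the "netlogon::" value from the ldapsearch output
# in the comment above, with the line-wrapping spaces removed.
NETLOGON_B64 = (
    "FwAAAP3zAwBx2l+9Hl8GSramUWvHAA/iCGludGVybmFsB2V4YW1wbGUEZmFrZQDAGA9XSU4tS1JJ"
    "RVQxRTVFTE/AGApJTlRFWEFNUExFAA9XSU4tS1JJRVQxRTVFTE8AABdEZWZhdWx0LUZpcnN0LVNp"
    "dGUtTmFtZQDAYQUAAAD/////"
)

# Subset of the DsGetDcName capability bits carried in the Flags field.
FLAG_BITS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
             0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE"}

def _read_name(buf, pos):
    """Read an RFC 1035-style compressed name at pos; return (name, pos after it)."""
    labels, end = [], None
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:        # 2-byte pointer to a name seen earlier
            if end is None:              # the field itself ends after the pointer
                end = pos + 2
            pos = struct.unpack_from(">H", buf, pos)[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:                  # empty label terminates the name
            break
        labels.append(buf[pos:pos + length].decode("utf-8"))
        pos += length
    return ".".join(labels), (pos if end is None else end)

def parse_netlogon_response(b64):
    """Decode a LOGON_SAM_LOGON_RESPONSE_EX (opcode 0x17) that has no DcSockAddr."""
    buf = base64.b64decode(b64)
    opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
    if opcode != 0x17:
        raise ValueError("unexpected NetLogon opcode %#x" % opcode)
    out = {"flags": flags,
           "flag_names": [n for b, n in FLAG_BITS.items() if flags & b],
           "domain_guid": str(uuid.UUID(bytes_le=buf[8:24]))}
    pos = 24                              # names follow the 16-byte DomainGuid
    for field in ("dns_forest", "dns_domain", "dns_host", "netbios_domain",
                  "netbios_host", "user", "dc_site", "client_site"):
        out[field], pos = _read_name(buf, pos)
    out["nt_version"], out["lmnt_token"], out["lm20_token"] = \
        struct.unpack_from("<IHH", buf, pos)
    return out
```

Running parse_netlogon_response(NETLOGON_B64) on the value above yields the DC WIN-KRIET1E5ELO.internal.example.fake in site Default-First-Site-Name with PDC, GC, LDAP, DS and KDC among its flags.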