dsdb subnets: warn when an IPv6 address is in IPv4 embedding range
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Tue, 22 Dec 2015 23:44:31 +0000 (12:44 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 24 Dec 2015 06:16:25 +0000 (07:16 +0100)
We fail on these ones, and it isn't immediately obvious why. Windows
also fails on *most* of them, but succeeds on "::ffff:0:0" which is a
bit strange but there you go.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 24 07:16:25 CET 2015 on sn-devel-144

source4/dsdb/samdb/ldb_modules/samldb.c
source4/dsdb/tests/python/sites.py

index 91e9625bf40231de72615f52ee4116763992ad59..b9b57db88826da9bc733794f8cfe988757ed210d 100644 (file)
@@ -2753,6 +2753,17 @@ static int check_address_roundtrip(const char *address, int family,
        if (strcasecmp(address, address_redux) != 0){
                DBG_INFO("Address %s round trips to %s; fail!\n",
                         address, address_redux);
+               /* If the address family is IPv6, and the address is in a
+                  certain range
+
+                */
+               if (strchr(address_redux, '.') != NULL){
+                       DEBUG(0, ("The IPv6 address '%s' has the misfortune of "
+                                 "lying in a range that was once used for "
+                                 "IPv4 embedding (that is, it might also be "
+                                 "represented as '%s').\n", address,
+                                 address_redux));
+               }
                return -1;
        }
        return 0;
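Review bot: The added `strchr(address_redux, '.')` test in check_address_roundtrip never consults `family`, so an IPv4 address that fails the round trip (if one can reach this branch) would be reported as an IPv6 address in the embedding range; `if (family == AF_INET6 && strchr(address_redux, '.') != NULL){` keeps the message accurate. The comment above the test stops mid-sentence at `certain range` and should either be finished, for example `/* An IPv6 address that stringifies with a dotted-quad tail lies in an IPv4 embedding range; say so, because the rejection is otherwise hard to diagnose. */`, or be dropped. The message is logged with `DEBUG(0, ...)` while the line before it uses `DBG_INFO`, and the address text appears to come from the subnet name being added, so whoever can submit such names can write attacker-chosen text to the log at the default level; `DBG_WARNING(...)` would be more in keeping with the surrounding code. The function starts outside this hunk, so the origin of `address` is inferred from the commit title, not seen.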
index 1714ff814c7deaad33681579bc1b58dde2f8b551..acbf1c126f8cf0c8fca0041d3a8eb5abf37ed324 100755 (executable)
@@ -301,7 +301,33 @@ class SimpleSubnetTests(SitesBaseTests):
             # IP4 embedded - rejected
             "a::10.0.0.0/120",
             "a::10.9.8.7/128",
+
+            # The next ones tinker indirectly with IPv4 embedding,
+            # where Windows has some odd behaviour.
+            #
+            # Samba's libreplace inet_ntop6 expects IPv4 embedding
+            # with addresses in these forms:
+            #
+            #     ::wx:yz
+            #     ::FFFF:wx:yz
+            #
+            # these will be stringified with trailing dottted decimal, thus:
+            #
+            #     ::w.x.y.z
+            #     ::ffff:w.x.y.z
+            #
+            # and this will cause the address to be rejected by Samba,
+            # because it uses a inet_pton / inet_ntop round trip to
+            # ascertain correctness.
+
             "::ffff:0:0/96", #this one fails on WIN2012r2
+            "::ffff:aaaa:a000/120",
+            "::ffff:10:0/120",
+            "::ffff:2:300/120",
+            "::3:0/120",
+            "::2:30/124",
+            "::ffff:2:30/124",
+
             # completely wrong
             None,
             "bob",
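Review bot: The inline note `#this one fails on WIN2012r2` on `"::ffff:0:0/96"` is ambiguous now that the new block explains the rejection logic: the commit message says Windows accepts this address, so "fails" presumably means the test fails there, not that Windows rejects the subnet. A wording such as `# Windows 2012R2 accepts this one, so this test fails against it` would remove the doubt. The added comment also has two small slips, `dottted decimal` for `dotted decimal` and `a inet_pton / inet_ntop round trip` for `an inet_pton / inet_ntop round trip`. The enclosing list and test method start outside the hunk.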
@@ -443,6 +469,12 @@ class SimpleSubnetTests(SitesBaseTests):
             "10:0:0:42::/64",
             "1::4:5:0:0:8/127",
             "2001:db8:0:1:1:1:1:1/128",
+
+            # The "well-known prefix" 64::ff9b is another IPv4
+            # embedding scheme. Let's try that.
+            "64:ff9b::aaaa:aaaa/127",
+            "64:ff9b::/120",
+            "64:ff9b::ffff:2:3/128",
         ]
         failures = []