From 24dc8ef1749b77c21031465c1c77dd7ec2508163 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 24 Oct 2024 16:52:46 +0200
Subject: [PATCH] param: Add "client netlogon ping protocol"

Allow "net ads join" in environments where UDP/389 is blocked.

Code will follow.

Signed-off-by: Volker Lendecke
Reviewed-by: Stefan Metzmacher
---
 .../security/clientnetlogonpingprotocol.xml | 30 +++++++++++++++++++
 lib/param/loadparm.h                        |  8 +++++
 lib/param/param_table.c                     |  8 +++++
 3 files changed, 46 insertions(+)
 create mode 100644 docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml

diff --git a/docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml b/docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml
new file mode 100644
index 00000000000..a616c7b0113
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml
@@ -0,0 +1,30 @@
+
+
+ This option controls the protocol Samba uses to issue netlogon
+ ping requests. This is normally done via connectionless ldap, but
+ some installations require LDAPS over TCP port 636 for this.
+
+
+ Possible values are :
+
+
+ CLDAP
+
+
+ LDAP
+
+
+ LDAPS
+
+
+ STARTTLS
+
+
+
+
+CLDAP
+
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 7e9e5d2da3f..32788e37391 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -265,6 +265,14 @@ enum acl_claims_evaluation {
 	ACL_CLAIMS_EVALUATION_NEVER
 };
 
+/* Controlling the protocol for netlogon ping */
+enum client_netlogon_ping_protocol {
+	CLIENT_NETLOGON_PING_CLDAP,
+	CLIENT_NETLOGON_PING_LDAP,
+	CLIENT_NETLOGON_PING_LDAPS,
+	CLIENT_NETLOGON_PING_STARTTLS
+};
+
 /*
  * Default passwd chat script.
  */
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 229585b2807..f2a5a7ec40d 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
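Review bot: The comment above the new `enum client_netlogon_ping_protocol` in lib/param/loadparm.h does not record which smb.conf option it backs or that its constants must stay aligned with the string table of the same name added to lib/param/param_table.c, so a later transport addition has to rediscover both by grep. I'd expand it to `/* Transport for netlogon ping requests; backs "client netlogon ping protocol". Keep in sync with enum_client_netlogon_ping_protocol in param_table.c. */`. Nothing in this commit reads the enum yet, which the commit message ("Code will follow") presents as intentional, so the consumer that selects between the plain and TLS transports is outside this view.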
@@ -449,6 +449,14 @@ static const struct enum_list enum_acl_claims_evaluation[] = {
 	{-1, NULL}
 };
 
+static const struct enum_list enum_client_netlogon_ping_protocol[] = {
+	{CLIENT_NETLOGON_PING_CLDAP, "cldap"},
+	{CLIENT_NETLOGON_PING_LDAP, "ldap"},
+	{CLIENT_NETLOGON_PING_LDAPS, "ldaps"},
+	{CLIENT_NETLOGON_PING_STARTTLS, "starttls"},
+	{-1, NULL}
+};
+
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
  *
  * NOTE: Handling of duplicated (synonym) parameters:
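Review bot: The string forms in `enum_client_netlogon_ping_protocol` are lowercase (`"cldap"`, `"ldap"`, `"ldaps"`, `"starttls"`) while the smb.conf documentation added in the same commit lists the values as `CLDAP`, `LDAP`, `LDAPS` and `STARTTLS`. If enum parameters are matched case-insensitively — Samba's enum parsing compares with strwicmp as far as I recall, but that code is not in this hunk — the mismatch is harmless; a one-line comment on the table, `/* Matched case-insensitively; documented as CLDAP/LDAP/LDAPS/STARTTLS */`, would spare the next reader that check. The entry order mirrors the enum declared in lib/param/loadparm.h, though a name lookup over this table does not depend on it.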