Bug 1024788
| Field | Value |
|---|---|
| Summary | samba has trouble joining Active Directory via IPv6 |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Patrik Kis <pkis> |
| Component | samba |
| Assignee | Guenther Deschner <gdeschner> |
| Status | CLOSED ERRATA |
| QA Contact | Robin Hack <rhack> |
| Severity | high |
| Priority | urgent |
| Version | 7.0 |
| CC | asn, ccb, dpal, gdeschner, jherrman, jscotka, ksrot, pkis, rmainz, sbose, sowmya.manjanatha, vasimkachhi |
| Target Milestone | rc |
| Keywords | ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | samba-4.1.1-32.el7 |
| Doc Type | Bug Fix |
| Doc Text | Prior to this update, a bug prevented the Samba utility from connecting to a Windows Active Directory (AD) when the server operated on both the IPv4 and IPv6 protocols and the client operated only on IPv6. As a consequence, Samba sometimes failed to join a Windows domain network. With this update, the described bug has been fixed and Samba can now join Windows domain networks as intended. |
| Story Points | --- |
| Last Closed | 2015-03-05 09:21:48 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1086308, 1094292 |
We are still working on the patchset. It isn't finished yet. The issue is more complex :)

We are seeing the same issue as in this description. Is there a date when the patchset may be available? Is there a workaround in the interim?

Andreas - Sowmya is a talented networking developer and she can help get this sorted out. We have a full IPv6 and AD infrastructure in place. We'd like to not duplicate effort, so if you can provide diffs for work in progress we can help you get this wrapped up. Thanks.

I was able to join the domain finally with changes in a couple of places:

1) In source3/libsmb/namequery.c: resolve_name(...., prefer_ipv4). I think from at least 3 places, prefer_ipv4 was set to true, which was causing resolve_name to never return IPv6 DC addresses. For now, I have hardcoded prefer_ipv4 to false inside the resolve_name function. Setting this to false doesn't seem to affect IPv4 connectivity, as setting it to false will force this function to return all addresses. This got me past the "No logon servers" issue.

2) The other place was in source3/libads/kerberos.c: in print_kdc_line, before my change above it was failing with a "Cannot resolve...." error. Once I did the resolve_name change, I kept getting a "Cannot contact any KDC in requested realm" error. After many wireshark traces, I found that the "net ads join" command was sending kerberos authentication to port 445. 445 is the "SMB over TCP" port and kerberos usually runs on port 88. I had checked many times that dig srv _kerberos._tcp.<domainname> was returning the port correctly, but in the /var/cache/samba/smb_krb5/krb5.conf.<DOMAIN> file it was set to port 445. I basically did the same logic as was done for the AF_INET case in this function, i.e. return a kdc string with no port but just the kdc_name. That helped me join the domain.

The main problem with item 2 is that we are trying to derive the kerberos port from get_sockaddr_port, which is picking up the sockaddr for whatever is the current or the previous connection. In this case, I believe the last connection state had the "SMB over TCP" port. I think the correct fix would be to do a dns resolution for the service record, maybe using "resolve_ads" with KDC_NAME_TYPE or maybe some other lightweight dns resolver function, or derive it from the smb.conf file if "krb5 port" is set. Currently, it also seems like setting "krb5 port" is useless. Samba does not honor this setting, at least not for ipv6. I haven't tested ipv4 with this setting.

Thank you for the very good analysis. A patch addressing the issue has been pushed to the Samba upstream repository (https://git.samba.org/?p=samba.git;a=commitdiff;h=168627e1877317db86471a4b0360dccd9f469aaa) and will be part of the next Samba RHEL7 build.

It looks much better. I covered this in manual tests.

This fix is broken by the fix from bug 1082653.
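As an added worked example (not Samba code and not from anyone in this thread), the following Python models the two points made in the analysis above: the KDC entries for a realm should come from the _kerberos._tcp SRV data and the address families the client can actually use, not from the port of whichever SMB connection was open last, and an IPv6 KDC with a non-default port can be written as [addr]:port without a reverse lookup. The SRV record, the address map and the two krb5.conf fragments are constructed for the example; the DC name sec-ad1.ad.baseos.qe and its two addresses are the ones visible in the logs of this report. The audit function flags exactly the symptom described: a kdc line that ended up with port 445.

```python
"""Build and sanity-check krb5 'kdc =' entries for an AD realm.

Added example for this bug report; not Samba code. It models deriving the
KDC from SRV data (not from the last SMB socket) and writing IPv6 KDCs
with a non-default port in bracketed form.
"""
import ipaddress

KRB5_DEFAULT_PORT = 88
SMB_PORT = 445  # the port the broken krb5.conf.<DOMAIN> ended up with

# Constructed sample data standing in for DNS answers. The DC name and the
# two addresses appear in this report's logs; the SRV record is made up.
SAMPLE_SRV = [
    # (priority, weight, port, target) for _kerberos._tcp.ad.baseos.qe
    (0, 100, 88, "sec-ad1.ad.baseos.qe."),
]
SAMPLE_ADDRS = {
    "sec-ad1.ad.baseos.qe.": ["2620:52:0:2223::1:1", "10.34.37.22"],
}


def kdc_value(addr, port):
    """Format one 'kdc =' value; brackets are only needed when a port follows an IPv6 address."""
    if port == KRB5_DEFAULT_PORT:
        return addr
    if ipaddress.ip_address(addr).version == 6:
        return f"[{addr}]:{port}"
    return f"{addr}:{port}"


def kdc_values_from_srv(srv, addrs, have_ipv4=True, have_ipv6=True):
    """Derive kdc values from SRV data, keeping only address families the client can use.

    An IPv6-only client (have_ipv4=False) never gets an A record handed to it,
    which is the situation this report is about.
    """
    values = []
    for _prio, _weight, port, target in sorted(srv):
        for addr in addrs.get(target, []):
            version = ipaddress.ip_address(addr).version
            if (version == 4 and have_ipv4) or (version == 6 and have_ipv6):
                values.append(kdc_value(addr, port))
    return values


def realm_stanza(realm, kdc_values):
    """Render a [realms] stanza in the layout Samba writes to krb5.conf.<DOMAIN>."""
    lines = ["[realms]", f"\t{realm} = {{"]
    lines += [f"\t\tkdc = {v}" for v in kdc_values]
    lines.append("\t}")
    return "\n".join(lines) + "\n"


def parse_kdc_value(value):
    """Split a kdc value into (host, port); a bare IPv6 address (several colons, no brackets) has no port."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else KRB5_DEFAULT_PORT
        return host, port
    if value.count(":") > 1:
        return value, KRB5_DEFAULT_PORT
    host, sep, port = value.partition(":")
    return host, (int(port) if sep else KRB5_DEFAULT_PORT)


def audit_krb5_conf(text):
    """Flag kdc entries whose port cannot be right: 445 is SMB, any other non-default port needs checking."""
    problems = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "kdc":
            continue
        host, port = parse_kdc_value(value)
        if port == SMB_PORT:
            problems.append(f"{host}: port {SMB_PORT} is SMB over TCP, not Kerberos")
        elif port != KRB5_DEFAULT_PORT:
            problems.append(f"{host}: non-default port {port}, verify it against the _kerberos._tcp SRV record")
    return problems


# Constructed fragments: BROKEN_CONF mimics the file described above (KDC port
# copied from the SMB connection); GOOD_CONF is what SRV-derived data gives an
# IPv6-only client.
BROKEN_CONF = realm_stanza("AD.BASEOS.QE", ["[2620:52:0:2223::1:1]:445"])
GOOD_CONF = realm_stanza(
    "AD.BASEOS.QE", kdc_values_from_srv(SAMPLE_SRV, SAMPLE_ADDRS, have_ipv4=False)
)

if __name__ == "__main__":
    print(GOOD_CONF)
    for problem in audit_krb5_conf(BROKEN_CONF):
        print("BROKEN:", problem)
```

Running audit_krb5_conf over the realm file Samba generated (/var/cache/samba/smb_krb5/krb5.conf.<DOMAIN>) is a quick way to tell this failure mode apart from plain reachability problems: a "Cannot contact any KDC" error with a kdc line pointing at port 445 is the port-derivation bug, not a firewall or DNS issue.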
```
# rpm -q samba-common
samba-common-4.1.1-31.el7.x86_64
# cat /etc/resolv.conf
nameserver 2620:52:0:2223::1:1
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:00:01:b5 brd ff:ff:ff:ff:ff:ff
    inet 10.34.74.48/23 brd 10.34.75.255 scope global dynamic eth0
       valid_lft 43116sec preferred_lft 43116sec
    inet6 2620:52:0:2223:216:3eff:fe00:1b5/64 scope global dynamic
       valid_lft 2591918sec preferred_lft 2591918sec
    inet6 fe80::216:3eff:fe00:1b5/64 scope link
       valid_lft forever preferred_lft forever
# cat realmd.samba.cfg
[global]
workgroup = AD
realm = AD.BASEOS.QE
kerberos method = system keytab
security = ads
# ip a del 10.34.74.48/23 dev eth0
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:00:01:b5 brd ff:ff:ff:ff:ff:ff
    inet6 2620:52:0:2223:216:3eff:fe00:1b5/64 scope global dynamic
       valid_lft 2591907sec preferred_lft 2591907sec
    inet6 fe80::216:3eff:fe00:1b5/64 scope link
       valid_lft forever preferred_lft forever
ping6 2620:52:0:2223::1:1
PING 2620:52:0:2223::1:1(2620:52:0:2223::1:1) 56 data bytes
64 bytes from 2620:52:0:2223::1:1: icmp_seq=1 ttl=63 time=0.555 ms
64 bytes from 2620:52:0:2223::1:1: icmp_seq=2 ttl=63 time=0.531 ms
# net -d3 -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "realmd.samba.cfg"
Processing section "[global]"
added interface eth0 ip=2620:52:0:2223:216:3eff:fe00:1b5 bcast= netmask=ffff:ffff:ffff:ffff::
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Amy-admin's password:
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'SEC-V06'
        domain_name              : *
            domain_name              : 'ad.baseos.qe'
        account_ou               : NULL
        admin_account            : 'Amy-admin'
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : NULL
        os_name                  : NULL
        create_upn               : 0x00 (0)
        upn                      : NULL
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x00 (0)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
Connecting to 2620:52:0:2223::1:1 at port 445
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
Successfully contacted LDAP server 2620:52:0:2223::1:1
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        netbios_domain_name      : 'AD'
        dns_domain_name          : 'ad.baseos.qe'
        forest_name              : 'ad.baseos.qe'
        dn                       : NULL
        domain_sid               : *
            domain_sid               : S-1-5-21-2790367618-2869338822-3635713911
        modified_config          : 0x00 (0)
        error_string             : 'failed to connect to AD: No logon servers'
        domain_is_ad             : 0x01 (1)
        result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: No logon servers
return code = -1
```

Hi

I:

0) Configured samba (check additional info)
1) Reserved a machine in Boston (slower connection to the Brno lab where the AD is located)
2) Unmounted all nfs shares (some of them are ip4 only!)
3) Totally disabled ipv4 by:
   # ip addr del <ipv4 address>/CIDR dev ethN (operational example: "ip addr del 192.168.0.1/24 dev eth0")
   # ip link set dev eth0 arp off
4) Set /etc/resolv.conf to:
   domain ad.baseos.qe
   nameserver 2620:52:0:2259::5e
   and protected it from evil NetworkManager with:
   # chattr +i /etc/resolv.conf
5) Ran this for some time (an hour or two):
   while net -d10 ads join -Uadministrator%heslo; do net ads testjoin; net ads leave -Uadministrator%heslo; done

RESULT: Success. I didn't find any failure. If you found something, speak now or forever hold your peace.
Additional info:

smb.conf:

```
[global]
#--authconfig--start-line--
# Generated by authconfig on 2015/01/20 09:47:48
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = ad
password server = *
realm = ad.baseos.qe
security = ADS
idmap config * : range = 10000-20000
winbind separator = +
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = false
winbind offline logon = true
#--authconfig--end-line--
;kerberos method = secrets and keytab
winbind cache time = 10
;winbind separator = +
log level = 10
idmap config * : range = 10000-20000
;realm = baseos.qe
netbios name = ibm-x3250m4-11
;workgroup = baseos
;security = ADS
;password server = *
wins server = 2620:52:0:2259::5e,
encrypt passwords = yes
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0409.html

My setup is pure IPv6 and the Windows AD is dual mode, meaning IPv4 and IPv6. When I connect with net ads join -S ******* -U sandeep I get: Failed to join domain: failed to connect to AD: No logon servers. In the debug logs I found it tries to connect to IPv4 instead of IPv6: ads_try_connect: <ipv4 address> failed. Can you help? smbd -V: Version 4.6.6. I have set proper values in /etc/resolv.conf.

There is no Samba 4.6.6 available in RHEL7.

Yes, but can you guide me on the changes needed, if any, to set up AD in an IPv6 setup where the AD server is dual stack, meaning IPv4 and IPv6?
Created attachment 817454
Samba log with -d10

Description of problem:
Joining a Windows Active Directory fails when the server operates on both IPv4 and IPv6 but the client only on IPv6. When the client has only IPv4 or both addresses, the join works.

Version-Release number of selected component (if applicable):
samba-4.1.0-0.5.rc2el7

How reproducible:
100%

Steps to Reproduce:

```
# cat realmd.samba.cfg
[global]
workgroup = AD
realm = AD.BASEOS.QE
kerberos method = system keytab
security = ads
#
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
    link/ether 5c:f3:fc:85:41:23 brd ff:ff:ff:ff:ff:ff
    inet 10.16.67.124/21 scope global dynamic eth0
       valid_lft 85110sec preferred_lft 85110sec
    inet6 2620:52:0:1040:5ef3:fcff:fe85:4123/64 scope global dynamic
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fec0:0:a10:4000:5ef3:fcff:fe85:4123/64 scope site dynamic
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fe80::5ef3:fcff:fe85:4123/64 scope link
       valid_lft forever preferred_lft forever
#
# net -v -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
Enter Amy-admin's password:
print_kdc_line: can't resolve name for kdc with non-default port [2620:52:0:2223:1dfe:a8ea:f0d8:380c]. Error Name or service not known
Using short domain name -- AD
Joined 'IBM-P730-05-LP3' to dns domain 'ad.baseos.qe'
#
# ip a del 10.16.67.124/21 dev eth0
# net -d3 -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "realmd.samba.cfg"
Processing section "[global]"
added interface eth0 ip=2620:52:0:1040:5ef3:fcff:fe85:4123 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fec0:0:a10:4000:5ef3:fcff:fe85:4123 bcast= netmask=ffff:ffff:ffff:ffff::
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Amy-admin's password:
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    in: struct libnet_JoinCtx
        dc_name                  : NULL
        machine_name             : 'IBM-P730-05-LP3'
        domain_name              : *
            domain_name              : 'ad.baseos.qe'
        account_ou               : NULL
        admin_account            : 'Amy-admin'
        machine_password         : NULL
        join_flags               : 0x00000023 (35)
               0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
               0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
               0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
               0: WKSSVC_JOIN_FLAGS_DEFER_SPN
               0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
               0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
               1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
               0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
               0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
               1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
               1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
        os_version               : NULL
        os_name                  : NULL
        create_upn               : 0x00 (0)
        upn                      : NULL
        modify_config            : 0x00 (0)
        ads                      : NULL
        debug                    : 0x01 (1)
        use_kerberos             : 0x00 (0)
        secure_channel_type      : SEC_CHAN_WKSTA (2)
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_cldap_netlogon: did not get a reply
Connecting to 2620:52:0:2223:1dfe:a8ea:f0d8:380c at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 2620:52:0:2223:1dfe:a8ea:f0d8:380c at port 139
Connecting to 2620:52:0:2223::1:1 at port 445
Connecting to 10.34.37.22 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 2620:52:0:2223::1:1 at port 139
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 10.34.37.22 at port 139
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214fc540] mpx_fde[(nil)] fd[13] - disabling
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214ff990] mpx_fde[(nil)] fd[15] - disabling
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214fe550] mpx_fde[(nil)] fd[14] - disabling
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
print_kdc_line: can't resolve name for kdc with non-default port [2620:52:0:2223:1dfe:a8ea:f0d8:380c]. Error Name or service not known
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2620:52:0:2223:1dfe:a8ea:f0d8:380c failed.
Successfully contacted LDAP server 2620:52:0:2223::1:1
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx
    out: struct libnet_JoinCtx
        account_name             : NULL
        netbios_domain_name      : 'AD'
        dns_domain_name          : 'ad.baseos.qe'
        forest_name              : 'ad.baseos.qe'
        dn                       : NULL
        domain_sid               : *
            domain_sid               : S-1-5-21-2790367618-2869338822-3635713911
        modified_config          : 0x00 (0)
        error_string             : 'failed to connect to AD: No logon servers'
        domain_is_ad             : 0x01 (1)
        result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: No logon servers
return code = -1
```

Additional info:
More detailed debug logs are attached.