Bug 1024788

Summary: Samba has trouble joining Active Directory via IPv6
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: samba
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA
QA Contact: Robin Hack <rhack>
Severity: high
Docs Contact:
Priority: urgent
Version: 7.0
CC: asn, ccb, dpal, gdeschner, jherrman, jscotka, ksrot, pkis, rmainz, sbose, sowmya.manjanatha, vasimkachhi
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: samba-4.1.1-32.el7
Doc Type: Bug Fix
Doc Text:
Prior to this update, a bug prevented the Samba utility from connecting to a Windows Active Directory (AD) when the server operated on both the IPv4 and IPv6 protocols and the client operated only on IPv6. As a consequence, Samba sometimes failed to join a Windows domain network. With this update, the described bug has been fixed and Samba can now join Windows domain networks as intended.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 09:21:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1086308, 1094292
Attachments:
Samba log with -d10 (Flags: none)

Description Patrik Kis 2013-10-30 12:42:36 UTC
Created attachment 817454 [details]
Samba log with -d10

Description of problem:
Joining a Windows Active Directory fails when the server operates on both IPv4 and IPv6 but the client only on IPv6.
When the client has only IPv4 or both addresses, the join works.

Version-Release number of selected component (if applicable):
samba-4.1.0-0.5.rc2el7

How reproducible:
100%

Steps to Reproduce:
# cat realmd.samba.cfg
[global]
workgroup = AD
realm = AD.BASEOS.QE
kerberos method = system keytab
security = ads
#
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
    link/ether 5c:f3:fc:85:41:23 brd ff:ff:ff:ff:ff:ff
    inet 10.16.67.124/21 scope global dynamic eth0
       valid_lft 85110sec preferred_lft 85110sec
    inet6 2620:52:0:1040:5ef3:fcff:fe85:4123/64 scope global dynamic 
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fec0:0:a10:4000:5ef3:fcff:fe85:4123/64 scope site dynamic 
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fe80::5ef3:fcff:fe85:4123/64 scope link 
       valid_lft forever preferred_lft forever
#
# net -v -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
Enter Amy-admin's password:
print_kdc_line: can't resolve name for kdc with non-default port [2620:52:0:2223:1dfe:a8ea:f0d8:380c]. Error Name or service not known
Using short domain name -- AD
Joined 'IBM-P730-05-LP3' to dns domain 'ad.baseos.qe'
#
# ip a del 10.16.67.124/21 dev eth0
# net -d3 -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "realmd.samba.cfg"
Processing section "[global]"
added interface eth0 ip=2620:52:0:1040:5ef3:fcff:fe85:4123 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fec0:0:a10:4000:5ef3:fcff:fe85:4123 bcast= netmask=ffff:ffff:ffff:ffff::
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Amy-admin's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'IBM-P730-05-LP3'
            domain_name              : *
                domain_name              : 'ad.baseos.qe'
            account_ou               : NULL
            admin_account            : 'Amy-admin'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_cldap_netlogon: did not get a reply
Connecting to 2620:52:0:2223:1dfe:a8ea:f0d8:380c at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 2620:52:0:2223:1dfe:a8ea:f0d8:380c at port 139
Connecting to 2620:52:0:2223::1:1 at port 445
Connecting to 10.34.37.22 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 2620:52:0:2223::1:1 at port 139
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 10.34.37.22 at port 139
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214fc540] mpx_fde[(nil)] fd[13] - disabling
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214ff990] mpx_fde[(nil)] fd[15] - disabling
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214fe550] mpx_fde[(nil)] fd[14] - disabling
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
print_kdc_line: can't resolve name for kdc with non-default port [2620:52:0:2223:1dfe:a8ea:f0d8:380c]. Error Name or service not known
.ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2620:52:0:2223:1dfe:a8ea:f0d8:380c failed.
Successfully contacted LDAP server 2620:52:0:2223::1:1
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'AD'
            dns_domain_name          : 'ad.baseos.qe'
            forest_name              : 'ad.baseos.qe'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-2790367618-2869338822-3635713911
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: No logon servers'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: No logon servers
return code = -1

Additional info:
More detailed debug logs are attached.

Comment 3 Andreas Schneider 2014-02-07 14:15:33 UTC
We are still working on the patchset. It isn't finished yet. The issue is more complex :)

Comment 4 sowmya.manjanatha 2014-02-23 16:37:31 UTC
We are seeing the same issue as in this description.  Is there a date when the patchset may be available?  Is there a work around in the interim?

Comment 5 Charlie Bennett 2014-02-24 16:21:13 UTC
Andreas - Sowmya is a talented networking developer and she can help get this sorted out.  We have a full IPv6 and AD infrastructure in place.

We'd like to not duplicate effort, so if you can provide diffs for work in progress we can help you get this wrapped up.

Thanks.

Comment 6 sowmya.manjanatha 2014-03-04 21:00:33 UTC
I was able to join the domain finally with changes in a couple of places:

1) In source3/libsmb/namequery.c : resolve_name (...., prefer_ipv4).   
I think from at least 3 places, prefer_ipv4 was set to true, which was causing resolve_name to never return IPv6 DC addresses.  For now, I have hardcoded prefer_ipv4 to false inside resolve_name function.  Setting this to false doesn't seem to affect IPv4 connectivity as setting it to false will force this function to return all addresses.  This got me past the "No logon servers" issue.

2) The other place was in source3/libads/kerberos.c : In print_kdc_line, first it was failing before my previous change above with "Cannot resolve...." error.  Once I did the resolve_name change, then I kept getting "Cannot contact any KDC in requested realm" error.  After many wireshark traces, I found that "net ads join" command was sending kerberos authentication to port 445.  445 is a "SMB over TCP" port and kerberos usually runs on port 88.  I had checked many times that dig srv _kerberos._tcp.<domainname> was returning the port correctly but in /var/cache/samba/smb_krb5/krb5.conf.<DOMAIN> file, it was set to port 445.  I basically did the same logic as was done for AF_INET case in this function i.e. return a kdc string with no port but just the kdc_name.  That helped me join the domain.  

The main problem with item 2 is that we are trying to derive the kerberos port from the get_sockaddr_port function, which is picking up the sockaddr of whatever is the current or the previous connection.  In this case, I believe the last connection state had the "SMB over TCP" port.  

I think the correct fix would be to do a DNS resolution for the service record, maybe using "resolve_ads" with KDC_NAME_TYPE or maybe some other lightweight DNS resolver function, or derive it from the smb.conf file if "krb5 port" is set.

Currently, it also seems like setting "krb5 port" is useless.  Samba does not honor this setting at least not for ipv6.  I haven't tested ipv4 with this setting.
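As an added illustration of the two points in this comment (example code written for this page, not Samba's source and not the upstream patch): a DC-address filter that never discards IPv6 candidates just because IPv4 is preferred, and a krb5.conf "kdc =" formatter whose port comes from the SRV lookup rather than from the current connection's sockaddr. The function names (select_dc_addrs, format_kdc_line) and the sample DC list are constructed for the example; the addresses are the ones visible in the logs above.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define KRB5_DEFAULT_PORT 88   /* omitted from the kdc line when it is the default */

/* Family of an IP literal; AF_UNSPEC means "not a literal, treat as hostname". */
static int addr_family(const char *text)
{
    unsigned char buf[16];
    if (inet_pton(AF_INET, text, buf) == 1) return AF_INET;
    if (inet_pton(AF_INET6, text, buf) == 1) return AF_INET6;
    return AF_UNSPEC;
}

/* Keep only DC addresses of families this host has. Forcing prefer_ipv4 (as
 * comment 6 found) drops every IPv6 DC, leaving an IPv6-only client with zero
 * candidates, i.e. "No logon servers". IPv4 goes first only if the host has it. */
size_t select_dc_addrs(const char *const *cands, size_t n, int have_v4,
                       int have_v6, const char **out, size_t outlen)
{
    const int order[2] = { AF_INET, AF_INET6 }, allowed[2] = { have_v4, have_v6 };
    size_t k = 0;
    for (int p = 0; p < 2; p++) {
        if (!allowed[p]) continue;
        for (size_t i = 0; i < n && k < outlen; i++)
            if (addr_family(cands[i]) == order[p]) out[k++] = cands[i];
    }
    return k;
}

/* One "kdc =" value for a generated krb5.conf. srv_port is the port from the
 * _kerberos._tcp SRV record, never the sockaddr of the current SMB/LDAP
 * connection (how comment 6 got 445). IPv6 literals are bracketed with a port. */
int format_kdc_line(const char *kdc, int srv_port, char *out, size_t outlen)
{
    int n;
    if (srv_port <= 0 || srv_port == KRB5_DEFAULT_PORT)
        n = snprintf(out, outlen, "%s", kdc);
    else if (addr_family(kdc) == AF_INET6)
        n = snprintf(out, outlen, "[%s]:%d", kdc, srv_port);
    else
        n = snprintf(out, outlen, "%s:%d", kdc, srv_port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed sample: the DC addresses that appear in the logs above. */
static const char *const SAMPLE_DCS[] = { "10.34.37.22", "2620:52:0:2223::1:1",
                                          "2620:52:0:2223:1dfe:a8ea:f0d8:380c" };

size_t usable_dc_count(int have_v4, int have_v6)
{
    const char *out[8];
    return select_dc_addrs(SAMPLE_DCS, 3, have_v4, have_v6, out, 8);
}

const char *kdc_line(const char *kdc, int srv_port)
{
    static char buf[128];
    return format_kdc_line(kdc, srv_port, buf, sizeof buf) == 0 ? buf : "";
}
```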

Comment 7 Guenther Deschner 2014-03-10 10:13:16 UTC
Thank you for the very good analysis. 

A patch addressing the issue has been pushed to the Samba upstream repository (https://git.samba.org/?p=samba.git;a=commitdiff;h=168627e1877317db86471a4b0360dccd9f469aaa) and will be part of the next Samba RHEL7 build.

Comment 9 Robin Hack 2014-04-09 11:10:06 UTC
It looks much better. I covered this in manual tests.

Comment 10 Patrik Kis 2014-04-14 15:45:36 UTC
This fix is broken by the fix from bug 1082653.

# rpm -q samba-common
samba-common-4.1.1-31.el7.x86_64
# cat /etc/resolv.conf 
nameserver 2620:52:0:2223::1:1
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:00:01:b5 brd ff:ff:ff:ff:ff:ff
    inet 10.34.74.48/23 brd 10.34.75.255 scope global dynamic eth0
       valid_lft 43116sec preferred_lft 43116sec
    inet6 2620:52:0:2223:216:3eff:fe00:1b5/64 scope global dynamic 
       valid_lft 2591918sec preferred_lft 2591918sec
    inet6 fe80::216:3eff:fe00:1b5/64 scope link 
       valid_lft forever preferred_lft forever
# cat realmd.samba.cfg 
[global]
workgroup = AD
realm = AD.BASEOS.QE
kerberos method = system keytab
security = ads
# ip a del 10.34.74.48/23 dev eth0
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:00:01:b5 brd ff:ff:ff:ff:ff:ff
    inet6 2620:52:0:2223:216:3eff:fe00:1b5/64 scope global dynamic 
       valid_lft 2591907sec preferred_lft 2591907sec
    inet6 fe80::216:3eff:fe00:1b5/64 scope link 
       valid_lft forever preferred_lft forever
# ping6 2620:52:0:2223::1:1
PING 2620:52:0:2223::1:1(2620:52:0:2223::1:1) 56 data bytes
64 bytes from 2620:52:0:2223::1:1: icmp_seq=1 ttl=63 time=0.555 ms
64 bytes from 2620:52:0:2223::1:1: icmp_seq=2 ttl=63 time=0.531 ms
# net -d3 -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "realmd.samba.cfg"
Processing section "[global]"
added interface eth0 ip=2620:52:0:2223:216:3eff:fe00:1b5 bcast= netmask=ffff:ffff:ffff:ffff::
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Amy-admin's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'SEC-V06'
            domain_name              : *
                domain_name              : 'ad.baseos.qe'
            account_ou               : NULL
            admin_account            : 'Amy-admin'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
Connecting to 2620:52:0:2223::1:1 at port 445
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
Successfully contacted LDAP server 2620:52:0:2223::1:1
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'AD'
            dns_domain_name          : 'ad.baseos.qe'
            forest_name              : 'ad.baseos.qe'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-2790367618-2869338822-3635713911
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: No logon servers'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: No logon servers
return code = -1
#

Comment 23 Robin Hack 2015-01-21 09:18:03 UTC
Hi

I:
0) Configure samba (check additional info)

1) reserved machine in Boston (slower connection to Brno lab where AD is located)

2) umounted all nfs shares (some of them are ip4 only!)

3) totally disabled ipv4 by:
	# ip addr del <ipv4 address>/CIDR dev ethN
	(operational example: "ip addr del 192.168.0.1/24 dev eth0")
	# ip link set dev eth0 arp off

4) set /etc/resolv.conf to:
domain ad.baseos.qe
nameserver 2620:52:0:2259::5e
and protected it against evil NetworkManager by:
# chattr +i /etc/resolv.conf

5) ran this for some time (an hour or two):

while net -d10 ads join -Uadministrator%heslo; do
	net ads testjoin;
	net ads leave -Uadministrator%heslo;
done

RESULT:
Success. I didn't find any failure. If you found something, speak now or forever hold your peace.

Additional info:

smb.conf:
[global]
#--authconfig--start-line--

# Generated by authconfig on 2015/01/20 09:47:48
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = ad
   password server = *
   realm = ad.baseos.qe
   security = ADS
   idmap config * : range = 10000-20000
   winbind separator = +
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = false
   winbind offline logon = true

#--authconfig--end-line--
;kerberos method = secrets and keytab
winbind cache time = 10
;winbind separator = +
log level = 10
idmap config * : range = 10000-20000
;realm = baseos.qe
netbios name = ibm-x3250m4-11
;workgroup = baseos
;security = ADS
;password server = *
wins server = 2620:52:0:2259::5e, 
encrypt passwords = yes

Comment 25 errata-xmlrpc 2015-03-05 09:21:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0409.html

Comment 26 vasim kachhi 2018-04-02 08:47:42 UTC
My setup is pure IPv6 and the Windows AD is dual mode, meaning IPv4 and IPv6.
When I connect with net ads join -S ******* -U sandeep
I get: Failed to join domain: failed to connect to AD: No logon servers

In the debug logs I found it tries to connect to IPv4 instead of IPv6:
ads_try_connect: <ipv4 address> failed

Can you help?

smbd -V
Version 4.6.6

I have set proper values in /etc/resolv.conf.

Comment 27 Andreas Schneider 2018-04-03 07:47:10 UTC
There is no Samba 4.6.6 in RHEL7 available.

Comment 28 vasim kachhi 2018-04-03 11:42:43 UTC
Yes, but can you guide me on the changes needed, if any, to set up AD in an IPv6 setup
where the AD server is dual stack, meaning IPv4 and IPv6?