Bug 1024788 - samba has troubles join to active directory via IPv6
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba (Show other bugs)
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Guenther Deschner
QA Contact: Robin Hack
: ZStream
Depends On:
Blocks: 1086308 1094292
Reported: 2013-10-30 08:42 EDT by Patrik Kis
Modified: 2015-03-05 04:21 EST (History)

See Also:
Fixed In Version: samba-4.1.1-32.el7
Doc Type: Bug Fix
Doc Text:
Prior to this update, a bug prevented the Samba utility from connecting to a Windows Active Directory (AD) server when the server operated on both the IPv4 and IPv6 protocols and the client operated only on IPv6. As a consequence, Samba sometimes failed to join a Windows domain network. With this update, the described bug has been fixed and Samba can now join Windows domain networks as intended.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 04:21:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Samba log with -d10 (103.12 KB, text/plain)
2013-10-30 08:42 EDT, Patrik Kis

Description Patrik Kis 2013-10-30 08:42:36 EDT
Created attachment 817454 [details]
Samba log with -d10

Description of problem:
Joining a Windows Active Directory fails when the server operates on both IPv4 and IPv6 but the client only on IPv6.
When the client has only IPv4 or both addresses, the join works.

Version-Release number of selected component (if applicable):
samba-4.1.0-0.5.rc2el7

How reproducible:
100%

Steps to Reproduce:
# cat realmd.samba.cfg
[global]
workgroup = AD
realm = AD.BASEOS.QE
kerberos method = system keytab
security = ads
#
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
    link/ether 5c:f3:fc:85:41:23 brd ff:ff:ff:ff:ff:ff
    inet 10.16.67.124/21 scope global dynamic eth0
       valid_lft 85110sec preferred_lft 85110sec
    inet6 2620:52:0:1040:5ef3:fcff:fe85:4123/64 scope global dynamic 
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fec0:0:a10:4000:5ef3:fcff:fe85:4123/64 scope site dynamic 
       valid_lft 2591994sec preferred_lft 604794sec
    inet6 fe80::5ef3:fcff:fe85:4123/64 scope link 
       valid_lft forever preferred_lft forever
#
# net -v -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
Enter Amy-admin's password:
print_kdc_line: can't resolve name for kdc with non-default port [2620:52:0:2223:1dfe:a8ea:f0d8:380c]. Error Name or service not known
Using short domain name -- AD
Joined 'IBM-P730-05-LP3' to dns domain 'ad.baseos.qe'
#
# ip a del 10.16.67.124/21 dev eth0
# net -d3 -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "realmd.samba.cfg"
Processing section "[global]"
added interface eth0 ip=2620:52:0:1040:5ef3:fcff:fe85:4123 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=fec0:0:a10:4000:5ef3:fcff:fe85:4123 bcast= netmask=ffff:ffff:ffff:ffff::
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Amy-admin's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'IBM-P730-05-LP3'
            domain_name              : *
                domain_name              : 'ad.baseos.qe'
            account_ou               : NULL
            admin_account            : 'Amy-admin'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_cldap_netlogon: did not get a reply
Connecting to 2620:52:0:2223:1dfe:a8ea:f0d8:380c at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 2620:52:0:2223:1dfe:a8ea:f0d8:380c at port 139
Connecting to 2620:52:0:2223::1:1 at port 445
Connecting to 10.34.37.22 at port 445
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 2620:52:0:2223::1:1 at port 139
E2BIG: convert_string(UTF-8,CP850): srclen=21 destlen=16 - 'SEC-AD1.AD.BASEOS.QE'
Connecting to 10.34.37.22 at port 139
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214fc540] mpx_fde[(nil)] fd[13] - disabling
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214ff990] mpx_fde[(nil)] fd[15] - disabling
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x100214fe550] mpx_fde[(nil)] fd[14] - disabling
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
print_kdc_line: can't resolve name for kdc with non-default port [2620:52:0:2223:1dfe:a8ea:f0d8:380c]. Error Name or service not known
.ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
ads_cldap_netlogon: did not get a reply
ads_try_connect: CLDAP request 2620:52:0:2223:1dfe:a8ea:f0d8:380c failed.
Successfully contacted LDAP server 2620:52:0:2223::1:1
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'AD'
            dns_domain_name          : 'ad.baseos.qe'
            forest_name              : 'ad.baseos.qe'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-2790367618-2869338822-3635713911
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: No logon servers'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: No logon servers
return code = -1

Additional info:
More detailed debug logs are attached.
Comment 3 Andreas Schneider 2014-02-07 09:15:33 EST
We are still working on the patchset. It isn't finished yet. The issue is more complex :)
Comment 4 sowmya.manjanatha 2014-02-23 11:37:31 EST
We are seeing the same issue as in this description.  Is there a date when the patchset may be available?  Is there a work around in the interim?
Comment 5 Charlie Bennett 2014-02-24 11:21:13 EST
Andreas - Sowmya is a talented networking developer and she can help get this sorted out.  We have a full IPv6 and AD infrastructure in place.

We'd like to not duplicate effort, so if you can provide diffs for work in progress we can help you get this wrapped up.

Thanks.
Comment 6 sowmya.manjanatha 2014-03-04 16:00:33 EST
I was able to join the domain finally with changes in a couple of places:

1) In source3/libsmb/namequery.c : resolve_name (...., prefer_ipv4).   
I think from at least 3 places, prefer_ipv4 was set to true, which was causing resolve_name to never return IPv6 DC addresses.  For now, I have hardcoded prefer_ipv4 to false inside resolve_name function.  Setting this to false doesn't seem to affect IPv4 connectivity as setting it to false will force this function to return all addresses.  This got me past the "No logon servers" issue.

2) The other place was in source3/libads/kerberos.c : In print_kdc_line, first it was failing before my previous change above with "Cannot resolve...." error.  Once I did the resolve_name change, then I kept getting "Cannot contact any KDC in requested realm" error.  After many wireshark traces, I found that "net ads join" command was sending kerberos authentication to port 445.  445 is a "SMB over TCP" port and kerberos usually runs on port 88.  I had checked many times that dig srv _kerberos._tcp.<domainname> was returning the port correctly but in /var/cache/samba/smb_krb5/krb5.conf.<DOMAIN> file, it was set to port 445.  I basically did the same logic as was done for AF_INET case in this function i.e. return a kdc string with no port but just the kdc_name.  That helped me join the domain.  

The main problem with item 2 is that we are trying to derive the Kerberos port from the get_sockaddr_port function, which is picking up the sockaddr for whatever is the current or the previous connection.  In this case, I believe the last connection state had the "SMB over TCP" port.

I think the correct fix would be to do a DNS resolution for the service record, maybe using "resolve_ads" with KDC_NAME_TYPE or maybe some other lightweight DNS resolver function, or derive it from the smb.conf file if "krb5 port" is set.

Currently, it also seems like setting "krb5 port" is useless.  Samba does not honor this setting at least not for ipv6.  I haven't tested ipv4 with this setting.
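As an added diagnostic in Python (not code from this bug report or from Samba), the script below parses a krb5.conf in the shape Samba writes to /var/cache/samba/smb_krb5/krb5.conf.<DOMAIN>, flags kdc entries that carry a non-Kerberos port such as 445, and filters resolved DC addresses by the address families the client actually has instead of preferring IPv4 unconditionally. The sample configuration and address lists are constructed from the values quoted in the comments above.

```python
import ipaddress
import re

# Constructed sample, modelled on comment 6: the Samba-generated
# krb5.conf.<DOMAIN> carried the SMB port (445) instead of the Kerberos port.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.BASEOS.QE

[realms]
    AD.BASEOS.QE = {
        kdc = [2620:52:0:2223:1dfe:a8ea:f0d8:380c]:445
        kdc = 10.34.37.22:445
        kdc = sec-ad1.ad.baseos.qe
    }
"""
KERBEROS_PORT = 88


def parse_kdc_entries(text):
    """Return [(realm, host, port)] for each kdc= line; port is None if absent."""
    entries, realm = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            realm = None
            continue
        block = re.match(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$", line)
        if block:
            realm = block.group(1)
            continue
        kdc = re.match(r"^kdc\s*=\s*(\S+)$", line)
        if not kdc or realm is None:
            continue
        value = kdc.group(1)
        bracketed = re.match(r"^\[([^\]]+)\](?::(\d+))?$", value)
        if bracketed:                  # [ipv6-literal] or [ipv6-literal]:port
            host, port = bracketed.group(1), bracketed.group(2)
        elif value.count(":") == 1:    # hostname:port or ipv4:port
            host, port = value.split(":")
        else:                          # bare hostname (or unbracketed IPv6)
            host, port = value, None
        entries.append((realm, host, int(port) if port else None))
    return entries


def find_wrong_kdc_ports(entries, expected=KERBEROS_PORT):
    """KDC entries whose explicit port is not the Kerberos port (e.g. 445)."""
    return [e for e in entries if e[2] not in (None, expected)]


def usable_dc_addresses(candidates, client_has_ipv4, client_has_ipv6):
    """Keep DC addresses of a family the client actually has, instead of
    preferring IPv4 unconditionally (the resolve_name behaviour in comment 6)."""
    keep = []
    for addr in candidates:
        version = ipaddress.ip_address(addr).version
        if (version == 4 and client_has_ipv4) or (version == 6 and client_has_ipv6):
            keep.append(addr)
    return keep
```

Running find_wrong_kdc_ports over the sample reports both port-445 entries, which is the misconfiguration Sowmya found in the generated file.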
Comment 7 Guenther Deschner 2014-03-10 06:13:16 EDT
Thank you for the very good analysis. 

A patch addressing the issue has been pushed to the Samba upstream repository (https://git.samba.org/?p=samba.git;a=commitdiff;h=168627e1877317db86471a4b0360dccd9f469aaa) and will be part of the next Samba RHEL7 build.
Comment 9 Robin Hack 2014-04-09 07:10:06 EDT
It looks much better. I covered this in manual tests.
Comment 10 Patrik Kis 2014-04-14 11:45:36 EDT
This fix is broken by the fix from bug 1082653.

# rpm -q samba-common
samba-common-4.1.1-31.el7.x86_64
# cat /etc/resolv.conf 
nameserver 2620:52:0:2223::1:1
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:00:01:b5 brd ff:ff:ff:ff:ff:ff
    inet 10.34.74.48/23 brd 10.34.75.255 scope global dynamic eth0
       valid_lft 43116sec preferred_lft 43116sec
    inet6 2620:52:0:2223:216:3eff:fe00:1b5/64 scope global dynamic 
       valid_lft 2591918sec preferred_lft 2591918sec
    inet6 fe80::216:3eff:fe00:1b5/64 scope link 
       valid_lft forever preferred_lft forever
# cat realmd.samba.cfg 
[global]
workgroup = AD
realm = AD.BASEOS.QE
kerberos method = system keytab
security = ads
# ip a del 10.34.74.48/23 dev eth0
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:00:01:b5 brd ff:ff:ff:ff:ff:ff
    inet6 2620:52:0:2223:216:3eff:fe00:1b5/64 scope global dynamic 
       valid_lft 2591907sec preferred_lft 2591907sec
    inet6 fe80::216:3eff:fe00:1b5/64 scope link 
       valid_lft forever preferred_lft forever
# ping6 2620:52:0:2223::1:1
PING 2620:52:0:2223::1:1(2620:52:0:2223::1:1) 56 data bytes
64 bytes from 2620:52:0:2223::1:1: icmp_seq=1 ttl=63 time=0.555 ms
64 bytes from 2620:52:0:2223::1:1: icmp_seq=2 ttl=63 time=0.531 ms
# net -d3 -s realmd.samba.cfg -U Amy-admin ads join ad.baseos.qe
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "realmd.samba.cfg"
Processing section "[global]"
added interface eth0 ip=2620:52:0:2223:216:3eff:fe00:1b5 bcast= netmask=ffff:ffff:ffff:ffff::
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Enter Amy-admin's password:
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        in: struct libnet_JoinCtx
            dc_name                  : NULL
            machine_name             : 'SEC-V06'
            domain_name              : *
                domain_name              : 'ad.baseos.qe'
            account_ou               : NULL
            admin_account            : 'Amy-admin'
            machine_password         : NULL
            join_flags               : 0x00000023 (35)
                   0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
                   0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
                   0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
                   0: WKSSVC_JOIN_FLAGS_DEFER_SPN
                   0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
                   0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
                   1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
                   0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
                   0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
                   1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
                   1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
            os_version               : NULL
            os_name                  : NULL
            create_upn               : 0x00 (0)
            upn                      : NULL
            modify_config            : 0x00 (0)
            ads                      : NULL
            debug                    : 0x01 (1)
            use_kerberos             : 0x00 (0)
            secure_channel_type      : SEC_CHAN_WKSTA (2)
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
Connecting to 2620:52:0:2223::1:1 at port 445
Doing spnego session setup (blob length=120)
got OID=1.3.6.1.4.1.311.2.2.30
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
Successfully contacted LDAP server 2620:52:0:2223::1:1
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
get_dc_list: preferred server list: "sec-ad1.ad.baseos.qe, *"
ads_cldap_netlogon: cldap_multi_netlogon failed: NT_STATUS_NETWORK_UNREACHABLE
ads_try_connect: CLDAP request 10.34.37.22 failed.
libnet_Join:
    libnet_JoinCtx: struct libnet_JoinCtx
        out: struct libnet_JoinCtx
            account_name             : NULL
            netbios_domain_name      : 'AD'
            dns_domain_name          : 'ad.baseos.qe'
            forest_name              : 'ad.baseos.qe'
            dn                       : NULL
            domain_sid               : *
                domain_sid               : S-1-5-21-2790367618-2869338822-3635713911
            modified_config          : 0x00 (0)
            error_string             : 'failed to connect to AD: No logon servers'
            domain_is_ad             : 0x01 (1)
            result                   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: No logon servers
return code = -1
#
Comment 23 Robin Hack 2015-01-21 04:18:03 EST
Hi

I:
0) Configure samba (check additional info)

1) reserved machine in Boston (slower connection to Brno lab where AD is located)

2) unmounted all nfs shares (some of them are ip4 only!)

3) totally disabled ipv4 by:
	# ip addr del <ipv4 address>/CIDR dev ethN
	(operational example: "ip addr del 192.168.0.1/24 dev eth0")
	# ip link set dev eth0 arp off

4) set /etc/resolv.conf to:
domain ad.baseos.qe
nameserver 2620:52:0:2259::5e
and protected it from evil NetworkManager:
# chattr +i /etc/resolv.conf

5) ran this for some time (an hour or two):

while net -d10 ads join -Uadministrator%heslo; do
	net ads testjoin;
	net ads leave -Uadministrator%heslo;
done

RESULT:
Success. I didn't find any failure. If you found something, speak now or forever hold your peace.

Additional info:

smb.conf:
[global]
#--authconfig--start-line--

# Generated by authconfig on 2015/01/20 09:47:48
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = ad
   password server = *
   realm = ad.baseos.qe
   security = ADS
   idmap config * : range = 10000-20000
   winbind separator = +
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = false
   winbind offline logon = true

#--authconfig--end-line--
;kerberos method = secrets and keytab
winbind cache time = 10
;winbind separator = +
log level = 10
idmap config * : range = 10000-20000
;realm = baseos.qe
netbios name = ibm-x3250m4-11
;workgroup = baseos
;security = ADS
;password server = *
wins server = 2620:52:0:2259::5e, 
encrypt passwords = yes
Comment 25 errata-xmlrpc 2015-03-05 04:21:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0409.html
