The Samba-Bugzilla – Attachment 15289 Details for
Bug 14021
v4.8: 'samba-tool domain join dc' fails against Windows 2003 or 2008 (non-R2) DC
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Backport for v4.10 and v4.9
backport-patch.txt (text/plain), 2.43 KB, created by
Tim Beale
on 2019-07-05 01:27:32 UTC
(
hide
)
Description:
Backport for v4.10 and v4.9
Filename:
MIME Type:
Creator:
Tim Beale
Created:
2019-07-05 01:27:32 UTC
Size:
2.43 KB
patch
obsolete
>From 6100b2effa9b34ad8dfb0bf9e7508d0d66209ea3 Mon Sep 17 00:00:00 2001 >From: Tim Beale <timbeale@catalyst.net.nz> >Date: Mon, 1 Jul 2019 17:06:31 +1200 >Subject: [PATCH] s4/libnet: Fix joining a Windows pre-2008R2 DC > >From v4.8 onwards, Samba may not be able join a DC older than 2008R2 >because the Windows DC doesn't support GET_TGT. > >If the dsdb repl_md code can't resolve a link target it returns an >error, and the calling code (e.g. drs_util.py) should retry with >GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later, >so if you try to join an earlier Windows DC, the join will throw an >error that you can't work-around. > >We can avoid this problem by setting the same DSDB flag that GET_TGT >sets to indicate that the link targets are as up-to-date as possible, >and so there's no point retrying. Missing targets are still logged, so >this at least allows the admin to fix up any problems after the join >completed. > >I've only done this for the join case (problems during periodic >replication are probably still worth escalating to an error). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021 >RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD >DC may not have worked. When this problem occurred, the following >message would be displayed: > 'Failed to commit objects: DOS code 0x000021bf' >This particular issue has now been resolved. Note that there may still >be other potential problems that occur when joining an older Windows DC. > >Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0) >--- > source4/libnet/libnet_vampire.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c >index 6167493..128d237 100644 >--- a/source4/libnet/libnet_vampire.c >+++ b/source4/libnet/libnet_vampire.c >@@ -660,6 +660,15 @@ WERROR libnet_vampire_cb_store_chunk(void *private_data, > return WERR_INVALID_PARAMETER; > } > >+ /* >+ * If the peer DC doesn't support GET_TGT (req v10), then the link >+ * targets are as up-to-date as they're ever gonna be. (Without this, >+ * cases where we'd normally retry with GET_TGT cause the join to fail) >+ */ >+ if (c->req_level < 10) { >+ dsdb_repl_flags |= DSDB_REPL_FLAG_TARGETS_UPTODATE; >+ } >+ > if (req_replica_flags & DRSUAPI_DRS_CRITICAL_ONLY || is_exop) { > /* > * If we only replicate the critical objects, or this >-- >2.7.4 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=15289">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
abartlet
:
review+
Actions:
View
Attachments on
bug 14021
: 15289