Bug 10710 - Samba cannot connect to Windows AD DC over IPv6
Samba cannot connect to Windows AD DC over IPv6
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.1.8
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-11 18:24 UTC by Alex K
Modified: 2015-07-31 08:31 UTC (History)
2 users (show)

See Also:


Attachments
starttls-error.log.smbd (419.49 KB, text/plain)
2014-07-11 18:24 UTC, Alex K
no flags Details
starttls-error.tcp.dump (4.83 KB, application/octet-stream)
2014-07-11 18:24 UTC, Alex K
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alex K 2014-07-11 18:24:06 UTC
Created attachment 10100 [details]
starttls-error.log.smbd

Samba server is a member of Windows domain, and has both IPv4 and IPv6 addresses. 
AD DC also has IPv4 and IPv6 enabled. 

When Samba server tries to talk to DC over IPv6, it yields cryptic error 
"Failed to issue the StartTLS instruction: Connect error"

Interestingly, Samba logs indicate that Samba tries to communicate over IPv4, but tcpdump shows pure IPv6 connection being established. 

Excerpt from the log (some lines removed):
  Successfully contacted LDAP server 172.25.152.139
  Opening connection to LDAP server 'EEM-DC-2.ad.corp.acme.com:389', timeout 15 seconds
  Connected to LDAP server 'EEM-DC-2.ad.corp.acme.com:389'
  Connected to LDAP server EEM-DC-2.ad.corp.acme.com
  saf_store: domain = [AD.CORP.ACME.COM], server = [EEM-DC-2.ad.corp.acme.com], expire = [1405098981]
  Failed to issue the StartTLS instruction: Connect error
  ads_connect failed: Connect error

Everything works fine over IPv4 with IPv6 disabled. Other services work fine over IPv6. 
I vaguely remember from the bug 8910 that Samba should prefer IPv4 when both are available, but I'm not 100% sure and not seeing it happening.
Comment 1 Alex K 2014-07-11 18:24:55 UTC
Created attachment 10101 [details]
starttls-error.tcp.dump

tcpdump of ipv6 session between Samba server and the DC.