Bug 10729 - Samba has a wrong "Dual-Stack" implementation (I think).
Samba has a wrong "Dual-Stack" implementation (I think).
Status: NEEDINFO
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
4.1.6
All Linux
: P5 major
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-19 16:31 UTC by Thiago Martins
Modified: 2014-11-10 14:54 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thiago Martins 2014-07-19 16:31:30 UTC
Guys,

I'm facing the following problem too:
https://lists.samba.org/archive/samba/2013-March/172230.html

NOTE: I just posted this message on Samba mail list but, this seems to be a BUG, so, I'm opening it here...

---
I'm seeing that the problem is:

* samba-tool must use IPv6 ONLY IF the machine have IPv6.
* samba-tool must be able to join a IPv4-Only Secondary DC, into a Dual-Stacked "Samba4 AC DC", I think...
---

I have two `Samba4 AC DC`, both located in my office, dual-stacked, working like a charm.

Now, I need to deploy a third DC, located within Amazon EC2, which does NOT have IPv6. But samba-tool fails to join it.

How can I workaround this? Without enabling a tunneled IPv6 within my EC2...

---
Exemplifying:

1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6
2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6

3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only
---

At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and 2", Kerberos works:

---
root@ubuntu-ad-3:~# kinit administrator
Password for administrator@CENTRAL.DOMAIN.COM.BR:
Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10 PM UTC
---

But, samba-tool, when it sees the AAAA record, it then tries to use it, even if its host doesn't have IPv6 connectivity. I understand that IPv6 should be preferred but, only when the machine have it enabled...

---
root@ubuntu-ad-3:~# samba-tool domain join central.domain.com.br DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'central.domain.com.br'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'central.domain.com.br'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
---

When debugging it with `strace`, I see:

---
strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
.....
[pid 1533] +++ killed by SIGKILL +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533, si_status=SIGKILL, si_utime=0, si_stime=0} ---
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "2008:291:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'CENTRAL.DOMAIN.COM.BR'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
+++ exited with 255 +++
---

As a workaround, how can I force samba-tool to use IPv4? Since my `ubuntu-ad-3` doesn't have IPv6...

Thanks!
Thiago
Comment 1 Thiago Martins 2014-07-20 23:27:17 UTC
Guys,

 In fact, I just realized that Samba4 does not support joining a IPv4-Only secondary DC, into a dual-stacked "Samba4 AC DC". Or I'm doing something wrong...

 I see this as a major limitation of the solution, since it obligates the administrator to activate IPv6 for every network at the same time.

 It would be really awesome to see A IPv4-Only DC, joining into a Dual-Stacked PDC!

 Now, to be able to use Samba4 as a Secondary DC within Amazon EC2 (which doesn't have IPv6), I'll need to re-provision my entire office network (Samba4-AC-DC LAN domain), without IPv6... This is very sad...   :'(

Regards,
Thiago
Comment 2 Thiago Martins 2014-08-24 22:18:01 UTC
Hey guys,

AFAIK, and from what I'm seeing, Samba4 (AD DC) have a wrong Dual-Stacked implementation.

I mean, for example, look at the `telnet` client:

---
tmartins@station-1:~$ host file-server
file-server.domain.com.br has address 172.16.0.100
file-server.domain.com.br has IPv6 address 2008:129X:250:10:20c:29ff:fe71:5bda

Now, if `station-1` have IPv6, then, "telnet file-server 22", for example, will try to connect via IPv6 first BUT, if `station-1` does NOT have IPv6, then, `telnet` client will try to connect via IPv4. This is an example of a good dual-stacked implementation...
---

But, Samba does not behave like that.

I'm seeing that Samba4, when it sees an AAAA record (IPv6 address), then, it tries to connect to that host ONLY via IPv6, even if its own host does NOT have IPv6 connectivity. This seems to be wrong. It does not fallback to IPv4, if it does not have IPv6.

I really need to be able to `net ads join` a Secondary DC, that is IPv4-Only, into a domain that is controlled by a Dual-Stacked PDC. That simple does not work today because Samba4, running at an IPv4-Only host, tries to connect to a Dual-Stacked PDC, using its AAAA record (IPv6), which will fail.

And that is not only a "samba-tool" fault, Samba daemons also have this problem too. I know that because, if you take an IPv4-Only Samba4 environment, that have two IPv4-Only Domain Controles and then, right after enabling an IPv6 Address at the PDC, immediately, all the others DCs will start trying to connect to PDC (replication and etc) via IPv6, which is wrong...

Right now, if you want to start deploying IPv6 in your Samba 4 domain(s), like a Corporate Network, it obligates you to enable it, simultaneously, in all DCs. You can not have a dual-stacked PDC alongside with a IPv4-Only BDC.

Regards,
Thiago
Comment 3 Jeremy Allison 2014-09-26 17:32:02 UTC
I know at least smbd and winbindd work in a dual IPv6/v4 stack. Not sure about the client tools or samba-tool.

Can you give specific steps to reproduce, then I can go through and work on the code ?

Thanks,

Jeremy.
Comment 4 Björn Jacke 2014-11-10 11:01:39 UTC
Jeremy: reproducing of the IP setup should be easy with /etc/hosts giving a some host a random IPv6 and the real IPv4 address there and make sure that you have no IPv6 route to the defined v6 address.

I tried to reproduce it this way:

2001::1         v64test
192.168.1.2     v64test

smbclient has no issues connecting to v64test.

"samba-tool dns query v64test example.com example.com ALL" also tries to talk to both IPs

Thiago: Does this samba-tool command also work this way for you with dual stack and fall-back to v4 or v6?
Comment 5 Thiago Martins 2014-11-10 14:54:25 UTC
Guys,

I'll provide, this week, a complete step-by-step for you guys to reproduce the problem.

Cheers!
Thiago