Guys,

I'm facing the following problem too: https://lists.samba.org/archive/samba/2013-March/172230.html

NOTE: I just posted this message on the Samba mailing list but this seems to be a BUG, so I'm opening it here...

---

I'm seeing that the problem is:

* samba-tool must use IPv6 ONLY IF the machine has IPv6.
* samba-tool must be able to join an IPv4-Only Secondary DC into a Dual-Stacked "Samba4 AD DC", I think...

---

I have two `Samba4 AD DC`, both located in my office, dual-stacked, working like a charm. Now, I need to deploy a third DC, located within Amazon EC2, which does NOT have IPv6. But samba-tool fails to join it.

How can I work around this? Without enabling a tunneled IPv6 within my EC2...

---

Exemplifying:

1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6
2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6
3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only

---

At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and 2", Kerberos works:

---
root@ubuntu-ad-3:~# kinit administrator
Password for administrator@CENTRAL.DOMAIN.COM.BR:
Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10 PM UTC
---

But samba-tool, when it sees the AAAA record, then tries to use it, even if its host doesn't have IPv6 connectivity. I understand that IPv6 should be preferred but only when the machine has it enabled...

---
root@ubuntu-ad-3:~# samba-tool domain join central.domain.com.br DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'central.domain.com.br'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'central.domain.com.br'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
---

When debugging it with `strace`, I see:

---
strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
.....
[pid 1533] +++ killed by SIGKILL +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533, si_status=SIGKILL, si_utime=0, si_stime=0} ---
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "2008:291:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'CENTRAL.DOMAIN.COM.BR'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
+++ exited with 255 +++
---

As a workaround, how can I force samba-tool to use IPv4? Since my `ubuntu-ad-3` doesn't have IPv6...

Thanks!
Thiago

Guys,

In fact, I just realized that Samba4 does not support joining an IPv4-Only secondary DC into a dual-stacked "Samba4 AD DC". Or I'm doing something wrong...

I see this as a major limitation of the solution, since it obligates the administrator to activate IPv6 for every network at the same time.

It would be really awesome to see an IPv4-Only DC joining into a Dual-Stacked PDC!

Now, to be able to use Samba4 as a Secondary DC within Amazon EC2 (which doesn't have IPv6), I'll need to re-provision my entire office network (Samba4-AD-DC LAN domain), without IPv6... This is very sad... :'(

Regards,
Thiago

Hey guys,

AFAIK, and from what I'm seeing, Samba4 (AD DC) has a wrong Dual-Stacked implementation. I mean, for example, look at the `telnet` client:

---
tmartins@station-1:~$ host file-server
file-server.domain.com.br has address 172.16.0.100
file-server.domain.com.br has IPv6 address 2008:129X:250:10:20c:29ff:fe71:5bda

Now, if `station-1` has IPv6, then "telnet file-server 22", for example, will try to connect via IPv6 first BUT, if `station-1` does NOT have IPv6, then the `telnet` client will try to connect via IPv4. This is an example of a good dual-stacked implementation...
---

But Samba does not behave like that. I'm seeing that Samba4, when it sees an AAAA record (IPv6 address), tries to connect to that host ONLY via IPv6, even if its own host does NOT have IPv6 connectivity. This seems to be wrong. It does not fall back to IPv4 if it does not have IPv6.

I really need to be able to `net ads join` a Secondary DC that is IPv4-Only into a domain that is controlled by a Dual-Stacked PDC. That simply does not work today because Samba4, running on an IPv4-Only host, tries to connect to a Dual-Stacked PDC using its AAAA record (IPv6), which will fail.

And that is not only a "samba-tool" fault, Samba daemons also have this problem too. I know that because, if you take an IPv4-Only Samba4 environment that has two IPv4-Only Domain Controllers and then, right after enabling an IPv6 Address at the PDC, immediately, all the other DCs will start trying to connect to the PDC (replication, etc.) via IPv6, which is wrong...

Right now, if you want to start deploying IPv6 in your Samba 4 domain(s), like a Corporate Network, it obligates you to enable it, simultaneously, in all DCs. You cannot have a dual-stacked PDC alongside an IPv4-Only BDC.

Regards,
Thiago

I know at least smbd and winbindd work in a dual IPv6/v4 stack. Not sure about the client tools or samba-tool.

Can you give specific steps to reproduce, then I can go through and work on the code?

Thanks,
Jeremy.

Jeremy: reproducing the IP setup should be easy with /etc/hosts, giving some host a random IPv6 and the real IPv4 address there, and making sure that you have no IPv6 route to the defined v6 address.

I tried to reproduce it this way:

2001::1 v64test
192.168.1.2 v64test

smbclient has no issues connecting to v64test. "samba-tool dns query v64test example.com example.com ALL" also tries to talk to both IPs.

Thiago: Does this samba-tool command also work this way for you with dual stack and fall back to v4 or v6?

Guys, I'll provide, this week, a complete step-by-step for you guys to reproduce the problem. Cheers! Thiago
No feedback, closing as WORKSFORME.

I assume you have an IPv6 route there, which is not working. We're not implementing Happy Eyeballs and don't want to do that. In case you have a v4-only host without a broken v6 route, then you should be able to run that.
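
The fallback behaviour discussed in this thread, as an added example that is not part of the original report and is not Samba's code: a client asks the resolver for address-family-appropriate results with `AI_ADDRCONFIG`, then walks the candidate list in order and moves on when an address fails with an error such as the `ENETUNREACH` seen in the strace output. The function names, the use of TCP, and the documentation-range addresses are assumptions made for illustration.

```python
import errno
import socket

# errno values that mean "this address is unusable from here": try the next one.
FALLBACK = {errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EAFNOSUPPORT,
            errno.ECONNREFUSED, errno.ETIMEDOUT}


def resolve_candidates(host, port, resolver=socket.getaddrinfo):
    # AI_ADDRCONFIG: return AAAA only if this host has an IPv6 address configured.
    infos = resolver(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0,
                     socket.AI_ADDRCONFIG)
    return [(info[0], info[4]) for info in infos]


def real_connect(family, sockaddr, timeout=5.0):
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return sock
    except OSError:
        sock.close()
        raise


def connect_with_fallback(candidates, connect=real_connect):
    """Try candidates in resolver order; return (conn, family, failed_attempts)."""
    failed = []
    for family, sockaddr in candidates:
        try:
            return connect(family, sockaddr), family, failed
        except OSError as exc:
            if not isinstance(exc, socket.timeout) and exc.errno not in FALLBACK:
                raise
            failed.append((sockaddr[0], errno.errorcode.get(exc.errno, "timeout")))
    raise OSError(errno.ENETUNREACH, "no candidate reachable: %r" % (failed,))


def demo():
    """Constructed case: IPv4-only client, dual-stacked DC (documentation addresses)."""
    candidates = [(socket.AF_INET6, ("2001:db8::10", 389, 0, 0)),
                  (socket.AF_INET, ("192.0.2.10", 389))]
    def ipv4_only_connect(family, sockaddr):  # simulates the strace result above
        if family == socket.AF_INET6:
            raise OSError(errno.ENETUNREACH, "Network is unreachable")
        return "connected to %s" % sockaddr[0]

    return connect_with_fallback(candidates, ipv4_only_connect)
```

The list of failed attempts returned alongside the connection is worth logging: it shows which address families were skipped and why, which is the information the traceback in the report does not give.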