Bug 10891 - Joining Samba3 BDC fails with Samba4.2 rc1
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.2.0rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
Depends on: 10440
Reported: 2014-10-22 15:52 UTC by Arvid Requate
Modified: 2016-07-31 02:42 UTC

Attachments
patch for master to allow join as a classic DC (6.64 KB, patch)
2014-10-22 23:56 UTC, Andrew Bartlett
no flags
v4-2-test patch (9.76 KB, patch)
2014-12-12 09:56 UTC, Andreas Schneider
gd: review+
v4-1-test patch (9.97 KB, patch)
2014-12-12 09:56 UTC, Andreas Schneider
gd: review-

Description Arvid Requate 2014-10-22 15:52:36 UTC
Joining a classic Samba3/OpenLDAP BDC fails with Samba 4.2 rc1. The error message is "Machine is a Domain Controller".
Comment 1 Andrew Bartlett 2014-10-22 23:56:19 UTC
Created attachment 10365
patch for master to allow join as a classic DC

Ironically, I came across this over the past few months, particularly when looking at inter-domain trusts, but didn't think there was a real-world use case.  

I've tidied up the patches, and with Garming have added tests, and these are in autobuild.
Comment 2 Andrew Bartlett 2014-10-23 00:03:12 UTC
BTW, would you mind describing what you use the self-join for?  I think it is a great thing, and some code would be much easier if we could assume it was always present, but didn't expect it was done often.

Thanks,

Andrew Bartlett
Comment 3 Arvid Requate 2014-10-23 17:06:06 UTC
There was a time when a squid>NTLM>winbind authentication showed performance issues and "wbinfo -t" would fail on BDCs when they were not "joined into the domain". Maybe that changed in the meantime. Also "net rpc testjoin" indicates that the system is not a proper member of the domain, which at least is irritating. Thanks for the quick patch, it solved the issue in my tests.

I still get a message "No realm has been specified! Do you really want to join an Active Directory server?" which is related to the "create krb5 conf" parameter and looks like a bit of a weird question given that a net rpc join was performed. Configuring the "realm" parameter in smb.conf didn't silence the message. But this seems harmless.
Comment 4 Andreas Schneider 2014-12-12 09:56:01 UTC
Created attachment 10527
v4-2-test patch
Comment 5 Andreas Schneider 2014-12-12 09:56:41 UTC
Created attachment 10528
v4-1-test patch

This is a real backport. Please review more carefully. Thanks!
Comment 6 Guenther Deschner 2014-12-12 09:59:29 UTC
Comment on attachment 10527
v4-2-test patch

looks good
Comment 7 Guenther Deschner 2014-12-12 10:03:05 UTC
Comment on attachment 10528
v4-1-test patch

4.1 does not have that issue, so no need to modify libnetjoin there.
Comment 8 Andreas Schneider 2014-12-12 11:23:47 UTC
If we ever add the schannel patch from bug #10440 we also need to apply the v4-2-test patch from here!
Comment 9 Andrew Bartlett 2016-07-31 02:42:11 UTC
Fixed in Samba 4.3 with b299409410751ff3c8c775bd073e34d914a54efc

Sadly this didn't get assigned to Karolin correctly so wasn't merged to 4.2 while that was in non-security maintenance.