Bug 11006 - 'domain join' fails - 'drsuapi.DsBindInfoFallBack' has no attribute 'supported_extensions'
Summary: 'domain join' fails - 'drsuapi.DsBindInfoFallBack' has no attribute 'supporte...
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.1.14
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-12-14 04:00 UTC by James David Howard
Modified: 2015-03-13 08:22 UTC (History)
2 users (show)

See Also:

--debuglevel=10 transcript (15.77 KB, text/plain)
2014-12-14 04:00 UTC, James David Howard
no flags Details
Patches for v4-1-test (29.52 KB, patch)
2014-12-15 09:32 UTC, Stefan Metzmacher
abartlet: review+
Patches for v4-0-test (29.52 KB, patch)
2014-12-15 09:33 UTC, Stefan Metzmacher
metze: review? (abartlet)

Note You need to log in before you can comment on or make changes to this bug.
Description James David Howard 2014-12-14 04:00:35 UTC
Created attachment 10532 [details]
--debuglevel=10 transcript

Attempting to join existing Windows AD as 2nd AD/DC.  Windows AD/DC is 2012R2 domain named "jdh-19550516.local".  Prerequisites listed on Samba WiKi page "Joining an Domain as a DC" - including /etc/hosts, Kerberos kinit verification, DNS adjustments, avoidance of mDNS problems, and samba version checking - have all been done or 'passed'.

  # samba-tool domain join JDH-19550516.local DC -UAdministrator \
  > --realm=JDH-19550516.local --dns-backend=SAMBA_INTERNAL
on Fedora 21 x86_64 machine, running fresh-built and -installed 4.1.14. "Administrator" password accepted, then join fails with:
  Join failed - cleaning up
  checking sAMAccountName
  Deleted CN=DC-02,OU=Domain Controllers,DC=JDH-19550516,DC=local
  Deleted CN=DC-02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=JDH-19550516,DC=local
  ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'drsuapi.DsBindInfoFallBack' object has no attribute 'supported_extensions'
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
      return self.run(*args, **kwargs)
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 555, in run
      machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 1172, in join_DC
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 1075, in do_join
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 541, in join_add_objects
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 474, in join_add_ntdsdsa
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 384, in DsAddEntry
    File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/join.py", line 363, in drsuapi_connect
      (ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drs_DsBind(ctx.drsuapi)
  File "/opt/samba/4.1.14/lib64/python2.7/site-packages/samba/drs_utils.py", line 144, in drs_DsBind
    return (handle, info.info.supported_extensions)

A more detailed log of the failed domain join transcript attempted with --debuglevel=10 is attached.
Comment 1 Stefan Metzmacher 2014-12-15 09:32:16 UTC
I think this is already fixed in master and v4-2.
Comment 2 Stefan Metzmacher 2014-12-15 09:32:44 UTC
Created attachment 10542 [details]
Patches for v4-1-test
Comment 3 Stefan Metzmacher 2014-12-15 09:33:17 UTC
Created attachment 10543 [details]
Patches for v4-0-test
Comment 4 James David Howard 2014-12-15 22:31:32 UTC
I am rebuilding with patches now.

Question, if I may?  Is this something new that MSFT has done with the AD / DC of the 2012R2 (Windows 8.1 Server) code family?
Comment 5 James David Howard 2014-12-16 04:18:42 UTC
Upon building 4.1.14 with provided patches, I encountered the Domain and Forest operating level issue - Bugid # 10265.  I used the workaround in that bug report - downgrading the Forest and Domain functional levels to Win2k8R2 - to complete a join.

However, this thought comes to mind: If the Win2k12R2 AD is operating at this reduced level, would it have NOT presented RPC records of the kinds/sizes causing my original error in this bug report?

Because the 4.1.* family of Samba is likely to never support Domain and Forest levels Win2k12R2 (and Win2k12?), maybe the right "fix" for this bug is simply detecting the other DC is trying to communicate at an unsupported higher level, and refer the administrator to the Domain and Forest operating level downgrade procedure???
Comment 6 Andrew Bartlett 2015-01-02 20:03:30 UTC
Yes, this was a change made by Microsoft for Windows 2012.
Comment 7 Stefan Metzmacher 2015-01-03 23:30:15 UTC
Karolin, please pick for the next 4.1 release.

Andrew, can we also get this into the next 4.0 release?
Comment 8 Karolin Seeger 2015-01-06 20:29:34 UTC
(In reply to Stefan (metze) Metzmacher from comment #7)
Pushed to autobuild-v4-1-test.
Comment 9 Andrew Bartlett 2015-01-07 02:50:41 UTC
(In reply to Stefan (metze) Metzmacher from comment #7)
Should we be trying to enable 2012 with 4.0?  

If you actually ran the patches, and they work, I guess I'm OK, but I'm hesitant about setting expectations that we fix everything in every branch, even new features like 2012 support.
Comment 10 Karolin Seeger 2015-01-14 20:13:13 UTC
Pushed to v4-1-test.

Re-assigning to Andrew to decide if it can be closed now.
Comment 11 Stefan Metzmacher 2015-03-13 08:22:48 UTC
Andrew, net rpc vampire keytab will also fail because of this against a windows 2012* dc.

But 4.0 is in security patch mode now...