Created attachment 11090 [details] 0001-S4-dsdb-GC-LDAP-should-not-return-objects-from-Domai.patch Systems running "Windows Server 2008 R2 Foundation" joined as memberserver into a Samba 4.2 ADDS show this error popup: The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliant check cannot be completed, the server will automatically shut down in 9 day(s), 7 hour(s) 30 minute(s). The attached patch fixed this issue for us. Details about the patch can be found in the commit message. The corresponding client log entries exported from the MS Event Viewer are attached to the original posting https://lists.samba.org/archive/samba-technical/2015-February/105545.html , for the failure as well as for the success case. Since I didn't find detailed documentation about the behavior expected from a GC LDAP in this case (e.g. in [MS-ADTS]), my patch attempts to be very specific about the scope of the modified response to minimize collateral effects. Probably more research is required in this area, but the patch fixed the issue in the given case. This bug has been observed with 4.0.2-rc2 but the patch still applies to 4.2.1.
*** Bug 10175 has been marked as a duplicate of this bug. ***
As a note I've already started to implement a LDB_CONTROL_SEARCH_ALL_PARTITIONS_OID control. But I don't have time to finish it. Maybe someone can make use of some of the work I did in https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ldap https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=bb898b9f826a65d25531