Bug 12381 - cldap netlogon send fails when IPv6 disabled but DNS returns IPv6 addresses.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2016-10-17 17:06 UTC by Jeremy Allison
Modified: 2016-10-25 07:55 UTC

Attachments
git-am fix for master. (1.63 KB, patch)
2016-10-17 17:15 UTC, Jeremy Allison
git-am fix for master. (2.23 KB, patch)
2016-10-17 18:38 UTC, Jeremy Allison
git-am fix for 4.5.next, 4.4.next. (2.55 KB, patch)
2016-10-19 00:22 UTC, Jeremy Allison
slow: review+

Description Jeremy Allison 2016-10-17 17:06:44 UTC
*Excellent* analysis from Rebecca Gellman <rebecca@starfleet-net.co.uk>:

So I did some digging into the source code, and I think I've found the
issue. Around line 120 of source3/libads/cldap.c:

for (i=0; i<num_servers; i++) {
  NTSTATUS status;

  status = cldap_socket_init(state->cldap,
    NULL, /* local_addr */
    state->servers[i],
    &state->cldap[i]);

  if (tevent_req_nterror(req, status)) {
    return tevent_req_post(req, ev);
  }

  /* Code omitted for brevity */

}

This is in cldap_multi_netlogon_send(), a function that sends CLDAP
requests to multiple DCs in one go. The loop here sets up a socket for
each DC. cldap_socket_init() in turn (possibly several calls deeper)
sets up the UDP socket, and calls connect() on it, which fails with
"Network unreachable". This bubbles up the chain and comes back to
cldap_multi_netlogon_send() as NT_STATUS_NETWORK_UNREACHABLE.

Note however the return from the function: it returns an error if *any*
of the servers queried returned an error, even if any of them succeeded.


In my case, even though server 0 (IPv4) succeeds, this call returns an
error because server 1 (IPv6) could not be reached.

To reiterate, this is in Samba 4.2.10, which ships with Debian 8
(Jessie), and occurs when running "net ads workgroup".
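The failure mode analysed in the description above, reduced to a stand-alone C program (an added example, not Samba code and not the attached patch). The names `open_no_ipv6`, `setup_strict` and `setup_tolerant` are hypothetical, the addresses are constructed documentation-range values, and the opener simulates a host with IPv6 disabled so the result is reproducible.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
typedef int (*open_fn)(const char *addr);   /* returns an fd, or -errno */

/* Constructed stand-in for a host with IPv6 disabled; sends no packets. */
int open_no_ipv6(const char *addr)
{
    if (strchr(addr, ':') != NULL) return -ENETUNREACH;  /* IPv6 literal */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);             /* unconnected UDP */
    return fd < 0 ? -errno : fd;
}

/* Reported behaviour: the first socket that cannot be set up fails the batch. */
int setup_strict(const char *const *srv, size_t n, int *fds, open_fn op)
{
    for (size_t i = 0; i < n; i++) {
        fds[i] = op(srv[i]);
        if (fds[i] < 0) {
            int err = fds[i];
            while (i-- > 0) close(fds[i]);   /* release sockets that did open */
            return err;
        }
    }
    return 0;
}

/* Tolerant variant: returns the usable count, or the last -errno if none. */
int setup_tolerant(const char *const *srv, size_t n, int *fds, open_fn op)
{
    int usable = 0, last_err = -EINVAL;
    for (size_t i = 0; i < n; i++) {
        fds[i] = op(srv[i]);                 /* a failed slot keeps its -errno */
        if (fds[i] < 0) last_err = fds[i]; else usable++;
    }
    return usable > 0 ? usable : last_err;
}

int main(void)
{
    const char *const dcs[] = { "192.0.2.10", "2001:db8::10" };  /* constructed */
    int fds[2];
    printf("strict:   %d\n", setup_strict(dcs, 2, fds, open_no_ipv6));
    printf("tolerant: %d\n", setup_tolerant(dcs, 2, fds, open_no_ipv6));
    return 0;
}
```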
Comment 1 Jeremy Allison 2016-10-17 17:15:14 UTC
Created attachment 12584
git-am fix for master.
Comment 2 Jeremy Allison 2016-10-17 18:38:45 UTC
Created attachment 12585
git-am fix for master.
Comment 3 Jeremy Allison 2016-10-19 00:22:11 UTC
Created attachment 12591
git-am fix for 4.5.next, 4.4.next.

With cherry-pick from master info included. Ralph, please review!
Comment 4 Ralph Böhme 2016-10-19 05:46:02 UTC
Reassigning to Karolin for inclusion in 4.4 and 4.5.
Comment 5 Karolin Seeger 2016-10-19 08:00:21 UTC
(In reply to Ralph Böhme from comment #4)
Pushed to autobuild-v4-{5,4}-test.
Comment 6 Karolin Seeger 2016-10-25 07:55:43 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!