Bug 12381 - cldap netlogon send fails when IPv6 disabled but DNS returns IPv6 addresses.
cldap netlogon send fails when IPv6 disabled but DNS returns IPv6 addresses.
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
unspecified
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-17 17:06 UTC by Jeremy Allison
Modified: 2016-10-25 07:55 UTC (History)
2 users (show)

See Also:


Attachments
git-am fix for master. (1.63 KB, patch)
2016-10-17 17:15 UTC, Jeremy Allison
no flags Details
git-am fix for master. (2.23 KB, patch)
2016-10-17 18:38 UTC, Jeremy Allison
no flags Details
git-am fix for 4.5.next, 4.4.next. (2.55 KB, patch)
2016-10-19 00:22 UTC, Jeremy Allison
slow: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2016-10-17 17:06:44 UTC
*Excellent* analysis from Rebecca Gellman <rebecca@starfleet-net.co.uk>:

So I did some digging into the source code, and I think I've found the
issue. Around line 120 of source3/libads/cldap.c:

for (i=0; i<num_servers; i++) {
  NTSTATUS status;

  status = cldap_socket_init(state->cldap,
    NULL, /* local_addr */
    state->servers[i],
    &state->cldap[i]);

  if (tevent_req_nterror(req, status)) {
    return tevent_req_post(req, ev);
  }

  /* Code omitted for brevity */

}

This is in cldap_multi_netlogon_send(), a function that sends CLDAP
requests to multiple DCs in one go. The loop here sets up a socket for
each DC. cldap_socket_init() in turn (possibly several calls deeper)
sets up the UDP socket, and calls connect() on it, which fails with
"Network unreachable". This bubbles up the chain and comes back to
cldap_multi_netlogon_send() as NT_STATUS_NETWORK_UNREACHABLE.

Note however the return from the function: it returns an error if *any*
of the servers queried returned an error, even if any of them succeeded.


In my case, even though server 0 (IPv4) succeeds, this call returns an
error because server 1 (IPv6) could not be reached.

To reiterate, this is in Samba 4.2.10, which ships with Debian 8
(Jessie), and occurs when running "net ads workgroup".
Comment 1 Jeremy Allison 2016-10-17 17:15:14 UTC
Created attachment 12584 [details]
git-am fix for master.
Comment 2 Jeremy Allison 2016-10-17 18:38:45 UTC
Created attachment 12585 [details]
git-am fix for master.
Comment 3 Jeremy Allison 2016-10-19 00:22:11 UTC
Created attachment 12591 [details]
git-am fix for 4.5.next, 4.4.next.

With cherry-pick from master info included. Ralph please review !
Comment 4 Ralph Böhme 2016-10-19 05:46:02 UTC
Reassigning to Karolin for inclusion in 4.4 and 4.5.
Comment 5 Karolin Seeger 2016-10-19 08:00:21 UTC
(In reply to Ralph Böhme from comment #4)
Pushed to autobuild-v4-{5,4}-test.
Comment 6 Karolin Seeger 2016-10-25 07:55:43 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!