Bug 13079 - Can't change password in samba from a windows client if samba runs on ipv6 only interface.
Summary: Can't change password in samba from a windows client if samba runs on ipv6 on...
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Build (show other bugs)
Version: 4.6.8
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-10-10 09:24 UTC by Michael Alzheimer
Modified: 2017-11-01 08:57 UTC (History)
2 users (show)

See Also:

HAVE_IPV6 Patch for krb5_samba.c (940 bytes, patch)
2017-10-10 09:24 UTC, Michael Alzheimer
no flags Details
config.log of build process. (284.62 KB, application/gzip)
2017-10-11 06:33 UTC, Michael Alzheimer
no flags Details
git-am fix for 4.7.next, 4.6.next. (2.50 KB, patch)
2017-10-13 00:11 UTC, Jeremy Allison
jra: review? (metze)
bjacke: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Alzheimer 2017-10-10 09:24:33 UTC
Created attachment 13673 [details]
HAVE_IPV6 Patch for krb5_samba.c


during upgrading our whole system to ipv6, latest samba AD ( 3 DCs ) Version 4.6.8 and windows 10 clients i noticed the problem, that users are unable to change their password in the AD Domain from a Windows Client.

The samba DCs run on a ipv6 address (interfaces = 2a00:xxx:xxx::9; bind interfaces only = Yes). So does the Clients.
It is compiled by ourself in a custom sbuild environment. We took the 4.6.7 artful debian package and build a backport for 4.6.8 with xenial. (and of course the dependency packages: cmocka, talloc, tdb, tevent, ldb)
For digging into the bug it was compiled by standard configure mechanism on a latest xenial ubuntu with all packages updated.

During password change the windows clients always says that the domain is currently unavailable. (Login, joining, everything else works, only password changing does not)

After digging into it i found the problem in the krb5_samba.c file, Line150 and 183. The Part with "#if defined(HAVE_IPV6) && defined(KRB5_ADDRESS_INET6)" is not compiled. It pointed out that HAVE_IPV6 is set, but KRB5_ADDRESS_INET6 seems not to be set during compile time.

Our - i guess dirty - solution was, to add a patch "99_xx.diff" (see below):
With this patch we were able to build the 4.6.8 Samba on xenial as ubuntu package as well as standard configure way, and the clients are able to change their password now. - So, everything works now as expected.
Comment 1 Jeremy Allison 2017-10-11 00:36:39 UTC
Are you building this with the embedded heimdal, or with MIT kerberos ?
Comment 2 Michael Alzheimer 2017-10-11 06:31:46 UTC

it should be heimdal. From the debian build system it is configured with this command:

/usr/bin/python2.7 ./buildtools/bin/waf -v configure --prefix=/usr --enable-fhs --sysconfdir=/etc --localstatedir=/var --libexecdir=/usr/lib/x86_64-linux-gnu --with-privatedir=/var/lib/samba/private --with-smbpasswd-file=/etc/samba/smbpasswd --with-piddir=/var/run/samba --with-pammodulesdir=/lib/x86_64-linux-gnu/security --with-pam --with-syslog --with-utmp --with-winbind --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2,vfs_dfs_samba4,auth_samba4 --with-automount --with-ldap --with-ads --with-dnsupdate --with-gpgme --libdir=/usr/lib/x86_64-linux-gnu --with-modulesdir=/usr/lib/x86_64-linux-gnu/samba --datadir=/usr/share --with-lockdir=/var/run/samba --with-statedir=/var/lib/samba --with-cachedir=/var/cache/samba --enable-avahi --disable-rpath --disable-rpath-install --bundled-libraries=NONE,pytevent,iniparser,roken,wind,hx509,asn1,heimbase,hcrypto,krb5,gssapi,heimntlm,hdb,kdc,com_err,compile_et,asn1_compile --builtin-libraries=replace,ccan,samba-cluster-support --minimum-library-version="" --with-cluster-support --with-socketpath=/var/run/ctdb/ctdbd.socket --with-logdir=/var/log/ctdb --with-systemd

I'll attach also the config.log.
Comment 3 Michael Alzheimer 2017-10-11 06:33:02 UTC
Created attachment 13678 [details]
config.log of build process.
Comment 4 Jeremy Allison 2017-10-13 00:11:01 UTC
Created attachment 13682 [details]
git-am fix for 4.7.next, 4.6.next.

Cherry-pick from master.
Comment 5 Jeremy Allison 2017-10-13 21:45:09 UTC
Re-assigning to Kaolin for inclusion in 4.7.x, 4.6.x.
Comment 6 Karolin Seeger 2017-10-24 10:58:19 UTC
(In reply to Jeremy Allison from comment #5)
Pushed to autobuild-v4-{7,6}-test.
Comment 7 Karolin Seeger 2017-11-01 08:57:16 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to both branches.
Closing out bug report.