Bug 14021 - v4.8: 'samba-tool domain join dc' fails against Windows 2003 or 2008 (non-R2) DC
v4.8: 'samba-tool domain join dc' fails against Windows 2003 or 2008 (non-R2) DC
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.8.0
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-07-01 00:12 UTC by Tim Beale
Modified: 2019-08-06 07:53 UTC (History)
1 user (show)

See Also:


Attachments
Backport for v4.10 and v4.9 (2.43 KB, patch)
2019-07-05 01:27 UTC, Tim Beale
abartlet: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Beale 2019-07-01 00:12:45 UTC
Samba can no longer join to Windows 2003 or Windows 2008 (non-R2) DC. It hits an error like this:

Partition[CN=Configuration,DC=addom,DC=samba,DC=example,DC=com] objects[402/1618] linked_values[0/1]
Partition[CN=Configuration,DC=addom,DC=samba,DC=example,DC=com] objects[804/1618] linked_values[0/1]
Partition[CN=Configuration,DC=addom,DC=samba,DC=example,DC=com] objects[1206/1618] linked_values[0/1]
Partition[CN=Configuration,DC=addom,DC=samba,DC=example,DC=com] objects[1608/1618] linked_values[0/1]
Partition[CN=Configuration,DC=addom,DC=samba,DC=example,DC=com] objects[1618/1618] linked_values[32/32]
Failed to commit objects: DOS code 0x000021bf
Join failed - cleaning up
Wrong username or password: kinit for CLIENT$@ADDOM.SAMBA.EXAMPLE.COM failed (Preauthentication failed)

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Failed to connect to 'ldap://addc.addom.samba.example.com' with backend 'ldap': LDAP error 49 LDAP_INVALID_CREDENTIALS -  <8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1> <>
Deleted CN=CLIENT,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com
Deleted CN=NTDS Settings,CN=CLIENT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
Deleted CN=CLIENT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
ERROR(runtime): uncaught exception - (8639, "Failed to process 'chunk' of DRS replicated objects: DOS code 0x000021bf")
  File "bin/python/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "bin/python/samba/netcmd/domain.py", line 700, in run
    backend_store=backend_store)
  File "bin/python/samba/join.py", line 1540, in join_DC
    ctx.do_join()
  File "bin/python/samba/join.py", line 1434, in do_join
    ctx.join_replicate()
  File "bin/python/samba/join.py", line 970, in join_replicate
    replica_flags=ctx.replica_flags)
  File "bin/python/samba/drs_utils.py", line 356, in replicate
    raise e
  File "bin/python/samba/drs_utils.py", line 343, in replicate
    self.process_chunk(level, ctr, schema, req_level, req, first_chunk)
  File "bin/python/samba/drs_utils.py", line 237, in process_chunk
    schema=schema, req_level=req_level, req=req)

Seen a couple of times on the samba list, e.g.
https://lists.samba.org/archive/samba/2019-June/224008.html

Work-around is to downgrade to Samba v4.7 to do the join.

Can reproduce this problem manually on the samba codebase by making the change below and then trying to join the same DC twice (which triggers the GET_TGT case).

diff --git a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
index 7e2b617..44e0dc4 100644
--- a/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
+++ b/source4/rpc_server/drsuapi/dcesrv_drsuapi.c
@@ -230,7 +230,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 #if 0 /* we don't support XPRESS compression yet */
        supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_XPRESS_COMPRESS;
 #endif
-       supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10;
+       //supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V10;
 
        /*
         * There is a chance for r->in.bind_info == NULL
Comment 1 Tim Beale 2019-07-05 01:27:32 UTC
Created attachment 15289 [details]
Backport for v4.10 and v4.9
Comment 2 Andrew Bartlett 2019-07-05 01:49:04 UTC
Comment on attachment 15289 [details]
Backport for v4.10 and v4.9

Looks good to me.
Comment 3 Karolin Seeger 2019-07-08 11:43:29 UTC
(In reply to Andrew Bartlett from comment #2)
Pushed to autobuild-v4-{10,9}-test.
Comment 4 Karolin Seeger 2019-08-06 07:53:50 UTC
(In reply to Karolin Seeger from comment #3)
Pushed to both branches.
Closing out bug report.

Thanks!