Bug 15548 - samba-gpupdate --rsop fails if machine is not in a site
Summary: samba-gpupdate --rsop fails if machine is not in a site
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.19.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Depends on:
Reported: 2024-01-05 15:05 UTC by Andreas Schneider
Modified: 2024-02-19 10:47 UTC

See Also:

potential fix (2.36 KB, patch)
2024-01-05 15:50 UTC, David Mulder
no flags
patch for 4.19 (2.60 KB, patch)
2024-01-23 15:09 UTC, Andreas Schneider
asn: review? (dmulder)
pfilipensky: review+

Description Andreas Schneider 2024-01-05 15:05:45 UTC
If you install an AD DC with Certificate Server and then just join a domain member, samba-gpupdate doesn't work.

It fails to find the site name.

[root@ip-10-0-192-159 ~]# /usr/sbin/samba-gpupdate --rsop
Traceback (most recent call last):
  File "/usr/lib64/python3.9/site-packages/samba/gp/gpclass.py", line 764, in site_dn_for_machine
    site_name = c.netr_DsRGetSiteName(hostname)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/sbin/samba-gpupdate", line 131, in <module>
    rsop(lp, creds, store, gp_extensions, username, opts.target)
  File "/usr/lib64/python3.9/site-packages/samba/gp/gpclass.py", line 1041, in rsop
    gpos = get_gpo_list(dc_hostname, creds, lp, username)
  File "/usr/lib64/python3.9/site-packages/samba/gp/gpclass.py", line 869, in get_gpo_list
    site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username)
  File "/usr/lib64/python3.9/site-packages/samba/gp/gpclass.py", line 772, in site_dn_for_machine
    raise ldb.LdbError(ldb.ERR_NO_SUCH_OBJECT,
_ldb.LdbError: (32, 'site_dn_for_machine: no result')
signed SMB2 message (sign_algo_id=1)

Do you need to manually add it?
Should the code fall back to the default in this case?
The current situation is bad for a user, who will probably be clueless about what the issue is and what to do.
Comment 1 David Mulder 2024-01-05 15:13:13 UTC
Isn't this fixed by 4486d686f5c9404acc6fff7bc67432f14cac5800?
I think you just need to backport it.
Comment 2 David Mulder 2024-01-05 15:15:44 UTC
Oh, I see. It's failing in the fallback case.
Comment 3 Andreas Schneider 2024-01-05 15:18:39 UTC
Check the traceback from the description, the fallback code also fails!

I created an ldbsearch query from the filter of the fallback code:

ldbsearch -H ldap://ad.smb.com '(cn=ip10159)' --scope=sub -b 'cn=configuration,dc=smb,dc=com' dn

It doesn't return anything. If I change cn=ip10159 to cn=ad (the name of the DC) it works.
Comment 4 Andreas Schneider 2024-01-05 15:20:34 UTC
Aren't only DCs in the Site?

I can only see the DC in the Default-First-Site-Name and nothing else. Why would a machine be added there? Normally it is IP address based. If you are in range you get directed to that DC.
Comment 5 David Mulder 2024-01-05 15:22:22 UTC
(In reply to Andreas Schneider from comment #4)

Ah, I see I missed a step in the spec. [MS-GPOL] Site Search says:
"This procedure is skipped if Machine Role is equal to DsRole_RoleStandaloneWorkstation or DsRole_RoleStandaloneServer". So we shouldn't make this call unless it's called from a DC, IIUC.
Comment 6 David Mulder 2024-01-05 15:23:25 UTC
(In reply to David Mulder from comment #5)

What exactly does 'RoleStandalone' mean in this case?
Comment 7 David Mulder 2024-01-05 15:24:45 UTC
(In reply to David Mulder from comment #6)

Well, this tidbit is also important:
"If the method returns ERROR_NO_SITENAME, the remainder of this message MUST be skipped and the protocol sequence MUST continue at GPO Search (section ."

So, if we fail here, we should just skip linking GPOs by site.
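The skip rule quoted from [MS-GPOL] above can be shown as a small model of the GPO-list assembly. This is an added example and is not Samba's code or its gpclass.py logic; the SiteLookupError class, the Gpo record, the sample_site_lookup directory and build_gpo_list are all constructed here. It mirrors the situation from the thread (only the DC is registered in a site, the member is not) and shows that a failed site lookup should drop the site step and continue with the domain and OU search rather than propagate as an error:

```python
"""Added example (not Samba's code): treat a failed site-name lookup as
"no site" and skip site-linked GPOs, as [MS-GPOL] Site Search requires,
instead of aborting the whole GPO search.

Every name below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


class SiteLookupError(Exception):
    """Constructed stand-in for the RPC/LDB failure a site-name lookup can
    raise (the ERROR_NO_SITENAME / NT_STATUS_INVALID_COMPUTER_NAME results
    discussed in the thread)."""


@dataclass(frozen=True)
class Gpo:
    name: str
    link_scope: str   # "site", "domain" or "ou": the container the GPO is linked to
    link_target: str  # site name, domain DN or OU DN that carries the link


# Constructed sample directory: only the DC belongs to a site, matching the
# ldbsearch result in comment 3 (cn=ad is found, cn=ip10159 is not).
SAMPLE_SITES = {"ad": "Default-First-Site-Name"}


def sample_site_lookup(hostname: str) -> str:
    """Constructed lookup modelled on netr_DsRGetSiteName: raises for hosts
    that are not registered in any site."""
    try:
        return SAMPLE_SITES[hostname]
    except KeyError:
        raise SiteLookupError(f"no site for {hostname}") from None


def find_site(hostname: str, lookup: Callable[[str], str]) -> Optional[str]:
    """Return the site name, or None when the lookup fails.

    None signals "skip the site step of the GPO search"; it is an expected
    outcome for a plain domain member, not an error to surface to the user."""
    try:
        return lookup(hostname)
    except SiteLookupError:
        return None


def _dn_under(machine_dn: str, container_dn: str) -> bool:
    """True if machine_dn sits inside container_dn (component-boundary suffix match)."""
    return ("," + machine_dn.lower()).endswith("," + container_dn.lower())


def build_gpo_list(hostname: str, machine_dn: str, gpos: List[Gpo],
                   lookup: Callable[[str], str] = sample_site_lookup) -> List[Gpo]:
    """Select applicable GPOs in site -> domain -> OU order (local policy omitted).

    The site step is skipped entirely when no site name can be determined."""
    site = find_site(hostname, lookup)
    selected: List[Gpo] = []
    if site is not None:
        selected += [g for g in gpos if g.link_scope == "site" and g.link_target == site]
    for scope in ("domain", "ou"):
        selected += [g for g in gpos
                     if g.link_scope == scope and _dn_under(machine_dn, g.link_target)]
    return selected


# Constructed sample GPOs linked at site, domain and OU level.
SAMPLE_GPOS = [
    Gpo("Site Policy", "site", "Default-First-Site-Name"),
    Gpo("Default Domain Policy", "domain", "dc=smb,dc=com"),
    Gpo("Workstation Policy", "ou", "ou=workstations,dc=smb,dc=com"),
]


if __name__ == "__main__":
    # A domain member with no site: the site step is skipped, nothing is raised.
    member = build_gpo_list("ip10159", "cn=ip10159,ou=workstations,dc=smb,dc=com", SAMPLE_GPOS)
    print("member:", [g.name for g in member])
    # The DC, which is in a site, additionally receives the site-linked GPO.
    dc = build_gpo_list("ad", "cn=ad,ou=domain controllers,dc=smb,dc=com", SAMPLE_GPOS)
    print("dc:", [g.name for g in dc])
```

The point of the model is the `find_site` boundary: the RPC failure is translated into `None` at exactly one place, and the caller treats `None` as "no site-linked GPOs" rather than as a fatal condition, which is the behaviour the spec quote above asks for.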
Comment 8 Andreas Schneider 2024-01-05 15:28:26 UTC
Workstation could mean it is a Windows 10 workstation as a domain member, and server could mean it is a Windows Server as a domain member providing SMB. But I don't really know.

You would need to ask dochelp for a clarification.
Comment 9 Andreas Schneider 2024-01-05 15:30:31 UTC
Funny thing is that it returns WERR_INVALID_COMPUTERNAME which isn't documented :-)
Comment 10 David Mulder 2024-01-05 15:31:59 UTC
(In reply to Andreas Schneider from comment #9)

I'm writing to dochelp now (CC'ing you and cifs-protocol). Also I'm testing a potential fix, and will upload it here. We'll need more clarification from MS to fix this properly, I think.
Comment 11 David Mulder 2024-01-05 15:39:03 UTC
(In reply to Andreas Schneider from comment #9)

Is this a Samba server, or Windows? I don't want to ask them why we're getting the wrong error if it isn't even coming from a Windows server ;)
Comment 12 Denis Karpelevich 2024-01-05 15:44:36 UTC
(In reply to David Mulder from comment #11)
It's a Windows Server 2022
Comment 13 David Mulder 2024-01-05 15:50:20 UTC
Created attachment 18219
potential fix
Comment 14 Andreas Schneider 2024-01-05 18:48:52 UTC
Windows Server 2002

root@samba1:~# rpcclient ncacn_np:earth.milkyway.site -UAdministrator
rpcclient $> dsr_getsitename samba1
rpccli_netlogon_dsr_gesitename returned NT_STATUS_INVALID_COMPUTER_NAME

It obviously returns a different error than documented ...
Comment 15 Samba QA Contact 2024-01-23 11:21:03 UTC
This bug was referenced in samba master:

Comment 16 Andreas Schneider 2024-01-23 15:09:20 UTC
Created attachment 18234
patch for 4.19
Comment 17 Andreas Schneider 2024-01-26 10:03:50 UTC
Jule, please apply the patch to 4.19. Thanks!
Comment 18 Jule Anger 2024-01-29 10:43:26 UTC
Pushed to autobuild-v4-19-test.
Comment 19 Samba QA Contact 2024-01-29 12:00:13 UTC
This bug was referenced in samba v4-19-test:

Comment 20 Jule Anger 2024-01-29 12:06:27 UTC
Closing out bug report.

Comment 21 Samba QA Contact 2024-02-19 10:47:24 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.5):