- 'net ads join' can create the machine account at DC1
- the keytab_create code triggered by the join tries to read the KVNO from DC2 and fails with e.g.
  gensec_gse_client_prepare_ccache: Kinit for F0D26C71F6$@SAMBA.EXAMPLE.COM to access ldap/dc2.samba.example.com failed: Client not found in Kerberos database: NT_STATUS_LOGON_FAILURE

Fix will follow.
This bug was referenced in samba master: 5d2f60ae5aa96751b74901ae5384291ef338b152 36f6ac547c09f492d1dcab11570e8bcbd377cf26 5d1d3a8b568b5a07ed1ed537d20aa93820cecc14
Created attachment 18706: 4.22 patch
Created attachment 18707: 4.21 patch
Comment on attachment 18706 (4.22 patch): LGTM
Comment on attachment 18707 (4.21 patch): LGTM
Jule, please push to corresponding releases. Thank you!
@Pavel, should we also do 4.23 backport?
Created attachment 18710: 4.23 patch
Comment on attachment 18710 (4.23 patch): LGTM
Pushed to autobuild-v4-{23,22,21}-test.
This bug was referenced in samba v4-23-test: 65181b65b83f038e1f36ebfe094e17655fcf973d 5294b24f6e2df1906830638ab50b5967d546f765 5bbb682b0fc5852ef6ea21a7ee51b545481efc46
This bug was referenced in samba v4-22-test: b26cc594a1e4e787a98164ded77be7b2ef152cb9 0034b13f23ab9d16d62dbf0619e24233c520dae3 6ee4a2bfcbdd432687a96caab69914b8b92abdbd
This bug was referenced in samba v4-21-test: 393e35dca2bb83492c879c9d044f2505daef377b 015c3ef6c1040ca64d29ae95ade7cc8970929b25 d1a778414e178bb1a3495d391d6f55ab883e8903
Closing out bug report. Thanks!
This bug was referenced in samba v4-23-stable (Release samba-4.23.0): 65181b65b83f038e1f36ebfe094e17655fcf973d 5294b24f6e2df1906830638ab50b5967d546f765 5bbb682b0fc5852ef6ea21a7ee51b545481efc46
This bug was referenced in samba v4-22-stable (Release samba-4.22.6): b26cc594a1e4e787a98164ded77be7b2ef152cb9 0034b13f23ab9d16d62dbf0619e24233c520dae3 6ee4a2bfcbdd432687a96caab69914b8b92abdbd
This bug was referenced in samba v4-21-stable (Release samba-4.21.10): 393e35dca2bb83492c879c9d044f2505daef377b 015c3ef6c1040ca64d29ae95ade7cc8970929b25 d1a778414e178bb1a3495d391d6f55ab883e8903
One question: The test has "password server = $DC_SERVER", but the join happens against "$SERVER" via -S$SERVER. In the vampire_dc:member environment both are different. Also, the "leave" command runs without -S. A few test runs fail in the leave state, because the account did not replicate fast enough. Is there a reason for this behaviour?
One fix might be to add -S"$SERVER" to the "leave" line. Is that correct?
Commits 5d1d3a8 and 3459eeb were addressing problems with 'join', but missed the 'leave'.

During net ads join:
1. The machine account is created on a specific DC (e.g. localvampiredc when using -S).
2. Subsequent operations (keytab sync, etype updates, ...) must contact the same DC.
3. If they contact a different DC, the account might not be replicated yet.

The fixes ensured all operations during join use the same DC by:
- passing r->in.dc_name to sync_pw2keytabs()
- setting dns_lookup_kdc=false in krb5.conf to prevent Kerberos from picking a different DC

But the commits do not address the "quick join-leave cycle". If 'leave' contacts a different DC than join, and replication hasn't completed, it fails. Fix will follow.