When joining a domain with multiple DCs, we need to deal with the situation that the machine account is created using LDAP at one of the DCs and there is a window until the account is replicated to the other DCs. The fix in https://bugzilla.samba.org/show_bug.cgi?id=15905 makes sure that the keytab code calls ads_init() with a particular DC (the one which was used for creating the machine account). However, there are two more calls during libnet_Join() that might talk to a DC, and we must make sure that it is the right DC:
libnet_join_post_processing_ads_modify() (etype update)
libnet_join_post_verify() (domain membership verification)
The fix will follow.
Fix in progress: https://gitlab.com/samba-team/samba/-/merge_requests/4435
This bug was referenced in samba master: a6938e9fdf59094da359637eb1f7e847a531ba2e 689f9d49c3715240a28d9d898c6b83be4ee18971 3459eeb20ea54f4f412ec3d1fe3d9e98b94e1ca4
Created attachment 18952: 4.24 patch
Comment on attachment 18952 (4.24 patch): lgtm
Björn, please include that patch.
This bug was referenced in samba v4-24-test: 7fc82a5945729c53769417d7f67dc4d5a941bf00 932b05ae0e2b36189435ef80ecaa0d21949003fe 69d016d34b6aff281ff0482713ba73bf5adb7073
This bug was referenced in samba v4-24-stable (Release samba-4.24.2): 7fc82a5945729c53769417d7f67dc4d5a941bf00 932b05ae0e2b36189435ef80ecaa0d21949003fe 69d016d34b6aff281ff0482713ba73bf5adb7073