Bug 4923 - Red X on domaincontroller symbol
Summary: Red X on domaincontroller symbol
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other (show other bugs)
Version: unspecified
Hardware: All All
: P3 minor (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Andrew Bartlett
Depends on:
Reported: 2007-08-27 10:27 UTC by Matthias Dieter Wallnöfer
Modified: 2008-10-07 07:42 UTC (History)
0 users

See Also:

A capture (26.30 KB, application/octet-stream)
2008-06-11 03:04 UTC, Matthias Dieter Wallnöfer
no flags Details
A simple patch adding the bits (1.75 KB, patch)
2008-06-19 04:10 UTC, Matthias Dieter Wallnöfer
no flags Details
An enhanced version of the patch (2.11 KB, patch)
2008-08-08 13:04 UTC, Matthias Dieter Wallnöfer
no flags Details
The enhanced torture testsuite (2.84 KB, patch)
2008-08-08 14:44 UTC, Matthias Dieter Wallnöfer
no flags Details
The final version of the CLDAP Netlogon patch (2.14 KB, patch)
2008-08-08 15:25 UTC, Matthias Dieter Wallnöfer
no flags Details
The enhanced torture testsuite (5.10 KB, patch)
2008-08-14 14:12 UTC, Matthias Dieter Wallnöfer
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Dieter Wallnöfer 2007-08-27 10:27:10 UTC
It is reproducible in the following way:
- Launch the computer administration MMC
- Change the workstation to the SAMBA machine (Right click - "Connect to other machine..."
- Then you see the red X

What do you think could that be?
Comment 1 Matthias Dieter Wallnöfer 2007-09-25 02:58:00 UTC
Andrew, have you any clues on that?
Comment 2 Matthias Dieter Wallnöfer 2007-11-08 11:16:06 UTC
Did you reproduce now this strange symbol?
Comment 3 Andrew Bartlett 2008-01-06 23:15:42 UTC
This (opening the computer management) works for me.   Some elements of the Computer Management tool don't work, but this is not particularly unexpected.  

Please file detailed bugs on each component.  Particularly useful would be a rationale on why to focus on a particular tool, to help us prioritize. 
Comment 4 Matthias Dieter Wallnöfer 2008-01-07 01:28:42 UTC
Maybe another easier way to reproduce the problem:
(please try it from a Windows domain member logged in with the domain administrator of a SAMBA 4 domain)

- Right click on "My Computers" icon and select "Management"
- Then you right click on the computer icon in top of the tree "Computer Management" and choose something like "Change workstation to administer"

Be sure that in the top of the dialog is selected "Global Catalog".
You should see the domain controller and the members, but the domain controller has a little red "X" in the lower-right corner.
Comment 5 Andrew Bartlett 2008-01-07 01:37:55 UTC
I can 'connect to another computer' fine.  It asks for a computer name, but the version I use doesn't give an opportunity to browse (only to possibly search using the normal search dialogs).

I'm running computer manager 5.1.2600.0 - perhaps different versions have different behaviors. 
Comment 6 Matthias Dieter Wallnöfer 2008-01-07 01:46:30 UTC
Interesting! I'll have to try to find another way to demonstrate you this problem. Maybe this has been changed after Windows 2000. You use Windows XP, I'm right?
Comment 7 Andrew Bartlett 2008-01-07 01:49:19 UTC
Yes, I've been testing on WinXP SP2 with the admin tools installed from the Win2k3 DVD.
Comment 8 Matthias Dieter Wallnöfer 2008-01-13 12:49:27 UTC
Yes, I saw now that the dialog in Windows XP changed.
Comment 9 Matthias Dieter Wallnöfer 2008-06-11 03:04:20 UTC
Created attachment 3342 [details]
A capture

I generated now a log about this. When I did this, I noticed a KERBEROS_RESPONSE_TOO_BIG error. Maybe that could be related to this issue?
Comment 10 Andrew Bartlett 2008-06-12 00:38:55 UTC
KERBEROS_RESPONSE_TOO_BIG is standard and perfectly normal
Comment 11 Matthias Dieter Wallnöfer 2008-06-12 05:10:27 UTC
I've studied now the netlogon attribute from the CLDAP request and have compared them with the table presented in the WSPP docs (http://msdn.microsoft.com/en-us/library/cc201036.aspx). The first two bytes seem to be correct, but that the third and fourth one is completely clear with SAMBA 4. But in the docs there are listed some flags.
Is this behaviour compatible with Windows 2k oder 2k3 Server and therefore the other bits were introduced later?
Comment 12 Matthias Dieter Wallnöfer 2008-06-19 04:10:55 UTC
Created attachment 3350 [details]
A simple patch adding the bits
Comment 13 Matthias Dieter Wallnöfer 2008-06-19 05:52:01 UTC
Unfortunately, the patch doesn't seem to change the behaviour of the Windows 2000 computer management console. But I'd apply it anyway to match as much as possible the Windows Server (maybe a blackbox test with it would be good, but I don't have one) behaviour.
Comment 14 Andrew Bartlett 2008-06-23 05:10:24 UTC
I don't like those bits being unconditional, and untested.

Can you please expand the CLDAP test to check this and the other flags for sanity, and don't assume we are always a forest root - it is easy enough to check if the root dn and domain DN are equal.  See ldb_get_root_basedn and ldb_get_default_basedn

Comment 15 Matthias Dieter Wallnöfer 2008-08-08 13:04:28 UTC
Created attachment 3460 [details]
An enhanced version of the patch

This version of the patch adds the bits, the right check for the forest root (following your last comment) and doesn't set the bit NBT_SERVER_DS_DNS_DOMAIN because I think we don't provide a "defaultNamingContext" attribute in the rootDSE object yet.
Comment 16 Matthias Dieter Wallnöfer 2008-08-08 14:44:15 UTC
Created attachment 3461 [details]
The enhanced torture testsuite
Comment 17 Matthias Dieter Wallnöfer 2008-08-08 15:25:18 UTC
Created attachment 3462 [details]
The final version of the CLDAP Netlogon patch

Naturally we provide also a "defaultNamingContext" (looking at "provision_rootdse_add.ldif"). Considering this the domain name is equal to the default naming context and we can set the flag.
Comment 18 Andrew Bartlett 2008-08-13 20:43:10 UTC
Sorry for the late reply.

The patch looks good, but the testsuite does not:

Just printing the flags won't help ensure this is correct - the testsuite needs to check for expected values.  Do a CLDAP search for the defaultNamingContext and rootDomainNamingContext and compare them in the torture code.  Then you can examine if the server set the flags correctly.
Comment 19 Matthias Dieter Wallnöfer 2008-08-14 14:12:54 UTC
Created attachment 3478 [details]
The enhanced torture testsuite

Improved testsuite following your latest comment.
Comment 20 Andrew Bartlett 2008-08-19 21:54:10 UTC
Nice work, applied!

Now to ponder the original bug :-)
Comment 21 Matthias Dieter Wallnöfer 2008-08-20 10:58:12 UTC
I don't see the checkin (SAMBA 4 main branch)!
Comment 22 Matthias Dieter Wallnöfer 2008-10-07 07:42:19 UTC
Also this has been fixed!