On an ipv4/ipv6 network, where the DNS server resolves hostnames both to ipv4 and ipv6 addresses, Samba does not fall back to ipv4 if an ipv6 LDAP connection to a Windows Active Directory server fails. This results in Samba being unable to find the logon server in a domain.

More specifically, after upgrading Samba 3.2 to Samba 3.4, the command

    net ads testjoin -S dc

fails with error message

    [2009/11/04 14:29:47, 0] utils/net_ads.c:279(ads_startup_int)
      ads_connect: No logon servers
    Join to domain is not valid: No logon servers

Here, "dc" resolves to both ipv4 and ipv6 addresses of an ipv6 enabled Windows 2003 Server. Windows 2003 Server does support ipv6, but its AD LDAP service does not. Samba should retry the connection using ipv4 but does not.

The workaround is to remove the AAAA record for the Windows 2003 Server's DNS hostname, making it impossible to find over ipv6.
We should already be doing this (check out the loop inside ads_find_dc() which enumerates through all IP addresses returned). Can you append a debug level 10 log from this command please?

Jeremy.
Created attachment 4919: level 10 debug with ipv6 enabled

This is standard output and standard error of command

    net -d 10 ads testjoin -S degas

where the hostnames of DCs "degas" and "dou" resolve to ipv4 and ipv6 addresses.
Created attachment 4920: level 10 debug with ipv6 disabled

This is standard output and standard error of command

    net -d 10 ads testjoin -S degas

where the hostnames of DCs "degas" and "dou" resolve to ipv4 addresses only.
Created attachment 4922: /etc/krb5.conf

It may be related that my krb5.conf is configured to find the DCs dynamically. See attachment.
I introduced a new Windows 2008 Domain Controller into the domain. This server is advertised both with ipv4 and ipv6 addresses. Samba does not show the problem with this server, as Windows 2008 supports ipv6 on all AD services. So this problem seems limited to Windows 2003 AD servers.
Jeremy, I see the same behavior on my Win2k3 AD at home. I traced this in wireshark a while ago and iirc, it seems like our retry-on-ipv4 logic only works some of the time. I'll go get you a wireshark trace, and I'll add a trace of an IPv6-aware Windows client as well. Sorry I forgot to report that before, I stumbled over this while hunting a different bug and worked around it and subsequently forgot about the IPv6 issue.

Pim, a faster workaround is to briefly disable IPv6 networking on the Win2k3 server's network settings, that way you don't need to fudge with your name server settings.
Created attachment 5021: Wireshark trace of net ads testjoin on Samba 3.4.1

This is the wireshark trace when trying to net ads testjoin from Samba 3.4
Created attachment 5022: Wireshark trace of net ads testjoin on Samba branch master

As it turns out, this is fixed in master.
Ok, just tested with today's git v3-5-test and it seems to be fixed there as well.
Can I assume this is now fixed in 3.4.5?
Please test 3.4.5 and report. If not I'll look into what needs back-porting to fix this issue.

Jeremy.
Fedora recently made 3.4.5-53.fc12 available as an rpm. Unfortunately this version does not fix the issue.
This issue has been fixed in Samba 3.5.
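The fallback behaviour discussed in this report, as an added example that is not Samba's code and not part of the original thread: try every address a name resolved to, and move on to the next one when a connection fails. The names `connect_first_usable` and `demo_fallback` are hypothetical, and the loopback listener is a constructed stand-in for a server whose service answers on IPv4 only.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try each resolved address in order; return the first socket that connects
 * and store its index in *used (-1 if none). Blocking connect() keeps this
 * short; production code would add a per-address timeout. */
int connect_first_usable(const struct sockaddr_storage *addrs, int n, int *used)
{
    for (int i = 0; i < n; i++) {
        socklen_t len = addrs[i].ss_family == AF_INET6
            ? sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in);
        int fd = socket(addrs[i].ss_family, SOCK_STREAM, 0);
        if (fd < 0)
            continue;               /* address family unavailable: try next */
        if (connect(fd, (const struct sockaddr *)&addrs[i], len) == 0) {
            *used = i;
            return fd;
        }
        close(fd);                  /* refused or unreachable: fall back */
    }
    *used = -1;
    return -1;
}
/* Constructed scenario: a listener on IPv4 loopback only, with a candidate
 * list that puts the IPv6 address first, as a dual A/AAAA lookup can. */
int demo_fallback(void)
{
    struct sockaddr_in v4 = { .sin_family = AF_INET };
    struct sockaddr_in6 v6 = { .sin6_family = AF_INET6,
                               .sin6_addr = IN6ADDR_LOOPBACK_INIT };
    struct sockaddr_storage cand[2];
    socklen_t len = sizeof(v4);
    int used, fd, srv = socket(AF_INET, SOCK_STREAM, 0);
    v4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);    /* port 0: kernel picks */
    if (srv < 0 || bind(srv, (struct sockaddr *)&v4, sizeof(v4)) < 0 ||
        listen(srv, 1) < 0 || getsockname(srv, (struct sockaddr *)&v4, &len) < 0)
        return -2;                                  /* could not set up listener */
    v6.sin6_port = v4.sin_port;                     /* same port, no IPv6 listener */
    memset(cand, 0, sizeof(cand));
    memcpy(&cand[0], &v6, sizeof(v6));
    memcpy(&cand[1], &v4, sizeof(v4));
    fd = connect_first_usable(cand, 2, &used);
    if (fd >= 0) close(fd);
    close(srv);
    return used;                                    /* 1 means the IPv4 entry */
}
int main(void) { return demo_fallback() == 1 ? 0 : 1; }
```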