Bug 6870 - Samba 3.4 ADS support broken on ipv6
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: Domain Control
Version: 3.4.2
Hardware: x86 Windows NT
Importance: P3 normal
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2009-11-04 11:50 UTC by Pim Zandbergen
Modified: 2010-11-04 04:57 UTC

Attachments
level 10 debug with ipv6 enabled (22.82 KB, text/plain), 2009-11-05 10:06 UTC, Pim Zandbergen
level 10 debug with ipv6 disabled (12.35 KB, text/plain), 2009-11-05 10:08 UTC, Pim Zandbergen
/etc/krb5.conf (528 bytes, text/plain), 2009-11-06 04:10 UTC, Pim Zandbergen
Wireshark trace of net ads testjoin on Samba 3.4.1 (1.75 KB, application/cap), 2009-11-30 02:48 UTC, Kai Blin
Wireshark trace of net ads testjoin on Samba branch master (15.16 KB, application/cap), 2009-11-30 02:54 UTC, Kai Blin

Description Pim Zandbergen 2009-11-04 11:50:21 UTC
On an ipv4/ipv6 network, where the DNS server resolves hostnames both
to ipv4 and ipv6 addresses, Samba does not fall back to ipv4 if an ipv6
LDAP connection to a Windows Active Directory server fails.

This results in Samba being unable to find the logon server in a domain.

More specifically, after upgrading Samba 3.2 to Samba 3.4, the command

  net ads testjoin -S dc

fails with error message

  [2009/11/04 14:29:47,  0] utils/net_ads.c:279(ads_startup_int)
  ads_connect: No logon servers
  Join to domain is not valid: No logon servers

Here, "dc" resolves to both ipv4 and ipv6 addresses
of an ipv6 enabled Windows 2003 Server. Windows 2003 Server
does support ipv6, but its AD LDAP service does not.

Samba should retry the connection using ipv4 but does not.

The workaround is to remove the AAAA record for the
Windows 2003 Server's DNS hostname, making it unable
to be found over ipv6.
Comment 1 Jeremy Allison 2009-11-04 14:41:05 UTC
We should already be doing this (check out the loop inside ads_find_dc() which enumerates through all IP addresses returned).

Can you append a debug level 10 log from this command please?

Jeremy.
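
The behaviour asked for in the description and referred to in comment 1 (walking every address a hostname resolves to until one accepts the connection), as an added C example that is not Samba's code and not part of the thread. `struct candidate`, `connect_any` and `demo_family` are hypothetical names, and the candidates are constructed loopback addresses standing in for a DC's AAAA and A records.

```c
/* Added example (not Samba source): try each resolved address in turn. */
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct candidate { struct sockaddr_storage ss; socklen_t len; };

/* Return a connected fd and set *used to the index that worked, or -1. */
int connect_any(const struct candidate *c, int n, int *used)
{
    for (int i = 0; i < n; i++) {
        int fd = socket(c[i].ss.ss_family, SOCK_STREAM, 0);
        if (fd < 0)
            continue;              /* address family unavailable: next */
        if (connect(fd, (const struct sockaddr *)&c[i].ss, c[i].len) == 0) {
            *used = i;
            return fd;
        }
        close(fd);                 /* refused or unreachable: next */
    }
    return -1;
}

/* Constructed scenario: a listener on 127.0.0.1 only (service answers on IPv4,
 * not IPv6). Candidates are [::1, 127.0.0.1]; returns the family used or -1. */
int demo_family(int n)
{
    struct candidate c[2];
    struct sockaddr_in v4 = { .sin_family = AF_INET };
    struct sockaddr_in6 v6 = { .sin6_family = AF_INET6 };
    socklen_t len = sizeof v4;
    int used = -1, fam = -1, fd, lfd = socket(AF_INET, SOCK_STREAM, 0);
    v4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks */
    v6.sin6_addr = in6addr_loopback;
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&v4, sizeof v4) < 0 ||
        listen(lfd, 1) < 0 || getsockname(lfd, (struct sockaddr *)&v4, &len) < 0)
        return -1;
    v6.sin6_port = v4.sin_port;                    /* same port, no v6 listener */
    memset(c, 0, sizeof c);
    memcpy(&c[0].ss, &v6, sizeof v6); c[0].len = sizeof v6;
    memcpy(&c[1].ss, &v4, sizeof v4); c[1].len = sizeof v4;
    fd = connect_any(c, n, &used);
    if (fd >= 0) { fam = c[used].ss.ss_family; close(fd); }
    close(lfd);
    return fam;
}

int main(void) { return demo_family(2) == AF_INET ? 0 : 1; }
```

The blocking `connect()` is enough for a refused port; an address that silently drops packets would need a non-blocking connect with a timeout before moving on to the next candidate.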
Comment 2 Pim Zandbergen 2009-11-05 10:06:10 UTC
Created attachment 4919
level 10 debug with ipv6 enabled

This is standard output and standard error of command
net -d 10 ads testjoin -S degas
where the hostnames of DC's "degas" and "dou"
resolve to ipv4 and ipv6 addresses
Comment 3 Pim Zandbergen 2009-11-05 10:08:02 UTC
Created attachment 4920
level 10 debug with ipv6 disabled

This is standard output and standard error of command
net -d 10 ads testjoin -S degas
where the hostnames of DC's "degas" and "dou"
resolve to ipv4 addresses only
Comment 4 Pim Zandbergen 2009-11-06 04:10:37 UTC
Created attachment 4922
/etc/krb5.conf

It may be related that my krb5.conf is configured to find the DC's dynamically.
See attachment
Comment 5 Pim Zandbergen 2009-11-26 04:30:32 UTC
I introduced a new Windows 2008 Domain Controller into the domain.
This server is advertised both with ipv4 and ipv6 addresses.

Samba does not show the problem with this server, as
Windows 2008 supports ipv6 on all AD services.

So this problem seems limited to Windows 2003 AD servers.
Comment 6 Kai Blin 2009-11-30 01:03:14 UTC
Jeremy, I see the same behavior on my Win2k3 AD at home. I traced this in wireshark a while ago and iirc, it seems like our retry-on-ipv4 logic only works some of the time. I'll go get you a wireshark trace, and I'll add a trace of an IPv6-aware Windows client as well.
Sorry I forgot to report that before, I stumbled over this while hunting a different bug and worked around it and subsequently forgot about the IPv6 issue.

Pim, a faster workaround is to briefly disable IPv6 networking on the Win2k3 server's network settings, that way you don't need to fudge with your name server settings.
Comment 7 Kai Blin 2009-11-30 02:48:17 UTC
Created attachment 5021
Wireshark trace of net ads testjoin on Samba 3.4.1

This is the wireshark trace when trying to net ads testjoin from Samba 3.4
Comment 8 Kai Blin 2009-11-30 02:54:35 UTC
Created attachment 5022
Wireshark trace of net ads testjoin on Samba branch master

As it turns out, this is fixed in master.
Comment 9 Kai Blin 2009-12-08 08:06:12 UTC
Ok, just tested with today's git v3-5-test and it seems to be fixed there as well.
Comment 10 Pim Zandbergen 2010-01-22 10:33:27 UTC
Can I assume this is now fixed in 3.4.5?
Comment 11 Jeremy Allison 2010-01-25 19:17:10 UTC
Please test 3.4.5 and report. If not I'll look into what needs back-porting to fix this issue.

Jeremy.
Comment 12 Pim Zandbergen 2010-01-28 15:11:21 UTC
Fedora recently made 3.4.5-53.fc12 available as an rpm.
Unfortunately this version does not fix the issue.
Comment 13 Pim Zandbergen 2010-11-04 04:57:31 UTC
This issue has been fixed in Samba 3.5.