Bug 9959 - Windows client join fails if a second container CN=System exists somewhere
Summary: Windows client join fails if a second container CN=System exists somewhere
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.13.4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-18 18:37 UTC by Arvid Requate
Modified: 2023-09-07 09:03 UTC (History)
4 users (show)

See Also:

Attachments
log.samba.gz (158.34 KB, application/x-gzip)
2013-06-18 18:37 UTC, Arvid Requate 		no flags Details
testCase.py (2.13 KB, text/plain)
2013-06-18 18:38 UTC, Arvid Requate 		no flags Details
0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch (2.79 KB, patch)
2013-06-18 18:41 UTC, Arvid Requate 		no flags Details
Bug-9959-master.patch (14.31 KB, patch)
2016-08-27 13:51 UTC, Arvid Requate 		no flags Details
Bug-9959-v4-4-stable.patch (14.31 KB, patch)
2016-08-27 13:52 UTC, Arvid Requate 		no flags Details
Bug-9959-v4-3-stable.patch (8.33 KB, patch)
2016-08-27 13:52 UTC, Arvid Requate 		no flags Details
Bug-9959-v4-6-rc2.patch (14.33 KB, patch)
2017-01-31 12:40 UTC, Arvid Requate 		no flags Details
Patch in master backported to Samba 4.19 (25.06 KB, patch)
2023-07-31 09:00 UTC, Andrew Bartlett 		metze: review+
Details
Patch in master backported to Samba 4.18 (25.06 KB, patch)
2023-07-31 09:01 UTC, Andrew Bartlett 		metze: review+
Details
Patch in master backported to Samba 4.17 (25.06 KB, patch)
2023-07-31 09:03 UTC, Andrew Bartlett 		metze: review+
Details
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate 2013-06-18 18:37:44 UTC 
Created attachment 8981 [details]
log.samba.gz

lsa_QueryInfoPolicy fails with NT_STATUS_NO_SUCH_DOMAIN if a second "CN=System" container exists.
Comment 1 Arvid Requate 2013-06-18 18:38:16 UTC 
Created attachment 8982 [details]
testCase.py
Comment 2 Arvid Requate 2013-06-18 18:41:04 UTC 
Created attachment 8983 [details]
0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch

E.g. search '(&(objectClass=container)(cn=system)(isCriticalSystemObject=True))'
Comment 3 Henning Becker (dead mail address) 2015-03-11 19:24:24 UTC 
Confirmed.
It almost took me a day to figure this out.
Besides joining also login is affected on W2008/2012 machines.
Comment 4 Arvid Requate 2016-08-11 10:48:52 UTC 
Please consider the supplied patch for merge.

We just had this again with samba 4.3.7, took a new colleague another day digging though network traces. For the record, these are the parts of log.samba characteristic for this situation:

=============================================================================
[2016/08/10 15:00:50.317533,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          in: struct netr_DsrEnumerateDomainTrusts
              server_name              : *
                  server_name              : '\\somedc.domain.local'
              trust_flags              : 0x0000003f (63)
                     1: NETR_TRUST_FLAG_IN_FOREST
                     1: NETR_TRUST_FLAG_OUTBOUND 
                     1: NETR_TRUST_FLAG_TREEROOT 
                     1: NETR_TRUST_FLAG_PRIMARY  
                     1: NETR_TRUST_FLAG_NATIVE   
                     1: NETR_TRUST_FLAG_INBOUND  
                     0: NETR_TRUST_FLAG_MIT_KRB5 
                     0: NETR_TRUST_FLAG_AES
[...]
[2016/08/10 15:00:50.329686, 10, pid=25834, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=domain,DC=local
   scope: sub
   expr: (&(objectClass=container)(cn=System))
   attr: <ALL>
   control: <NONE>
[...]
[2016/08/10 15:00:50.331385,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          out: struct netr_DsrEnumerateDomainTrusts
              trusts                   : *
                  trusts: struct netr_DomainTrustList
                      count                    : 0x00000000 (0)
                      array                    : NULL
              result                   : WERR_GENERAL_FAILURE
=============================================================================
Comment 5 Stefan Metzmacher 2016-08-11 12:50:52 UTC 
(In reply to Arvid Requate from comment #4)
Hi Arvid,

I'd like to use CN=System,$DEFAULT_DN, instead
of doing a search.

We're using ldb_dn_add_child_fmt(system_dn, "CN=System");
in a few places already. See dsdb_trust_search_tdo[s]().

Can you provide an updated patches?
One for each subdirectory? Also remember
we have two backupkey implementations now.
Comment 6 Arvid Requate 2016-08-27 13:51:15 UTC 
Created attachment 12413 [details]
Bug-9959-master.patch

Patch set for master
Comment 7 Arvid Requate 2016-08-27 13:52:15 UTC 
Created attachment 12414 [details]
Bug-9959-v4-4-stable.patch

Patch set for v4.4-stable
Comment 8 Arvid Requate 2016-08-27 13:52:57 UTC 
Created attachment 12415 [details]
Bug-9959-v4-3-stable.patch

Patch set for v4.3-stable
Comment 9 Arvid Requate 2017-01-31 12:40:53 UTC 
Created attachment 12884 [details]
Bug-9959-v4-6-rc2.patch

Updated patch.
Comment 10 Björn Jacke 2021-02-05 20:27:11 UTC 
Ideally I think this fix should actually not be needed because a second container called system should actually be forbidden be be created, see bug 14225.
Comment 11 Arvid Requate 2021-02-05 20:52:01 UTC 
Well, I don't know if things improved since reporting this bug, but at that time I experienced this issue.

With 4.13.4 the test case (fixed for py3) doesn't show the issue any longer, apparently, two cn=system containers don't cause the issue downstream any longer:

root@machine:~# python3 testCase.py 
===========================
Running lsa_QueryInfoPolicy
Domain NetBios Name: DOM
Domain Sid: S-1-5-21-2196904195-2995300023-2286668795
===========================
Creating container cn=system,cn=users,DC=dom,DC=tld
===========================
Running lsa_QueryInfoPolicy again
Domain NetBios Name: DOM
Domain Sid: S-1-5-21-2196904195-2995300023-2286668795
===========================
Removing container cn=system,cn=users,DC=dom,DC=tld


Yet, this shows that nothing prevents me from creating a container named system, nor a user for that matter:

root@machine:~# samba-tool user create System Testpassword.1
User 'System' created successfully
root@machine:~# ldbsearch -H /var/lib/samba/private/sam.ldb \
                          --controls=domain_scope:1 cn=system 1.1
# record 1
dn: CN=System,CN=Users,DC=dom,DC=tld

# record 2
dn: CN=System,DC=dom,DC=tld

# returned 2 records
# 2 entries
# 0 referrals

Which may also conflict with the list of reserved words documented in https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
Comment 12 Andrew Bartlett 2023-07-27 05:22:16 UTC 
I have included and built on these patches at https://gitlab.com/samba-team/samba/-/merge_requests/3198

I am so sorry this has taken so long to be addressed.
Comment 13 Samba QA Contact 2023-07-31 07:21:05 UTC 
This bug was referenced in samba master:

b6e80733c3a589f9d784eec86fc713f1ec9c1049
2d461844a201fbca55ebc9a46a15e1d16048055b
25b0e1102e1a502152d2695aeddf7c65555b16fb
97b682e0eb0450513dcecb74be672e18e84fe7a2
3669caa97f76d3e893ac6a1ab88341057929ee6a
4e18066fa243da1c505f782ba87187c3bb1078ee
a900f6aa5d909d912ee3ca529baa4047c9c4da87
13eed1e0e7d0bdef6b5cdb6b858f124b812adbea
9b4f3f3cb4ed17bb233d3b5ccd191be63f01f3f4
4250d07e4dcd43bf7450b1ae603ff46fdc892d02
Comment 14 Andrew Bartlett 2023-07-31 09:00:35 UTC 
Created attachment 18014 [details]
Patch in master backported to Samba 4.19
Comment 15 Andrew Bartlett 2023-07-31 09:01:31 UTC 
Created attachment 18015 [details]
Patch in master backported to Samba 4.18
Comment 16 Andrew Bartlett 2023-07-31 09:03:14 UTC 
Created attachment 18016 [details]
Patch in master backported to Samba 4.17
Comment 17 Andrew Bartlett 2023-07-31 19:51:12 UTC 
Assigning to Jule for next supported releases.
Comment 18 Jule Anger 2023-08-01 06:53:54 UTC 
Pushed to autobuild-v4-{19,18,17}-test.
Comment 19 Samba QA Contact 2023-08-01 10:58:04 UTC 
This bug was referenced in samba v4-18-test:

3b3b92f56bf209ae3997a89481a6b30c8fbac853
364730e9dc6e6baad082ce63ba227ea310865662
c14fbf24d9600755b3a95cacedc1726e879a036c
820752e377719efe7e0ab14bcc74c16ee79cf918
8e45b202caed2635a17b79d9df85d8e66169ed09
3270419407da4253c299f4fb34e1d588b0d8c7c1
c35953103f31b6b6a9534192cf29fb67fe5fa001
ae64a438b708c5b211cf96949b89d91ab2297ed6
5f908aef367494fb6b8939f9bd4f7dbc6d3f3690
da03582f30a629bf46dcb2fc5a9e7ecccb9e7a1e
Comment 20 Samba QA Contact 2023-08-01 10:58:12 UTC 
This bug was referenced in samba v4-17-test:

517339b17553eeaa0b95b44237899d381896de68
7112efed3d40b9220bf0d32e93d4de099565743e
bac861ed27fb4dc49a6defa3e26f0ea29b6dda4f
d3c4dd68a0db924879d1f5c53fff7e511530fca2
30c14e87e2b66dd2ec4f09097394e5179c50411f
cabc229210d6af37a3250c396c7b112605898e43
0d6bc07a57252ea380e13df84bcb50e8ae23b3c9
558834c3e1323563a939386e52614ada0b3ec969
ecbba6aec277ba72e3ad0990c9ac6e0a291b0162
dc74e3e94704ce4a28a0adb8102f71abb723fae1
Comment 21 Samba QA Contact 2023-08-01 12:13:04 UTC 
This bug was referenced in samba v4-19-test:

b4f10979d860606c9b412e35d5a135835526dfac
e5ea3562b394702f01777889b17aa8cd4b0619cb
37094ba8e53b157dfc5571c88eaf25cb8c619bce
3493671ce743ec42d2cb2cc74402e5feb13b32f3
66605c7c765fb8978c5d114d2fea14d0a3bd5826
9cb4754d0c4d8a0362e26ab3df67c76502000604
2f1502a70d831d2e2d59f136918276c508bcb96c
4f1156f138d9a525fea5b720995aa9adca41316b
4cd7ead4e6b5a05392eeeb25bd7bccadf8d2fc39
bffe1f5720e6eb36f51b3ca58588a283db1f9637
Comment 22 Jule Anger 2023-08-01 12:18:15 UTC 
Closing out bug report.

Thanks!
Comment 23 Samba QA Contact 2023-08-08 07:20:19 UTC 
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc2):

b4f10979d860606c9b412e35d5a135835526dfac
e5ea3562b394702f01777889b17aa8cd4b0619cb
37094ba8e53b157dfc5571c88eaf25cb8c619bce
3493671ce743ec42d2cb2cc74402e5feb13b32f3
66605c7c765fb8978c5d114d2fea14d0a3bd5826
9cb4754d0c4d8a0362e26ab3df67c76502000604
2f1502a70d831d2e2d59f136918276c508bcb96c
4f1156f138d9a525fea5b720995aa9adca41316b
4cd7ead4e6b5a05392eeeb25bd7bccadf8d2fc39
bffe1f5720e6eb36f51b3ca58588a283db1f9637
Comment 24 Samba QA Contact 2023-08-16 16:59:01 UTC 
This bug was referenced in samba v4-18-stable (Release samba-4.18.6):

3b3b92f56bf209ae3997a89481a6b30c8fbac853
364730e9dc6e6baad082ce63ba227ea310865662
c14fbf24d9600755b3a95cacedc1726e879a036c
820752e377719efe7e0ab14bcc74c16ee79cf918
8e45b202caed2635a17b79d9df85d8e66169ed09
3270419407da4253c299f4fb34e1d588b0d8c7c1
c35953103f31b6b6a9534192cf29fb67fe5fa001
ae64a438b708c5b211cf96949b89d91ab2297ed6
5f908aef367494fb6b8939f9bd4f7dbc6d3f3690
da03582f30a629bf46dcb2fc5a9e7ecccb9e7a1e
Comment 25 Samba QA Contact 2023-09-07 09:03:19 UTC 
This bug was referenced in samba v4-17-stable (Release samba-4.17.11):

517339b17553eeaa0b95b44237899d381896de68
7112efed3d40b9220bf0d32e93d4de099565743e
bac861ed27fb4dc49a6defa3e26f0ea29b6dda4f
d3c4dd68a0db924879d1f5c53fff7e511530fca2
30c14e87e2b66dd2ec4f09097394e5179c50411f
cabc229210d6af37a3250c396c7b112605898e43
0d6bc07a57252ea380e13df84bcb50e8ae23b3c9
558834c3e1323563a939386e52614ada0b3ec969
ecbba6aec277ba72e3ad0990c9ac6e0a291b0162
dc74e3e94704ce4a28a0adb8102f71abb723fae1