Bug 9959 – Windows client join fails if a second container CN=System exists somewhere

Bug 9959 - Windows client join fails if a second container CN=System exists somewhere


Summary:	Windows client join fails if a second container CN=System exists somewhere

Status:	ASSIGNED

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DCE-RPCs and pipes
Version:	4.3.7
Hardware:	All All

Importance:	P5 normal
Target Milestone:	---
Assigned To:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-06-18 18:37 UTC by Arvid Requate
Modified:	2017-01-31 12:40 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
log.samba.gz (158.34 KB, application/x-gzip) 2013-06-18 18:37 UTC, Arvid Requate	no flags	Details
testCase.py (2.13 KB, text/plain) 2013-06-18 18:38 UTC, Arvid Requate	no flags	Details
0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch (2.79 KB, patch) 2013-06-18 18:41 UTC, Arvid Requate	no flags	Details
Bug-9959-master.patch (14.31 KB, patch) 2016-08-27 13:51 UTC, Arvid Requate	no flags	Details
Bug-9959-v4-4-stable.patch (14.31 KB, patch) 2016-08-27 13:52 UTC, Arvid Requate	no flags	Details
Bug-9959-v4-3-stable.patch (8.33 KB, patch) 2016-08-27 13:52 UTC, Arvid Requate	no flags	Details
Bug-9959-v4-6-rc2.patch (14.33 KB, patch) 2017-01-31 12:40 UTC, Arvid Requate	no flags	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate 2013-06-18 18:37:44 UTC

Created attachment 8981 [details]
log.samba.gz

lsa_QueryInfoPolicy fails with NT_STATUS_NO_SUCH_DOMAIN if a second "CN=System" container exists.

Comment 1 Arvid Requate 2013-06-18 18:38:16 UTC

Created attachment 8982 [details]
testCase.py

Comment 2 Arvid Requate 2013-06-18 18:41:04 UTC

Created attachment 8983 [details]
0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch

E.g. search '(&(objectClass=container)(cn=system)(isCriticalSystemObject=True))'

Comment 3 Henning Becker 2015-03-11 19:24:24 UTC

Confirmed.
It almost took me a day to figure this out.
Besides joining also login is affected on W2008/2012 machines.

Comment 4 Arvid Requate 2016-08-11 10:48:52 UTC

Please consider the supplied patch for merge.

We just had this again with samba 4.3.7, took a new colleague another day digging though network traces. For the record, these are the parts of log.samba characteristic for this situation:

=============================================================================
[2016/08/10 15:00:50.317533,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          in: struct netr_DsrEnumerateDomainTrusts
              server_name              : *
                  server_name              : '\\somedc.domain.local'
              trust_flags              : 0x0000003f (63)
                     1: NETR_TRUST_FLAG_IN_FOREST
                     1: NETR_TRUST_FLAG_OUTBOUND 
                     1: NETR_TRUST_FLAG_TREEROOT 
                     1: NETR_TRUST_FLAG_PRIMARY  
                     1: NETR_TRUST_FLAG_NATIVE   
                     1: NETR_TRUST_FLAG_INBOUND  
                     0: NETR_TRUST_FLAG_MIT_KRB5 
                     0: NETR_TRUST_FLAG_AES
[...]
[2016/08/10 15:00:50.329686, 10, pid=25834, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=domain,DC=local
   scope: sub
   expr: (&(objectClass=container)(cn=System))
   attr: <ALL>
   control: <NONE>
[...]
[2016/08/10 15:00:50.331385,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          out: struct netr_DsrEnumerateDomainTrusts
              trusts                   : *
                  trusts: struct netr_DomainTrustList
                      count                    : 0x00000000 (0)
                      array                    : NULL
              result                   : WERR_GENERAL_FAILURE
=============================================================================

Comment 5 Stefan Metzmacher 2016-08-11 12:50:52 UTC

(In reply to Arvid Requate from comment #4)
Hi Arvid,

I'd like to use CN=System,$DEFAULT_DN, instead
of doing a search.

We're using ldb_dn_add_child_fmt(system_dn, "CN=System");
in a few places already. See dsdb_trust_search_tdo[s]().

Can you provide an updated patches?
One for each subdirectory? Also remember
we have two backupkey implementations now.

Comment 6 Arvid Requate 2016-08-27 13:51:15 UTC

Created attachment 12413 [details]
Bug-9959-master.patch

Patch set for master

Comment 7 Arvid Requate 2016-08-27 13:52:15 UTC

Created attachment 12414 [details]
Bug-9959-v4-4-stable.patch

Patch set for v4.4-stable

Comment 8 Arvid Requate 2016-08-27 13:52:57 UTC

Created attachment 12415 [details]
Bug-9959-v4-3-stable.patch

Patch set for v4.3-stable

Comment 9 Arvid Requate 2017-01-31 12:40:53 UTC

Created attachment 12884 [details]
Bug-9959-v4-6-rc2.patch

Updated patch.