Bug 9959 - Windows client join fails if a second container CN=System exists somewhere
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.3.7
Hardware: All, OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2013-06-18 18:37 UTC by Arvid Requate
Modified: 2016-09-13 16:19 UTC (History)

See Also:


Attachments
log.samba.gz (158.34 KB, application/x-gzip), 2013-06-18 18:37 UTC, Arvid Requate
testCase.py (2.13 KB, text/plain), 2013-06-18 18:38 UTC, Arvid Requate
0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch (2.79 KB, patch), 2013-06-18 18:41 UTC, Arvid Requate
Bug-9959-master.patch (14.31 KB, patch), 2016-08-27 13:51 UTC, Arvid Requate
Bug-9959-v4-4-stable.patch (14.31 KB, patch), 2016-08-27 13:52 UTC, Arvid Requate
Bug-9959-v4-3-stable.patch (8.33 KB, patch), 2016-08-27 13:52 UTC, Arvid Requate

Description Arvid Requate 2013-06-18 18:37:44 UTC
Created attachment 8981: log.samba.gz

lsa_QueryInfoPolicy fails with NT_STATUS_NO_SUCH_DOMAIN if a second "CN=System" container exists.
Comment 1 Arvid Requate 2013-06-18 18:38:16 UTC
Created attachment 8982: testCase.py
Comment 2 Arvid Requate 2013-06-18 18:41:04 UTC
Created attachment 8983: 0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch

E.g. search '(&(objectClass=container)(cn=system)(isCriticalSystemObject=True))'
Comment 3 Henning Becker 2015-03-11 19:24:24 UTC
Confirmed.
It almost took me a day to figure this out.
Besides joining also login is affected on W2008/2012 machines.
Comment 4 Arvid Requate 2016-08-11 10:48:52 UTC
Please consider the supplied patch for merge.

We just had this again with samba 4.3.7; it took a new colleague another day digging through network traces. For the record, these are the parts of log.samba characteristic of this situation:

=============================================================================
[2016/08/10 15:00:50.317533,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          in: struct netr_DsrEnumerateDomainTrusts
              server_name              : *
                  server_name              : '\\somedc.domain.local'
              trust_flags              : 0x0000003f (63)
                     1: NETR_TRUST_FLAG_IN_FOREST
                     1: NETR_TRUST_FLAG_OUTBOUND 
                     1: NETR_TRUST_FLAG_TREEROOT 
                     1: NETR_TRUST_FLAG_PRIMARY  
                     1: NETR_TRUST_FLAG_NATIVE   
                     1: NETR_TRUST_FLAG_INBOUND  
                     0: NETR_TRUST_FLAG_MIT_KRB5 
                     0: NETR_TRUST_FLAG_AES
[...]
[2016/08/10 15:00:50.329686, 10, pid=25834, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=domain,DC=local
   scope: sub
   expr: (&(objectClass=container)(cn=System))
   attr: <ALL>
   control: <NONE>
[...]
[2016/08/10 15:00:50.331385,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          out: struct netr_DsrEnumerateDomainTrusts
              trusts                   : *
                  trusts: struct netr_DomainTrustList
                      count                    : 0x00000000 (0)
                      array                    : NULL
              result                   : WERR_GENERAL_FAILURE
=============================================================================
Comment 5 Stefan Metzmacher 2016-08-11 12:50:52 UTC
(In reply to Arvid Requate from comment #4)
Hi Arvid,

I'd like to use CN=System,$DEFAULT_DN, instead
of doing a search.

We're using ldb_dn_add_child_fmt(system_dn, "CN=System");
in a few places already. See dsdb_trust_search_tdo[s]().

Can you provide updated patches?
One for each subdirectory? Also remember
we have two backupkey implementations now.
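The two ways of locating the domain's CN=System container that come up in this bug (the isCriticalSystemObject filter from comment 2 and the direct CN=System,$DEFAULT_DN lookup from comment 5), modelled over a constructed in-memory directory. This is an added example, not code from the bug report or from Samba; the base DN, the entries and the OU=Lab duplicate are constructed sample data, and the lookup functions are stand-ins for the real ldb calls.

```python
# Added example (not Samba code): why a subtree search for CN=System is
# ambiguous once a second container with that RDN exists, and how anchoring
# the DN (or filtering on isCriticalSystemObject) avoids it.

DEFAULT_DN = "DC=domain,DC=local"  # constructed sample base DN

# Constructed sample directory: (dn, objectClass, isCriticalSystemObject)
ENTRIES = [
    ("CN=System,DC=domain,DC=local", "container", True),
    ("OU=Lab,DC=domain,DC=local", "organizationalUnit", False),
    ("CN=System,OU=Lab,DC=domain,DC=local", "container", False),  # stray duplicate
    ("CN=Users,DC=domain,DC=local", "container", False),
]

def _rdn(dn):
    return dn.split(",", 1)[0].lower()

def _under(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def subtree_search(base, cn, critical_only=False):
    """Scope-sub search equivalent to (&(objectClass=container)(cn=<cn>)),
    optionally with (isCriticalSystemObject=True) added (comment 2)."""
    return [dn for dn, oc, critical in ENTRIES
            if _under(dn, base) and oc == "container"
            and _rdn(dn) == "cn=" + cn.lower()
            and (critical or not critical_only)]

def system_dn_by_search(base):
    """The failing approach from comment 4: a subtree search that must yield
    exactly one hit. Returns None on ambiguity, which is where the caller
    ends up reporting NT_STATUS_NO_SUCH_DOMAIN / WERR_GENERAL_FAILURE."""
    hits = subtree_search(base, "System")
    return hits[0] if len(hits) == 1 else None

def system_dn_by_child(base):
    """Comment 5's approach: build CN=System,<base> and look up that exact
    DN instead of searching. Returns None only if the well-known container
    is genuinely missing."""
    wanted = "cn=system," + base.lower()
    for dn, oc, _ in ENTRIES:
        if dn.lower() == wanted and oc == "container":
            return dn
    return None

def find_duplicate_system_containers(base):
    """Audit helper for admins: every CN=System container that is not the
    well-known one directly under the domain root."""
    wanted = "cn=system," + base.lower()
    return [dn for dn in subtree_search(base, "System") if dn.lower() != wanted]
```

Run `find_duplicate_system_containers` against a dump of your own directory data to spot the stray container before a join or logon starts failing.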
Comment 6 Arvid Requate 2016-08-27 13:51:15 UTC
Created attachment 12413: Bug-9959-master.patch

Patch set for master
Comment 7 Arvid Requate 2016-08-27 13:52:15 UTC
Created attachment 12414: Bug-9959-v4-4-stable.patch

Patch set for v4.4-stable
Comment 8 Arvid Requate 2016-08-27 13:52:57 UTC
Created attachment 12415: Bug-9959-v4-3-stable.patch

Patch set for v4.3-stable