Bug 9959 - Windows client join fails if a second container CN=System exists somewhere
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.13.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2013-06-18 18:37 UTC by Arvid Requate
Modified: 2023-09-07 09:03 UTC

Attachments
log.samba.gz (158.34 KB, application/x-gzip), 2013-06-18 18:37 UTC, Arvid Requate, no flags
testCase.py (2.13 KB, text/plain), 2013-06-18 18:38 UTC, Arvid Requate, no flags
0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch (2.79 KB, patch), 2013-06-18 18:41 UTC, Arvid Requate, no flags
Bug-9959-master.patch (14.31 KB, patch), 2016-08-27 13:51 UTC, Arvid Requate, no flags
Bug-9959-v4-4-stable.patch (14.31 KB, patch), 2016-08-27 13:52 UTC, Arvid Requate, no flags
Bug-9959-v4-3-stable.patch (8.33 KB, patch), 2016-08-27 13:52 UTC, Arvid Requate, no flags
Bug-9959-v4-6-rc2.patch (14.33 KB, patch), 2017-01-31 12:40 UTC, Arvid Requate, no flags
Patch in master backported to Samba 4.19 (25.06 KB, patch), 2023-07-31 09:00 UTC, Andrew Bartlett, metze: review+
Patch in master backported to Samba 4.18 (25.06 KB, patch), 2023-07-31 09:01 UTC, Andrew Bartlett, metze: review+
Patch in master backported to Samba 4.17 (25.06 KB, patch), 2023-07-31 09:03 UTC, Andrew Bartlett, metze: review+

Description Arvid Requate 2013-06-18 18:37:44 UTC
Created attachment 8981 [details]
log.samba.gz

lsa_QueryInfoPolicy fails with NT_STATUS_NO_SUCH_DOMAIN if a second "CN=System" container exists.
Comment 1 Arvid Requate 2013-06-18 18:38:16 UTC
Created attachment 8982 [details]
testCase.py
Comment 2 Arvid Requate 2013-06-18 18:41:04 UTC
Created attachment 8983 [details]
0001-s4-rpc_server-pick-CN-System-CriticalSystemObject.patch

E.g. search '(&(objectClass=container)(cn=system)(isCriticalSystemObject=True))'
Comment 3 Henning Becker (dead mail address) 2015-03-11 19:24:24 UTC
Confirmed.
It almost took me a day to figure this out.
Besides joining also login is affected on W2008/2012 machines.
Comment 4 Arvid Requate 2016-08-11 10:48:52 UTC
Please consider the supplied patch for merge.

We just had this again with samba 4.3.7, took a new colleague another day digging through network traces. For the record, these are the parts of log.samba characteristic for this situation:

=============================================================================
[2016/08/10 15:00:50.317533,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          in: struct netr_DsrEnumerateDomainTrusts
              server_name              : *
                  server_name              : '\\somedc.domain.local'
              trust_flags              : 0x0000003f (63)
                     1: NETR_TRUST_FLAG_IN_FOREST
                     1: NETR_TRUST_FLAG_OUTBOUND 
                     1: NETR_TRUST_FLAG_TREEROOT 
                     1: NETR_TRUST_FLAG_PRIMARY  
                     1: NETR_TRUST_FLAG_NATIVE   
                     1: NETR_TRUST_FLAG_INBOUND  
                     0: NETR_TRUST_FLAG_MIT_KRB5 
                     0: NETR_TRUST_FLAG_AES
[...]
[2016/08/10 15:00:50.329686, 10, pid=25834, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:72(ldb_wrap_debug)
  ldb: ldb_trace_request: SEARCH
   dn: DC=domain,DC=local
   scope: sub
   expr: (&(objectClass=container)(cn=System))
   attr: <ALL>
   control: <NONE>
[...]
[2016/08/10 15:00:50.331385,  1, pid=25834, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
          out: struct netr_DsrEnumerateDomainTrusts
              trusts                   : *
                  trusts: struct netr_DomainTrustList
                      count                    : 0x00000000 (0)
                      array                    : NULL
              result                   : WERR_GENERAL_FAILURE
=============================================================================
Comment 5 Stefan Metzmacher 2016-08-11 12:50:52 UTC
(In reply to Arvid Requate from comment #4)
Hi Arvid,

I'd like to use CN=System,$DEFAULT_DN, instead
of doing a search.

We're using ldb_dn_add_child_fmt(system_dn, "CN=System");
in a few places already. See dsdb_trust_search_tdo[s]().

Can you provide updated patches?
One for each subdirectory? Also remember
we have two backupkey implementations now.
Comment 6 Arvid Requate 2016-08-27 13:51:15 UTC
Created attachment 12413 [details]
Bug-9959-master.patch

Patch set for master
Comment 7 Arvid Requate 2016-08-27 13:52:15 UTC
Created attachment 12414 [details]
Bug-9959-v4-4-stable.patch

Patch set for v4.4-stable
Comment 8 Arvid Requate 2016-08-27 13:52:57 UTC
Created attachment 12415 [details]
Bug-9959-v4-3-stable.patch

Patch set for v4.3-stable
Comment 9 Arvid Requate 2017-01-31 12:40:53 UTC
Created attachment 12884 [details]
Bug-9959-v4-6-rc2.patch

Updated patch.
Comment 10 Björn Jacke 2021-02-05 20:27:11 UTC
Ideally I think this fix should actually not be needed because a second container called system should actually be forbidden to be created, see bug 14225.
Comment 11 Arvid Requate 2021-02-05 20:52:01 UTC
Well, I don't know if things improved since reporting this bug, but at that time I experienced this issue.

With 4.13.4 the test case (fixed for py3) doesn't show the issue any longer, apparently, two cn=system containers don't cause the issue downstream any longer:

root@machine:~# python3 testCase.py 
===========================
Running lsa_QueryInfoPolicy
Domain NetBios Name: DOM
Domain Sid: S-1-5-21-2196904195-2995300023-2286668795
===========================
Creating container cn=system,cn=users,DC=dom,DC=tld
===========================
Running lsa_QueryInfoPolicy again
Domain NetBios Name: DOM
Domain Sid: S-1-5-21-2196904195-2995300023-2286668795
===========================
Removing container cn=system,cn=users,DC=dom,DC=tld


Yet, this shows that nothing prevents me from creating a container named system, nor a user for that matter:

root@machine:~# samba-tool user create System Testpassword.1
User 'System' created successfully
root@machine:~# ldbsearch -H /var/lib/samba/private/sam.ldb \
                          --controls=domain_scope:1 cn=system 1.1
# record 1
dn: CN=System,CN=Users,DC=dom,DC=tld

# record 2
dn: CN=System,DC=dom,DC=tld

# returned 2 records
# 2 entries
# 0 referrals

Which may also conflict with the list of reserved words documented in https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
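
Added example, not part of the original bug thread or of the Samba code: a Python check that reads ldbsearch output like that quoted in comment 11 and separates the well-known CN=System,<base DN> container from same-named entries elsewhere in the tree, the condition under which the subtree search shown in comment 4 stopped returning a single result. The function names and the sample are constructed for this example; DN normalization is simplified and does not handle escaped commas.

```python
import base64
import re

# Constructed sample, modelled on the ldbsearch output quoted in comment 11.
SAMPLE = """\
# record 1
dn: CN=System,CN=Users,DC=dom,DC=tld

# record 2
dn: CN=System,DC=dom,DC=tld

# returned 2 records
"""


def parse_dns(ldif_text):
    """Return every DN found in ldbsearch/LDIF output."""
    # LDIF folds long lines; a continuation line starts with one space.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    dns = []
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):  # base64 form, used for non-ASCII DNs
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


def normalize(dn):
    """Lower-case and trim each RDN (simplified: no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def audit_system_entries(ldif_text, base_dn):
    """Split results into the well-known container and same-named entries elsewhere."""
    expected = normalize("CN=System," + base_dn)
    canonical, shadowing = None, []
    for dn in parse_dns(ldif_text):
        norm = normalize(dn)
        if norm == expected:
            canonical = dn
        elif norm.split(",")[0] == "cn=system":
            shadowing.append(dn)
    return canonical, shadowing


if __name__ == "__main__":
    canonical, shadowing = audit_system_entries(SAMPLE, "DC=dom,DC=tld")
    print("well-known container:", canonical)
    for dn in shadowing:
        print("ambiguous for a subtree search on cn=System:", dn)
```

A non-empty second list on a release without the fix means a subtree search for cn=System matches more than one entry.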
Comment 12 Andrew Bartlett 2023-07-27 05:22:16 UTC
I have included and built on these patches at https://gitlab.com/samba-team/samba/-/merge_requests/3198

I am so sorry this has taken so long to be addressed.
Comment 13 Samba QA Contact 2023-07-31 07:21:05 UTC
This bug was referenced in samba master:

Comment 14 Andrew Bartlett 2023-07-31 09:00:35 UTC
Created attachment 18014 [details]
Patch in master backported to Samba 4.19
Comment 15 Andrew Bartlett 2023-07-31 09:01:31 UTC
Created attachment 18015 [details]
Patch in master backported to Samba 4.18
Comment 16 Andrew Bartlett 2023-07-31 09:03:14 UTC
Created attachment 18016 [details]
Patch in master backported to Samba 4.17
Comment 17 Andrew Bartlett 2023-07-31 19:51:12 UTC
Assigning to Jule for next supported releases.
Comment 18 Jule Anger 2023-08-01 06:53:54 UTC
Pushed to autobuild-v4-{19,18,17}-test.
Comment 19 Samba QA Contact 2023-08-01 10:58:04 UTC
This bug was referenced in samba v4-18-test:

Comment 20 Samba QA Contact 2023-08-01 10:58:12 UTC
This bug was referenced in samba v4-17-test:

Comment 21 Samba QA Contact 2023-08-01 12:13:04 UTC
This bug was referenced in samba v4-19-test:

Comment 22 Jule Anger 2023-08-01 12:18:15 UTC
Closing out bug report.

Thanks!
Comment 23 Samba QA Contact 2023-08-08 07:20:19 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc2):

Comment 24 Samba QA Contact 2023-08-16 16:59:01 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.6):

Comment 25 Samba QA Contact 2023-09-07 09:03:19 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.11):
