<AD join failed>Samba not able to join AD-Domain in Pure IPv6

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

<AD join failed>Samba not able to join AD-Domain in Pure IPv6

okmanoj
Dear Samba-Team,

While testing samba, I found my samba client (3.5.8, 3.3.15) not able to join windows 2008 server if Only IPv6 address are enabled on server (IPv4 address is disabled from "Local Area Connection property").

I hope this is not new issue, however while debugging  this issue i found in many place samba is considering only IPv4 address (not IPv6) for example lib/util_sock.c (open_udp_socket(), interpret_addr())

Currently I am try to debug this issue, meanwhile If samba members can help me identifying any setting required for this issue it will be great and save re-work.

Please do let me know if logs are required (however it is very easy to reproduce)

Thanks in advance

Regards
Manoj
Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

Andrew Bartlett
On Sun, 2011-05-15 at 23:44 -0700, okmanoj wrote:

> Dear Samba-Team,
>
> While testing samba, I found my samba client (3.5.8, 3.3.15) not able to
> join windows 2008 server if Only IPv6 address are enabled on server (IPv4
> address is disabled from "Local Area Connection property").
>
> I hope this is not new issue, however while debugging  this issue i found in
> many place samba is considering only IPv4 address (not IPv6) for example
> lib/util_sock.c (open_udp_socket(), interpret_addr())
>
> Currently I am try to debug this issue, meanwhile If samba members can help
> me identifying any setting required for this issue it will be great and save
> re-work.

I would first try and use Samba 3.6 or master, but there are still parts
of the domain membership code that suffers from this problem (I noticed
this when doing other work nearby).  We know this is a problem, and it
is the goal of Samba to be IPv6 ready.

Jeremy (CC'ed) has taken a special interest in this area.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

David Holder-2
Hi Andrew,

Let me know if I can be of any help too.

Best Regards,
David
------------------------------------------------------------------------
Dr David Holder CEng FIET MIEEE

Erion Ltd, An Cala, Inverkirkaig, Lochinver, Sutherland, IV27 4LR, UK

Reception: +44 (0)1422 207000

Direct Dial: +44 (0)131 2026317

Cell: +44 (0)7768 456831

http://www.erion.co.uk


Registered in England and Wales. Registered Number 3521142
Registered Office: Oakleigh, Upper Sutherland Road, Lightcliffe,
Halifax, HX3 8NT, UK
VAT Number: GB 698 3633 78


On 16/05/2011 15:42, Andrew Bartlett wrote:

> On Sun, 2011-05-15 at 23:44 -0700, okmanoj wrote:
>> Dear Samba-Team,
>>
>> While testing samba, I found my samba client (3.5.8, 3.3.15) not able to
>> join windows 2008 server if Only IPv6 address are enabled on server (IPv4
>> address is disabled from "Local Area Connection property").
>>
>> I hope this is not new issue, however while debugging  this issue i found in
>> many place samba is considering only IPv4 address (not IPv6) for example
>> lib/util_sock.c (open_udp_socket(), interpret_addr())
>>
>> Currently I am try to debug this issue, meanwhile If samba members can help
>> me identifying any setting required for this issue it will be great and save
>> re-work.
> I would first try and use Samba 3.6 or master, but there are still parts
> of the domain membership code that suffers from this problem (I noticed
> this when doing other work nearby).  We know this is a problem, and it
> is the goal of Samba to be IPv6 ready.
>
> Jeremy (CC'ed) has taken a special interest in this area.
>
> Andrew Bartlett
>
Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

Jeremy Allison
In reply to this post by okmanoj
On Sun, May 15, 2011 at 11:44:20PM -0700, okmanoj wrote:
> Dear Samba-Team,
>
> While testing samba, I found my samba client (3.5.8, 3.3.15) not able to
> join windows 2008 server if Only IPv6 address are enabled on server (IPv4
> address is disabled from "Local Area Connection property").
>
> I hope this is not new issue, however while debugging  this issue i found in
> many place samba is considering only IPv4 address (not IPv6) for example
> lib/util_sock.c (open_udp_socket(), interpret_addr())

That's not true. Check out this snippit from v3-5-test inside open_udp_socket().

1383         res = socket(ss.ss_family, SOCK_DGRAM, 0);
1384         if (res == -1) {
1385                 return -1;
1386         }
1387
1388 #if defined(HAVE_IPV6)
1389         if (ss.ss_family == AF_INET6) {
1390                 struct sockaddr_in6 *psa6;
1391                 psa6 = (struct sockaddr_in6 *)&ss;
1392                 psa6->sin6_port = htons(port);
1393                 if (psa6->sin6_scope_id == 0
1394                                 && IN6_IS_ADDR_LINKLOCAL(&psa6->sin6_addr)) {
1395                         setup_linklocal_scope_id(
1396                                 (struct sockaddr *)&ss);
1397                 }
1398         }
1399 #endif

Also note that interpret_addr() is a specifically IPv4-only function,
only used in the IPv4-only code inside nmbd (NetBIOS-only code).

AFAIK all of 3.5.8 is completely IPv6 enabled and working.

> Currently I am try to debug this issue, meanwhile If samba members can help
> me identifying any setting required for this issue it will be great and save
> re-work.
>
> Please do let me know if logs are required (however it is very easy to
> reproduce)

Please open a bug against 3.5.8 at bugzilla.samba.org and attach
level 10 logs there.

Thanks !

Jeremy.
Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

Kai Blin-4
In reply to this post by okmanoj
On 2011-05-16 08:44, okmanoj wrote:

Hi Manoj,

> While testing samba, I found my samba client (3.5.8, 3.3.15) not able to
> join windows 2008 server if Only IPv6 address are enabled on server (IPv4
> address is disabled from "Local Area Connection property").

I've got the feeling that used to work at some point, but I can't get it
to work for me right now, either.

> I hope this is not new issue, however while debugging  this issue i found in
> many place samba is considering only IPv4 address (not IPv6) for example
> lib/util_sock.c (open_udp_socket(), interpret_addr())

Huh? Not on my copy of v3-5-test, which shouldn't be too different from
3.5.8. Not sure about 3.3.15, but that's in security fixes only mode, so
I wouldn't hold my breath for that one being fixed.

> Currently I am try to debug this issue, meanwhile If samba members can help
> me identifying any setting required for this issue it will be great and save
> re-work.

As far as I could see, this is caused by the resolver failing to ask for
AAAA records, getting a funny reply by the windows DNS server. I've yet
to find the piece of code responsible, though.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

Kai Blin-4
In reply to this post by okmanoj
On 2011-05-16 08:44, okmanoj wrote:
Hi Manoj,


> Currently I am try to debug this issue, meanwhile If samba members can help
> me identifying any setting required for this issue it will be great and save
> re-work.
>
> Please do let me know if logs are required (however it is very easy to
> reproduce)

Actually, it turns out that it's only reproducable on an IPv6-only
system, which isn't too useful, so most devs don't run one. I happen to
have a VM that is IPv6 only, so I did see it. I just spent some fun
hours with Jeremy tracking down this bug.

In short, you can stare at the Samba code all you like, that's fine.
What actually was wrong was our getaddrinfo configure check, which was
doing the wrong things in a check designed to detect an AIX bug. This
check fails on IPv6-only systems, causing Samba to fall back to our own
implementation of getaddrinfo built to work around getaddrinfo being
broken on old systems. That version is IPv4 only. The correct fix for
this was fixing the test, so we're now using the system getaddrinfo call
on systems where it's not broken, just like intended. For me, that fixes
the net join call in IPv6-only networks. We'll have a patch available
for master and 3.6.0 soon.

Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/


signature.asc (270 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

okmanoj
Thanks  Andrew, Jeremy, kai,

I have tried joining samba 3.3.15 also with the fix in samba v3-5-test, now AD join is working for me even in 3.3.15.

However Domain join I am facing similar issue. I feel I need to test domain join once again.

After my testing I will update samba bugzilla with all the details.

hearty Thanks to samba team for support.

Regards
Manoj
Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

TAKAHASHI Motonobu-2
In reply to this post by Jeremy Allison
From: Jeremy Allison <[hidden email]>
Date: Mon, 16 May 2011 12:06:20 -0700

> AFAIK all of 3.5.8 is completely IPv6 enabled and working.
>
> > Please do let me know if logs are required (however it is very easy to
> > reproduce)
>
> Please open a bug against 3.5.8 at bugzilla.samba.org and attach
> level 10 logs there.

I tried againt Samba 3.5.8 and failed. The full log is attached at
https://bugzilla.samba.org/show_bug.cgi?id=7714

-----
[2011/05/22 01:03:14.368549,  4] libads/dns.c:432(ads_dns_lookup_srv)
  ads_dns_lookup_srv: 1 records returned in the answer section.
[2011/05/22 01:03:14.368581, 10]
  libads/dns.c:213(ads_dns_parse_rr_srv)
  ads_dns_parse_rr_srv: Parsed win2k8r2srv1.w2k8r2ad1.local [0, 100,
  389]
[2011/05/22 01:03:14.368602, 10]
  libsmb/dsgetdcname.c:859(process_dc_dns)
  LDAP ping to win2k8r2srv1.w2k8r2ad1.local
[2011/05/22 01:03:14.369826,  2] libads/cldap.c:71(ads_cldap_netlogon)
  Failed to create cldap socket to fe80::5487:ac90:117c:b49c:
  NT_STATUS_INVALID_PARAMETER
-----

This shows DNS query was successed but CLDAP query was failed.
libads/cldap.c:71 calls cldap_socket_init() at libcli/cldap/cldap.c ...

---
TAKAHASHI Motonobu <[hidden email]>

Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

David Holder-2
Hi!

The problem is that you are using link-local addresses in DNS. This will
not work. Use global addresses instead. Never put link-local addresses
in DNS.

Best Regards,
David
------------------------------------------------------------------------
Dr David Holder CEng FIET MIEEE

Erion Ltd, An Cala, Inverkirkaig, Lochinver, Sutherland, IV27 4LR, UK

Reception: +44 (0)1422 207000

Direct Dial: +44 (0)131 2026317

Cell: +44 (0)7768 456831

http://www.erion.co.uk


Registered in England and Wales. Registered Number 3521142
Registered Office: Oakleigh, Upper Sutherland Road, Lightcliffe,
Halifax, HX3 8NT, UK
VAT Number: GB 698 3633 78


On 21/05/2011 17:20, TAKAHASHI Motonobu wrote:

> From: Jeremy Allison<[hidden email]>
> Date: Mon, 16 May 2011 12:06:20 -0700
>
>> AFAIK all of 3.5.8 is completely IPv6 enabled and working.
>>
>>> Please do let me know if logs are required (however it is very easy to
>>> reproduce)
>> Please open a bug against 3.5.8 at bugzilla.samba.org and attach
>> level 10 logs there.
> I tried againt Samba 3.5.8 and failed. The full log is attached at
> https://bugzilla.samba.org/show_bug.cgi?id=7714
>
> -----
> [2011/05/22 01:03:14.368549,  4] libads/dns.c:432(ads_dns_lookup_srv)
>    ads_dns_lookup_srv: 1 records returned in the answer section.
> [2011/05/22 01:03:14.368581, 10]
>    libads/dns.c:213(ads_dns_parse_rr_srv)
>    ads_dns_parse_rr_srv: Parsed win2k8r2srv1.w2k8r2ad1.local [0, 100,
>    389]
> [2011/05/22 01:03:14.368602, 10]
>    libsmb/dsgetdcname.c:859(process_dc_dns)
>    LDAP ping to win2k8r2srv1.w2k8r2ad1.local
> [2011/05/22 01:03:14.369826,  2] libads/cldap.c:71(ads_cldap_netlogon)
>    Failed to create cldap socket to fe80::5487:ac90:117c:b49c:
>    NT_STATUS_INVALID_PARAMETER
> -----
>
> This shows DNS query was successed but CLDAP query was failed.
> libads/cldap.c:71 calls cldap_socket_init() at libcli/cldap/cldap.c ...
>
> ---
> TAKAHASHI Motonobu<[hidden email]>
>
Reply | Threaded
Open this post in threaded view
|

Re: <AD join failed>Samba not able to join AD-Domain in Pure IPv6

TAKAHASHI Motonobu-2
From: David Holder <[hidden email]>
Date: Sat, 21 May 2011 17:26:43 +0100

> The problem is that you are using link-local addresses in DNS. This will
> not work. Use global addresses instead. Never put link-local addresses
> in DNS.
>
> Best Regards,
> David

Using addresses in range of 2001:0db8::/32, Samba box joined AD
running on Windows Server 2008 R2, though DNS update is still failed.

Thanks!

---
TAKAHASHI Motonobu <[hidden email]>