[Samba] Feature Request: Ability to join a IPv4-Only DC, into a Dual-Stacked "Samba4 AC DC" PDC.

Martinx - ジェームズ thiagocmartinsc at gmail.com
Sun Jul 20 21:34:57 MDT 2014 

Hey guys!

To make the adoption of IPv6 networks with Samba4 more smooth / robust, I
think that it is vital to give to Samba4, the ability for it, to join a
IPv4-Only Secondary DC, into a Dual-Stacked Primary DC. This doesn't work
today.

Otherwise, these days to enable IPv6 within a "Samba4 AC DC" network, it is
a requirement to enable it, simultaneously, on each and every network
controlled by your Samba4 (Am I right?). But, I truly believe that this
migration to IPv6 needs to be done in small steps, one network at a time.

Pragmatically speaking, `samba-tool` must be able to join a IPv4-Only
Secondary DC, into a Dual-Stacked "Samba4 AC DC" and, of course, Samba4
daemons must handle this too.


Exemplifying:


I have two `Samba4 AC DC`, both located in my office, dual-stacked (IPv4 +
IPv6), working
like a charm.

Now, I need to deploy a third DC, located within Amazon EC2, which does NOT
have IPv6. But samba-tool fails to join it.

---
1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6
2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6

3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only
---

At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and
2",
Kerberos works:

---
root at ubuntu-ad-3:~# kinit administrator
Password for administrator at CENTRAL.DOMAIN.COM.BR:
Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10
PM UTC
---

But, samba-tool, when it sees the AAAA record, it then tries to use it,
even if its host doesn't have IPv6 connectivity. I understand that IPv6
should be preferred but, only when the machine have it enabled...

---
strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR
<http://central.domain.com.br/> DC -Uadministrator --realm=CENTRAL.DOMAIN.
COM.BR <http://com.br/> --dns-backend=BIND9_DLZ
.....
[pid  1533] +++ killed by SIGKILL +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533,
si_status=SIGKILL, si_utime=0, si_stime=0} ---
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
*connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6,
"2008:29Y:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0},
28) = -1 ENETUNREACH (Network is unreachable)*
ERROR(exception): uncaught exception - Failed to find a writeable DC for
domain 'CENTRAL.DOMAIN.COM.BR <http://com.br/>'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552,
in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in
join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in
__init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in
find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" %
domain)
+++ exited with 255 +++
---

Then, I tried to remove the AAAA records from `ubuntu-ad-1 & 2`, just to
check if `ubuntu-ad-3` was able o join and it joined but, it triggered a
lots of errors on all DCs... Forcing me to re-provision the domain (now
IPv4-Only at office too) (from scratch - I'm too lame to fix Samba4
databases, so, I restart it from the beginning (domain provision) if
something bad happens).

Now, I disabled IPv6 (very sad) at my office's DCs (ubuntu-ad-1 and
ubuntu-ad-2), just to be able to deploy a secondary DC within Amazon EC2
(IPv4-Only networks)...     :'(

I think that it will be awesome to be able to mix "Dual-Stacked + IPv6-Only
+ IPv4-Only" Networks! Don't you guys think? This way, it will be much
easier to start deploying IPv6 here and there, without enabling everywhere
at once.

I don't know if this is the best place to ask for a "Samba Feature Request"
so, let me know it there is a better place to do it.

Best Regards,
Thiago Martins

More information about the samba mailing list