[Samba] Feature Request: Ability to join a IPv4-Only DC, into a Dual-Stacked "Samba4 AC DC" PDC.

Davor Vusir davortvusir at gmail.com
Sun Jul 20 22:27:46 MDT 2014


On 21 Jul 2014 05:35, "Martinx - ジェームズ" <thiagocmartinsc at gmail.com> wrote:
>
> Hey guys!
>
> To make the adoption of IPv6 networks with Samba4 more smooth / robust, I
> think that it is vital to give to Samba4, the ability for it, to join an
> IPv4-Only Secondary DC, into a Dual-Stacked Primary DC. This doesn't work
> today.
>
> Otherwise, these days to enable IPv6 within a "Samba4 AC DC" network, it is
> a requirement to enable it, simultaneously, on each and every network
> controlled by your Samba4 (Am I right?). But, I truly believe that this
> migration to IPv6 needs to be done in small steps, one network at a time.
>
> Pragmatically speaking, `samba-tool` must be able to join an IPv4-Only
> Secondary DC, into a Dual-Stacked "Samba4 AC DC" and, of course, Samba4
> daemons must handle this too.
>
>
> Exemplifying:
>
>
> I have two `Samba4 AC DC`, both located in my office, dual-stacked (IPv4 +
> IPv6), working like a charm.
>
> Now, I need to deploy a third DC, located within Amazon EC2, which does NOT
> have IPv6. But samba-tool fails to join it.
>
> ---
> 1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6
> 2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6
>
> 3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only
> ---
>
> At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and
> 2", Kerberos works:
>
> ---
> root@ubuntu-ad-3:~# kinit administrator
> Password for administrator@CENTRAL.DOMAIN.COM.BR:
> Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10 PM UTC
> ---
>
> But, samba-tool, when it sees the AAAA record, it then tries to use it,
> even if its host doesn't have IPv6 connectivity. I understand that IPv6
> should be preferred but, only when the machine has it enabled...
>
> ---
> strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
> .....
> [pid  1533] +++ killed by SIGKILL +++
> --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533, si_status=SIGKILL, si_utime=0, si_stime=0} ---
> socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
> setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
> *connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "2008:29Y:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)*
> ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'CENTRAL.DOMAIN.COM.BR'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
>     machinepass, use_ntvfs, dns_backend, promote_existing)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
>     ctx.server = ctx.find_dc(domain)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
>     raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
> +++ exited with 255 +++
> ---
>
> Then, I tried to remove the AAAA records from `ubuntu-ad-1 & 2`, just to
> check if `ubuntu-ad-3` was able to join and it joined but, it triggered
> lots of errors on all DCs... Forcing me to re-provision the domain (now
> IPv4-Only at office too) (from scratch - I'm too lame to fix Samba4
> databases, so, I restart it from the beginning (domain provision) if
> something bad happens).
>
> Now, I disabled IPv6 (very sad) at my office's DCs (ubuntu-ad-1 and
> ubuntu-ad-2), just to be able to deploy a secondary DC within Amazon EC2
> (IPv4-Only networks)...     :'(
>
> I think that it will be awesome to be able to mix "Dual-Stacked + IPv6-Only
> + IPv4-Only" Networks! Don't you guys think? This way, it will be much
> easier to start deploying IPv6 here and there, without enabling everywhere
> at once.
>
> I don't know if this is the best place to ask for a "Samba Feature Request"
> so, let me know if there is a better place to do it.
>
> Best Regards,
> Thiago Martins

Off topic; I'm running IPv4 only and got creating and moving DC between
Sites (using BIND9_DLZ) in MMC AD Site and Services to work. I think it is
sluggish, so to speak, but it works. Have you got a spare minute to
test? I'm suspecting IPv6 (dual stack) to be the cause...

Regards
Davor
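
The fallback asked for in the quoted request (skip an AAAA address when the joining host has no IPv6 route, then try the A record), as an added Python example that is not part of either message and not Samba's code. The names `pick_reachable`, `udp_route_probe`, `resolve` and `NO_ROUTE` are hypothetical, and the sample addresses are constructed from documentation ranges.

```python
import errno
import socket

# errno values meaning "this host cannot route to that address family",
# as opposed to a failure reported by the server itself.
NO_ROUTE = {errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL,
            errno.EAFNOSUPPORT}


def udp_route_probe(family, sockaddr):
    """Connect a UDP socket: triggers a local route lookup, sends nothing."""
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.connect(sockaddr)


def pick_reachable(candidates, probe=udp_route_probe):
    """Return (chosen, skipped) from an ordered list of (family, sockaddr).

    Candidates keep their resolver order (AAAA may come first for a
    dual-stack name); an address with no local route is skipped instead
    of ending the search, which is the step missing in the trace above.
    """
    skipped = []
    for family, sockaddr in candidates:
        try:
            probe(family, sockaddr)
            return (family, sockaddr), skipped
        except OSError as e:
            if e.errno not in NO_ROUTE:
                raise  # a real failure, not a missing address family
            skipped.append((sockaddr[0], errno.errorcode[e.errno]))
    return None, skipped


def resolve(host, port):
    """All A and AAAA results for host, in getaddrinfo order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)
    return [(fam, addr) for fam, _type, _proto, _canon, addr in infos]


if __name__ == "__main__":
    # Constructed sample: one DC name published with both AAAA and A records.
    sample = [(socket.AF_INET6, ("2001:db8::66", 389, 0, 0)),
              (socket.AF_INET, ("192.0.2.10", 389))]
    print(pick_reachable(sample))
```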
