Domain join failing in an RODC site.

HEMANTH THUMMALA hemanth.thummala at gmail.com
Fri Aug 30 06:52:08 MDT 2013


Hi All,

I was able to figure out the root cause. Looks like we are not doing domain
level DC discovery if we find a few DCs at site level.
In the code, initially discover_dc_dns() will find DCs at site level
first, and if the number of DCs returned from the site is zero then it will try
to fetch the DCs at domain level (by setting site_name to NULL).
DC validation is actually done later in process_dc_dns(). There we realize
that the list of DCs is not valid for domain join, as in this case they are
not writable.

Later the discover_dc_netbios attempt is also failing, and finally
dsgetdcname_rediscover() is failing with a "domain controller not found"
error, which is carried back to the join failure.

Here I am proposing a patch which will make this case work.

--- source3/libsmb/dsgetdcname.c.orig   2013-08-30 05:48:26.000000000 -0700
+++ source3/libsmb/dsgetdcname.c        2013-08-30 05:49:56.000000000 -0700
@@ -1152,16 +1152,28 @@ NTSTATUS dsgetdcname(TALLOC_CTX *mem_ctx
                                        &myinfo);

  done:
-       SAFE_FREE(query_site);

        if (!NT_STATUS_IS_OK(status)) {
                if (!first) {
                        *info = first_info;
+                       SAFE_FREE(query_site);
                        return NT_STATUS_OK;
                }
+               else if( (query_site) && (query_site[0] != '\0') ) {
+                        /* DC discovery failed at site level. Could be
there are no local writable DCs.
+                         * Lets try to discover DCs at domain level by
sending site name as NULL.
+                         */
+                        first = false;
+                        first_info = myinfo;
+                        SAFE_FREE(query_site);
+                        query_site = NULL;
+                        goto rediscover;
+                }
+               SAFE_FREE(query_site);
                return status;
        }

+       SAFE_FREE(query_site);
        if (!first) {
                TALLOC_FREE(first_info);
        } else if (!is_closest_site(myinfo)) {
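Review bot: the fallback reuses the `first`/`first_info` mechanism, so a domain-level failure following a site-level failure is returned as NT_STATUS_OK. At `done:`, the existing `if (!first) { *info = first_info; return NT_STATUS_OK; }` was written for the case where the first attempt succeeded and only the closest-site retry failed; the new `else if` branch sets `first = false` and `first_info = myinfo` after a failed site-level lookup, so if the retry with `query_site = NULL` also fails the caller receives success with the rejected (or never-filled) `myinfo` instead of `status`. Suggest tracking the domain-level retry with its own flag (for example `bool tried_domain_level`) and leaving `first`/`first_info` untouched on the failure path, so that a second failure still returns `status`. Smaller points: Samba style puts `} else if (query_site && query_site[0] != '\0') {` on the closing-brace line; `SAFE_FREE(query_site)` is now repeated in four places and could be done once at the end of `done:` plus once immediately before the `goto rediscover`; and the comment starting `/* DC discovery failed at site level.` has been line-wrapped by the mailer, so the patch as posted will not apply cleanly and should be attached to the bug as a file rather than pasted inline.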


I am going for rediscovery at domain level once we are unable to find valid
DCs at site level. I could have handled SAFE_FREE(query_site) better. :)

I have tested this and am able to join the domain from outside of the RODC site. Please
let me know if this looks correct.

Thanks,
Hemanth.
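The site-then-domain fallback described in the message, as an added stand-alone model that is not Samba's dsgetdcname() code. The `struct dc` table, the `discover_dc()` and `find_dc_for_join()` names and the FUNC_DCS sample domain are constructed for this example; the model only captures the writable-DC filter and the retry with a NULL site name, not DNS or NetBIOS lookups.

```c
/* Model of the site-level-then-domain-level DC discovery discussed above.
 * Stand-alone illustration, not Samba's dsgetdcname() code; the DC table,
 * type and function names are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct dc {
    const char *name;
    const char *site;
    bool writable;
};

/* One discovery pass. site == NULL means a domain-level lookup (the
 * _ldap._tcp.dc._msdcs.<domain> record rather than the _sites one).
 * Returns the first DC in the requested site that satisfies
 * writable_required, or NULL when the pass yields no usable DC. */
static const struct dc *discover_dc(const struct dc *dcs, size_t n,
                                    const char *site, bool writable_required)
{
    for (size_t i = 0; i < n; i++) {
        if (site != NULL && strcmp(dcs[i].site, site) != 0)
            continue;
        if (writable_required && !dcs[i].writable)
            continue;            /* an RODC cannot serve a domain join */
        return &dcs[i];
    }
    return NULL;
}

/* Site-level discovery first; when that yields no usable DC, retry at
 * domain level with site == NULL. Both passes failing is reported as a
 * failure (NULL), not as a success carrying the rejected site result. */
const struct dc *find_dc_for_join(const struct dc *dcs, size_t n,
                                  const char *site, bool writable_required)
{
    const struct dc *d = discover_dc(dcs, n, site, writable_required);
    if (d == NULL && site != NULL && site[0] != '\0')
        d = discover_dc(dcs, n, NULL, writable_required);
    return d;
}

/* Constructed domain: the client's site FUNC-SITE3 holds only an RODC. */
const struct dc FUNC_DCS[] = {
    { "rodc1.func.example", "FUNC-SITE3", false },
    { "dc1.func.example",   "FUNC-SITE1", true  },
    { "dc2.func.example",   "FUNC-SITE2", true  },
};
const size_t FUNC_DC_COUNT = sizeof(FUNC_DCS) / sizeof(FUNC_DCS[0]);
```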


On Thu, Aug 29, 2013 at 11:47 PM, Richard Sharpe <
realrichardsharpe at gmail.com> wrote:

> On Thu, Aug 29, 2013 at 11:10 AM, Stefan (metze) Metzmacher
> <metze at samba.org> wrote:
> > Hi HEMANTH,
> >
> >> When we are trying to join the domain from a site in which the only
> >> available DC is a Read Only DC, the Samba server is always contacting the
> >> site local RODC and failing with a status not supported error.
> >>
> >> Whereas other Windows clients in the same site are able to contact the
> >> writable DCs outside of the site and the domain join is succeeding.
> >>
> >> Looks like we are always querying the site local DC information. Here
> >> is the snippet from net ads join -d10:
> >>
> >> dsgetdcname: domain_name: FUNC, domain_guid: (null), site_name: (null),
> >> flags: 0x40001011
> >> debug_dsdcinfo_flags: 0x40001011
> >>         DS_FORCE_REDISCOVERY DS_DIRECTORY_SERVICE_REQUIRED
> >> DS_WRITABLE_REQUIRED DS_RETURN_DNS_NAME
> >> sitename_fetch: Returning sitename for FUNC: "FUNC-SITE3"
> >> dsgetdcname_rediscover
> >> ads_dns_lookup_srv: Failed to resolve
> >> _ldap._tcp.FUNC-SITE3._sites.dc._msdcs.FUNC (Unknown error: 0)
> >>
> >> I also witnessed that in dsgetdcname() there is no separate query sent
> >> when we have the flag DS_WRITABLE_REQUIRED for domain join.
> >>
> >> Bug 5917 was already raised for the same. Just want to know whether this has
> >> been addressed in the latest releases, including samba4.
> >
> > No, it's not fixed yet, please paste the content of this mail to the bug.
>
> And also paste your more recent analysis and proposed fix into the bug as
> well.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>

