Sysprep joins fail on Samba >= 4.2.0

Webmaster IESCDM admies at
Mon Aug 3 14:42:36 UTC 2015


We have a samba 4.2.2 setup compiled from source, single DC, internal DNS.
We've been using this samba setup in production since version 4.0.3. All
clients are Windows 7-x64.

Since we upgraded to samba 4.2.0 back in March 2015, we are not able to
join client machines to the domain using our sysprep unattended image, but
joining machines via the manual procedure using the Windows GUI works.

Perhaps we're overlooking something very obvious, but we've done 3+ weeks
of research on the issue and we've come to these conclusions:

- samba < 4.2.0: unattended joins using sysprep work OK

- samba >= 4.2.0: unattended joins using sysprep fail. Netsetup.log errors
0x54a and 1354 (ERROR_INVALID_DOMAIN_ROLE This operation is only allowed
for the primary Domain Controller of the domain.)

To rule out possible corruption of our own databases, we've rolled back to
our past 4.1.17 setup and sysprep domain join works flawlessly. Then we
update this environment to 4.2.2 and it stops working.

We've also tested pushing all our current databases from our current setup
(4.2.2) into a 4.1.17 samba and it works!

So it leads us to think it might be a problem with some change introduced
in 4.2.0 regarding domain join that only shows up when trying to do
unattended joins.

In case this is of any help, packet-level research using wireshark shows
that the only difference between versions that work and those which don't
is the following:

- samba < 4.2.0 (works): the RPC_NETL DsrGetDcNameEx2 response returns the
DC name field as DCSERVER.DOMAIN.LOCAL and the unattended join process
works OK from that point onwards.

- samba >= 4.2.0 (fails): the DsrGetDcNameEx2 response returns the DC name
field as DCSERVER and the unattended join process doesn't work. It keeps
retrying the DsrGetDcNameEx2 request to no avail.

Are there any changes in 4.2.0 that might point to this failure for
unattended joins? Joining the domain through the usual GUI procedure in
Windows 7 works OK using any version.

NB. We are using a .local TLD, and our current fileserver is the same as
the DC. We missed those recommendations.

Thanks in advance for any help.


IT Team IES Chan do Monte
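
Added example, not part of the original post or of Samba: a small triage script for a client's NetSetup.log that normalises join status codes to one form, since 0x54a and 1354 are the same Win32 code in hex and decimal, and counts how often each appears. The sample log lines are constructed for illustration and the regular expressions assume the usual "routine: message: 0xNNN" layout.

```python
import re
from collections import Counter

# Only the code named in the post is listed; extend as needed.
WIN32_NAMES = {1354: "ERROR_INVALID_DOMAIN_ROLE"}

# Constructed sample lines (not taken from the poster's machines).
SAMPLE_LOG = """\
08/03/2015 14:40:01:101 NetpDoDomainJoin
08/03/2015 14:40:02:240 NetpDsGetDcName: trying to find DC in domain 'DOMAIN.LOCAL', flags: 0x40001010
08/03/2015 14:40:17:512 NetpDsGetDcName: failed to find a DC in the specified domain: 0x54a, last error is 0x0
08/03/2015 14:40:17:528 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x54a
08/03/2015 14:40:17:544 NetpDoDomainJoin: status: 0x54a
08/03/2015 14:40:17:560 Unattended join failed with error 1354
"""

# Hex values that follow a status-like label; "flags: 0x..." is deliberately skipped.
HEX_STATUS = re.compile(r"(?:status|returned|failed[^:]*):\s*(0x[0-9a-fA-F]+)")
# Decimal form, e.g. "error 1354".
DEC_STATUS = re.compile(r"\berror (\d+)\b")


def failure_codes(log_text):
    """Count log lines reporting each non-zero status, keyed by decimal code."""
    counts = Counter()
    for line in log_text.splitlines():
        codes = {int(h, 16) for h in HEX_STATUS.findall(line)}
        codes |= {int(d) for d in DEC_STATUS.findall(line)}
        for code in codes:
            if code:  # 0x0 means success, not a failure
                counts[code] += 1
    return counts


def summarize(log_text):
    """Return (decimal, hex, name, line_count) tuples, most frequent first."""
    return [
        (code, f"0x{code:x}", WIN32_NAMES.get(code, "unknown"), n)
        for code, n in failure_codes(log_text).most_common()
    ]


if __name__ == "__main__":
    for dec, hx, name, n in summarize(SAMPLE_LOG):
        print(f"{dec} ({hx}) {name}: {n} line(s)")
```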
