Sysprep joins fail on Samba >= 4.2.0

David Karlström daka at daka.se
Tue Aug 4 11:58:41 UTC 2015


On Mon, Aug 03, 2015 at 04:42:36PM +0200, Webmaster IESCDM wrote:
> Hi,
> 
> We have a samba 4.2.2 setup compiled from source, single DC, internal DNS.
> We've been using this samba setup in production since version 4.0.3. All
> clients are Windows 7-x64.
> 
> Since we upgraded to samba 4.2.0 back in March 2015, we are not able to
> join client machines to the domain using our sysprep unattended image, but
> joining machines via the manual procedure using the Windows GUI works
> perfectly.
> 
> Perhaps we're overlooking something very obvious, but we've done 3+ weeks
> of research on the issue and we've come up to these conclusions:
> 
> - samba < 4.2.0: unattended joins using sysprep work OK
> 
> - samba >= 4.2.0 unattended joins using sysprep fail. Netsetup.log errors
> 0x54a and 1354 (ERROR_INVALID_DOMAIN_ROLE This operation is only allowed
> for the primary Domain Controller of the domain.)
> 
> To discard possible own database corruptions, we've rolled back to our past
> 4.1.17 setup and sysprep domain join works flawlessly. Then we update this
> environment to 4.2.2 and it stops working.
> 
> We've also tested pushing all our current databases from our current setup
> (4.2.2) into a 4.1.17 samba and it works!
> 
> So it leads us to think it might be a problem with some change introduced
> at 4.2.0 regarding domain join that only shows up when trying to do
> unattended joins.
> 
> In case this is of any help, packet-level research using Wireshark shows
> that the only difference between versions that work and those which
> don't is the following:
> 
> - samba < 4.2.0 (works): the RPC_NETL DsrGetDcNameEx2 response returns the
> DC name field as DCSERVER.DOMAIN.LOCAL and the unattended join process
> works OK from that point onwards.
> 
> - samba >= 4.2.0 (fails): the DsrGetDcNameEx2 response returns the DC name
> field as DCSERVER and the unattended join process doesn't work. It keeps
> retrying that DsrGetDcNameEx2 request to no avail.
> 
> Are there any changes on 4.2.0 that might point to this failure for
> unattended joins? Joining the domain through the usual GUI procedure in
> Windows 7 works OK using any version.

This seems to be because of this commit:

>From 927a1030d78c25dbc43b6470f9ffe8b5fe664835 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat at matws.net>
Date: Mon, 26 Sep 2011 18:54:04 -0400
Subject: [PATCH] s4-netlogon: do not add \\ it has already be done in the
 fill_netlogon_samlogon_response

Reviewed-By: Andrew Bartlett <abarlett at samba.org>
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 5cc3b34..d916107 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1840,7 +1840,9 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call,
 
 	info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo);
 	W_ERROR_HAVE_NO_MEMORY(info);
-	info->dc_unc           = talloc_asprintf(mem_ctx, "\\\\%s", dc_name);
+	info->dc_unc = talloc_asprintf(mem_ctx, "%s%s",
+			dc_name[0] == '\\'? "\\\\":"",
+			talloc_strdup(mem_ctx, dc_name));
 	W_ERROR_HAVE_NO_MEMORY(info->dc_unc);
 
 	load_interface_list(mem_ctx, lp_ctx, &ifaces);
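Review bot: The ternary on the added line `dc_name[0] == '\\'? "\\\\":"",` is inverted relative to the subject line ("do not add \\ it has already be done"). As written it prepends `\\` when dc_name already starts with a backslash and prepends nothing when it does not, so a bare name leaves dc_unc without the UNC prefix and an already-prefixed name ends up with four backslashes. Swapping the arms (`dc_name[0] == '\\' ? "" : "\\\\"`) would match the stated intent. Separately, `talloc_strdup(mem_ctx, dc_name)` as the third argument is an extra allocation whose result is never checked; dc_name can be passed to talloc_asprintf directly. A short comment saying which caller is expected to have added the prefix would also help, since the hunk alone does not show it.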


If I revert that commit in samba 4.2.3, domain joins using sysprep start
working again.

Does anybody know what breaks by reverting this patch, or if there is another
way to fix it?

Best regards,

David

> 
> NB. We are using a .local TLD, and our current fileserver is the same as
> the DC. We missed those recommendations
> 
> Thanks in advance for any help
> 
> Regards,
> 
> IT Team IES Chan do Monte
> 



More information about the samba-technical mailing list