Sysprep joins fail on Samba >= 4.2.0
daka at daka.se
Tue Aug 4 11:58:41 UTC 2015
On Mon, Aug 03, 2015 at 04:42:36PM +0200, Webmaster IESCDM wrote:
> We have a samba 4.2.2 setup compiled from source, single DC, internal DNS.
> We've been using this samba setup in production since version 4.0.3. All
> clients are Windows 7-x64.
> Since we upgraded to samba 4.2.0 back in March 2015, we are not able to
> join client machines to the domain using our sysprep unattended image, but
> joining machines via the manual procedure using the Windows GUI works
> Perhaps we're overlooking something very obvious, but we've done 3+ weeks
> of research on the issue and we've come up to these conclusions:
> - samba < 4.2.0: unattended joins using sysprep work OK
> - samba >= 4.2.0 unattended joins using sysprep fail. Netsetup.log errors
> 0x54a and 1354 (ERROR_INVALID_DOMAIN_ROLE This operation is only allowed
> for the primary Domain Controller of the domain.)
> To discard possible own database corruptions, we've rolled back to our past
> 4.1.17 setup and sysprep domain join works flawlessly. Then we update this
> environment to 4.2.2 and it stops working.
> We've also tested pushing all our current databases from our current setup
> (4.2.2) into a 4.1.17 samba and it works!
> So it leads us to think it might be a problem with some change introduced
> at 4.2.0 regarding domain join that only shows up when trying to do
> unattended joins.
> In case this is of any help, packet-level research using wireshark shows
> that the only difference between versions that work and those which
> is the following:
> - samba < 4.2.0 (works): the RPC_NETL DsrGetDcNameEx2 response returns the
> DC name field as DCSERVER.DOMAIN.LOCAL and the unattended join process
> works OK from that point onwards.
> - samba >= 4.2.0 (fails): the DsrGetDcNameEx2 response returns the DC name
> field as DCSERVER and the unattended join process doesn't work. It keeps
> retrying DsrGetDcNameEx2 request to no avail.
> Are there any changes on 4.2.0 that might point to this failure for
> unattended joins? Joining the domain through the usual GUI procedure in
> Windows 7 works OK using any version.
This seems to be because of this commit:
From 927a1030d78c25dbc43b6470f9ffe8b5fe664835 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat at matws.net>
Date: Mon, 26 Sep 2011 18:54:04 -0400
Subject: [PATCH] s4-netlogon: do not add \\ it has already be done in the
Reviewed-By: Andrew Bartlett <abarlett at samba.org>
source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 5cc3b34..d916107 100644
@@ -1840,7 +1840,9 @@ static WERROR dcesrv_netr_DsRGetDCNameEx2(struct dcesrv_call_state *dce_call,
info = talloc(mem_ctx, struct netr_DsRGetDCNameInfo);
- info->dc_unc = talloc_asprintf(mem_ctx, "\\\\%s", dc_name);
+ info->dc_unc = talloc_asprintf(mem_ctx, "%s%s",
+ dc_name == '\\'? "\\\\":"",
+ talloc_strdup(mem_ctx, dc_name));
load_interface_list(mem_ctx, lp_ctx, &ifaces);
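Review bot: the condition on the second added line, `dc_name == '\\'`, compares dc_name itself with a character constant, while the same hunk passes dc_name to %s and to talloc_strdup() as a string, so this is a pointer-versus-integer comparison that will not be true for a valid name and the "\\\\" prefix is never emitted. If the intent is the one in the subject line (skip the prefix when the name already carries it), the test should look at the first character and be negated, for example `dc_name[0] != '\\' ? "\\\\" : ""`; with only an index added and the sense left as written, the prefix would be added exactly when it is already present. The talloc_strdup(mem_ctx, dc_name) argument is also an unnecessary copy, since talloc_asprintf() already copies the string into its result, and its return value is not checked for NULL before it is formatted.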
If I revert that commit in samba 4.2.3 domain joins using sysprep starts
Does anybody know what breaks by reverting this patch, or if there is another
way to fix it?
> NB. We are using a .local TLD, and our current fileserver is the same as
> the DC. We missed those recommendations
> Thanks in advance for any help
> IT Team IES Chan do Monte