[Samba] Samba 3.5.6 - numerous regressions while running as AD member against Samba4alpha14 DC

Andriy Syrovenko andriys at gmail.com
Wed Feb 2 02:35:29 MST 2011 

Hi!

I've setup Samba4alpha14 on a FreeBSD 8.2-RC2 box as a DC which just
works serving network of a couple of dozens of Win7 clients.
Then I installed Samba 3.5.6 on another of FreeBSD box and wanted to
join it into the AD.
I've run in the following set of issues:

1. Joining domain with

"net ads join -U administrator"

fails with the following error messages:

"kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials"

and then:

"Joining domain failed: Invalid credentials".

Having spent some time in debugger I've finally managed to join the
domain by adding the following line to my smd.conf:

"client ldap sasl wrapping = seal"

2. Attempts to perform a dynamic DNS update with

"net ads dns register -P"

simply saying "DNS update failed!". Again a couple of hours of
debugging, and the problem is solved using the following patch. Please
not though that I don't really understand what this patch actually
does! :)

diff -ur samba-3.5.6.orig/source3/libaddns/dnsgss.c
samba-3.5.6/source3/libaddns/dnsgss.c
--- samba-3.5.6.orig/source3/libaddns/dnsgss.c	2010-10-07
19:41:16.000000000 +0300
+++ samba-3.5.6/source3/libaddns/dnsgss.c	2011-02-01 16:31:35.000000000 +0200
@@ -175,7 +175,7 @@
 			 * TODO: Compare id and keyname
 			 */
 			
-			if ((resp->num_additionals != 1) ||
+			if (/*(resp->num_additionals != 1) ||*/
 			    (resp->num_answers == 0) ||
 			    (resp->answers[0]->type != QTYPE_TKEY)) {
 				err = ERROR_DNS_INVALID_MESSAGE;

3. nss_winbind shows only a single group for each domain user. I mean
when I issue the 'id username' command the 'Domain Users' group is
returned as primary group for username, but memberships in any other
groups is lost. I did not found a solution for this problem.

Meanwhile I reverted to Samba 3.4.9 and it just works. I've joined the
domain without "client ldap sasl wrapping = seal" being specified in
the config file, DDNS updates just work without any patches, and group
membership resolution is also works just fine.

When replying to this mail please place me in CC as I am not
subscribed to the list (yet).

Best regards,
Andrey.

More information about the samba mailing list