[Samba] Feature Request: Ability to join a IPv4-Only DC, into a Dual-Stacked "Samba4 AC DC" PDC.

Martinx - ジェームズ thiagocmartinsc at gmail.com
Sun Jul 20 22:47:41 MDT 2014


Guys,

I'm thinking here a bit more about this... Currently, I'm seeing that the
Samba4 daemons hosted on an IPv4-Only machine try to establish the IPv6
connection, *even if it doesn't have an IPv6 address*. This seems to be a
bit odd.

Simplifying it:

* I believe that Samba4 is using the wrong "if conditions", I mean, when an
IPv4-Only Samba4 Secondary DC instance "discovers" an AAAA address of its
Primary DC, it then tries to connect to it via IPv6 immediately (I'm
seeing this in the Samba logs)! But this sounds wrong. Samba4 should only try
to connect via IPv6 if, *and only if*, its machine has IPv6 connectivity.
Otherwise, no matter if the PDC has IPv6, the IPv4-Only Secondary DC
should not try to connect to it via IPv6 just because of that AAAA entry...

Am I right?!

So, if the Samba4 code gets patched to connect via IPv6 only if its machine
has IPv6, instead of when it sees an AAAA entry, then I believe that it
will work the way I'm thinking it should!

What do you guys think?!

Best!
Thiago


On 21 July 2014 00:34, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:

> Hey guys!
>
> To make the adoption of IPv6 networks with Samba4 smoother / more robust, I
> think that it is vital to give Samba4 the ability to join an
> IPv4-Only Secondary DC into a Dual-Stacked Primary DC. This doesn't work
> today.
>
> Otherwise, these days to enable IPv6 within a "Samba4 AC DC" network, it
> is a requirement to enable it, simultaneously, on each and every network
> controlled by your Samba4 (Am I right?). But, I truly believe that this
> migration to IPv6 needs to be done in small steps, one network at a time.
>
> Pragmatically speaking, `samba-tool` must be able to join an IPv4-Only
> Secondary DC into a Dual-Stacked "Samba4 AC DC" and, of course, the Samba4
> daemons must handle this too.
>
>
> Exemplifying:
>
>
> I have two `Samba4 AC DC`, both located in my office, dual-stacked (IPv4 +
> IPv6), working like a charm.
>
> Now, I need to deploy a third DC, located within Amazon EC2, which does
> NOT have IPv6. But samba-tool fails to join it.
>
> ---
> 1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6
> 2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6
>
> 3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only
> ---
>
> At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and
> 2", Kerberos works:
>
> ---
> root@ubuntu-ad-3:~# kinit administrator
> Password for administrator@CENTRAL.DOMAIN.COM.BR:
> Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10 PM UTC
> ---
>
> But samba-tool, when it sees the AAAA record, then tries to use it,
> even if its host doesn't have IPv6 connectivity. I understand that IPv6
> should be preferred but, only when the machine has it enabled...
>
> ---
> strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
> .....
> [pid  1533] +++ killed by SIGKILL +++
> --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533,
> si_status=SIGKILL, si_utime=0, si_stime=0} ---
> socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
> setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
> *connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6,
> "2008:29Y:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0},
> 28) = -1 ENETUNREACH (Network is unreachable)*
> ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'CENTRAL.DOMAIN.COM.BR'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
>     machinepass, use_ntvfs, dns_backend, promote_existing)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
>     ctx.server = ctx.find_dc(domain)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
>     raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
> +++ exited with 255 +++
> ---
>
> Then, I tried to remove the AAAA records from `ubuntu-ad-1 & 2`, just to
> check if `ubuntu-ad-3` was able to join, and it joined, but it triggered
> lots of errors on all DCs... Forcing me to re-provision the domain (now
> IPv4-Only at office too) (from scratch - I'm too lame to fix Samba4
> databases, so, I restart it from the beginning (domain provision) if
> something bad happens).
>
> Now, I disabled IPv6 (very sad) at my office's DCs (ubuntu-ad-1 and
> ubuntu-ad-2), just to be able to deploy a secondary DC within Amazon EC2
> (IPv4-Only networks)...     :'(
>
> I think that it will be awesome to be able to mix "Dual-Stacked +
> IPv6-Only + IPv4-Only" Networks! Don't you guys think? This way, it will be
> much easier to start deploying IPv6 here and there, without enabling
> everywhere at once.
>
> I don't know if this is the best place to ask for a "Samba Feature
> Request" so, let me know if there is a better place to do it.
>
> Best Regards,
> Thiago Martins
>
>
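
The address selection requested in this message, sketched as an added example (not Samba's code and not part of the original post): candidates are kept only if the local host can route to them, IPv6 is preferred among the survivors, and the join fails only when every routable address has failed. All function names are hypothetical, and the addresses are constructed from the documentation ranges.

```python
import errno
import ipaddress
import socket

# Constructed sample: what DNS returns for a dual-stacked DC (documentation ranges).
SAMPLE_ADDRS = ["2001:db8::66", "192.0.2.10"]

def udp_probe(addr, port=389):
    """connect() on a UDP socket sends nothing; the kernel only does a route
    lookup, so a host without IPv6 gets ENETUNREACH here, as in the strace."""
    v6 = ipaddress.ip_address(addr).version == 6
    with socket.socket(socket.AF_INET6 if v6 else socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((addr, port))

def ipv4_only_probe(addr, port=389):
    """Stand-in for udp_probe on an IPv4-only host (keeps the demo offline)."""
    if ipaddress.ip_address(addr).version == 6:
        raise OSError(errno.ENETUNREACH, "Network is unreachable")

def reachable_candidates(addrs, probe=udp_probe):
    """Split addrs into (usable, skipped); usable lists IPv6 first."""
    usable, skipped = [], []
    for addr in addrs:
        try:
            probe(addr)
            usable.append(addr)
        except OSError as e:
            skipped.append((addr, errno.errorcode.get(e.errno, "UNKNOWN")))
    usable.sort(key=lambda a: ipaddress.ip_address(a).version != 6)  # stable sort
    return usable, skipped

def find_dc(addrs, connect, probe=udp_probe):
    """Return (addr, session) for the first address that connects; give up
    only after every locally routable address has failed."""
    usable, failed = reachable_candidates(addrs, probe)
    for addr in usable:
        try:
            return addr, connect(addr)
        except OSError as e:
            failed.append((addr, errno.errorcode.get(e.errno, "UNKNOWN")))
    raise ConnectionError("no usable DC address, tried: %r" % failed)

if __name__ == "__main__":
    # On the IPv4-only host the AAAA address is skipped instead of aborting the join.
    print(reachable_candidates(SAMPLE_ADDRS, probe=ipv4_only_probe))
```

The skipped list records which address family was dropped and why, which is the detail an administrator needs when a join silently falls back to IPv4.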

