[Samba] Feature Request: Ability to join a IPv4-Only DC, into a Dual-Stacked "Samba4 AC DC" PDC.

Davor Vusir davortvusir at gmail.com
Sun Jul 20 23:02:54 MDT 2014


On 21 Jul 2014 06:48, "Martinx - ジェームズ" <thiagocmartinsc at gmail.com> wrote:
>
> Guys,
>
> I'm thinking here a bit more about this... Currently, I'm seeing that the
> Samba4 daemons hosted in an IPv4-Only machine try to establish the IPv6
> connection, *even if it doesn't have an IPv6 address*. This seems to be a
> bit odd.
>
> Simplifying it:
>
> * I believe that Samba4 is using the wrong "if conditions", I mean, when an
> IPv4-Only Samba4 Secondary DC instance "discovers" an AAAA address of its
> Primary DC, then it tries to connect to it via IPv6 immediately (I'm
> seeing this on Samba logs)! But this sounds wrong. Samba4 should only try
> to connect via IPv6 if, *and only if*, its machine has IPv6 connectivity.
> Otherwise, no matter if the PDC has IPv6, the IPv4-Only Secondary DC
> should not try to connect to it via IPv6 just because of that AAAA entry...
>
> Am I right?!
>

I think you're on to something. Is there a way to prioritize IPv4?

> So, if Samba4 code gets patched, to connect via IPv6 only if its machine
> has IPv6, instead of when it sees an AAAA entry, then, I believe that it
> will work the way I'm thinking it should!
>
> What do you guys think?!
>
> Best!
> Thiago
>
>
> On 21 July 2014 00:34, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
>
> > Hey guys!
> >
> > To make the adoption of IPv6 networks with Samba4 more smooth / robust, I
> > think that it is vital to give Samba4 the ability to join an
> > IPv4-Only Secondary DC into a Dual-Stacked Primary DC. This doesn't work
> > today.
> >
> > Otherwise, these days to enable IPv6 within a "Samba4 AC DC" network, it
> > is a requirement to enable it, simultaneously, on each and every network
> > controlled by your Samba4 (Am I right?). But, I truly believe that this
> > migration to IPv6 needs to be done in small steps, one network at a time.
> >
> > Pragmatically speaking, `samba-tool` must be able to join an IPv4-Only
> > Secondary DC into a Dual-Stacked "Samba4 AC DC" and, of course, Samba4
> > daemons must handle this too.
> >
> >
> > Exemplifying:
> >
> >
> > I have two `Samba4 AC DC`, both located in my office, dual-stacked (IPv4 +
> > IPv6), working like a charm.
> >
> > Now, I need to deploy a third DC, located within Amazon EC2, which does
> > NOT have IPv6. But samba-tool fails to join it.
> >
> > ---
> > 1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6
> > 2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6
> >
> > 3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only
> > ---
> >
> > At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and
> > 2", Kerberos works:
> >
> > ---
> > root at ubuntu-ad-3:~# kinit administrator
> > Password for administrator at CENTRAL.DOMAIN.COM.BR:
> > Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10 PM UTC
> > ---
> >
> > But samba-tool, when it sees the AAAA record, then tries to use it,
> > even if its host doesn't have IPv6 connectivity. I understand that IPv6
> > should be preferred but, only when the machine has it enabled...
> >
> > ---
> > strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
> > .....
> > [pid  1533] +++ killed by SIGKILL +++
> > --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533, si_status=SIGKILL, si_utime=0, si_stime=0} ---
> > socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
> > setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
> > *connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "2008:29Y:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)*
> > ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'CENTRAL.DOMAIN.COM.BR'
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
> >     machinepass, use_ntvfs, dns_backend, promote_existing)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
> >     ctx.server = ctx.find_dc(domain)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
> >     raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
> > +++ exited with 255 +++
> > ---
> >
> > Then, I tried to remove the AAAA records from `ubuntu-ad-1 & 2`, just to
> > check if `ubuntu-ad-3` was able to join and it joined but, it triggered
> > lots of errors on all DCs... Forcing me to re-provision the domain (now
> > IPv4-Only at office too) (from scratch - I'm too lame to fix Samba4
> > databases, so, I restart it from the beginning (domain provision) if
> > something bad happens).
> >
> > Now, I disabled IPv6 (very sad) at my office's DCs (ubuntu-ad-1 and
> > ubuntu-ad-2), just to be able to deploy a secondary DC within Amazon EC2
> > (IPv4-Only networks)...     :'(
> >
> > I think that it will be awesome to be able to mix "Dual-Stacked +
> > IPv6-Only + IPv4-Only" Networks! Don't you guys think? This way, it will be
> > much easier to start deploying IPv6 here and there, without enabling
> > everywhere at once.
> >
> > I don't know if this is the best place to ask for a "Samba Feature
> > Request" so, let me know if there is a better place to do it.
> >
> > Best Regards,
> > Thiago Martins
> >
> >


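The condition proposed in this thread (use a DC's AAAA address only when the joining host can actually route IPv6, and otherwise fall back to its A record) can be written as follows. This is an added Python example, not Samba's code and not from either poster; the function names are hypothetical and the 2001:db8::/192.0.2.0 addresses are constructed sample values.

```python
import ipaddress
import socket

def has_route(addr, port=389):
    """True if the local kernel can route to addr.

    connect() on a UDP socket sends no packet; it only selects a route and
    source address, so a host without IPv6 fails at once with ENETUNREACH
    (the error in the strace above) or cannot create the socket at all.
    """
    family = socket.AF_INET6 if ipaddress.ip_address(addr).version == 6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((addr, port))
        return True
    except OSError:
        return False

def usable_candidates(addrs, route_check=has_route):
    """Drop addresses this host cannot route to; keep IPv6 ahead of IPv4."""
    usable = [a for a in addrs if route_check(a)]
    return sorted(usable, key=lambda a: ipaddress.ip_address(a).version != 6)

def find_dc(addrs, probe, route_check=has_route):
    """Return the first candidate that answers probe(addr).

    A failure on one address moves on to the next one instead of aborting
    the whole search; the error is raised only when every candidate failed.
    """
    errors = {}
    for addr in usable_candidates(addrs, route_check):
        try:
            probe(addr)
            return addr
        except OSError as exc:
            errors[addr] = exc
    raise RuntimeError("no reachable DC among %s (%s)" % (list(addrs), errors))

# Constructed sample: the A and AAAA records of one dual-stacked DC.
DC_ADDRS = ["2001:db8::10", "192.0.2.10"]

def ipv4_only_host(addr):
    """Stand-in route check that models a host with no IPv6 route."""
    return ipaddress.ip_address(addr).version == 4

if __name__ == "__main__":
    print(usable_candidates(DC_ADDRS, ipv4_only_host))   # IPv4-only joiner
    print(usable_candidates(DC_ADDRS, lambda a: True))   # dual-stacked joiner
```

For name lookups, the AI_ADDRCONFIG flag of getaddrinfo() applies a comparable filter at resolution time, returning IPv6 results only when the host has an IPv6 address configured.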