Realmd cannot join Samba4 Domain

Niklas Andersson niklas.andersson at openforce.se
Sun May 4 13:46:42 MDT 2014


I found the Debian repo here [1]. I saw that 4.1.7 is tagged there, so
I guess I'll get this patch with the 4.1.8 release. I guess I can wait
until then to test the realmd join. At the company I work for we are
replacing Windows clients with Ubuntu, and we are aiming for realmd/sssd.

In the meantime I am preparing the ground for some serious
Samba4 experiments. I am automating everything with Vagrant. If anyone is
curious you can have a look at this git repo [2]. I am setting up
automated provisioning of both a Samba4 AD DC and realmd as the client, and I
will start doing some experiments with OpenLDAP/GSSAPI/SASL and using
Samba4's Kerberos capabilities.

My goal is full automation and full Single Sign-On capabilities.

[1] git://anonscm.debian.org/pkg-samba/samba.git
[2] https://github.com/xnandersson/dcpromo-vagrant-ocn


Regards,
Niklas


2014-05-04 20:15 GMT+02:00 Niklas Andersson <niklas.andersson at openforce.se>:

> Ah, thanks a lot Stefan :) It looks like it is already solved then! I need
> to get hold of a more up-to-date repo!
>
> Thanks again!
>
> Regards,
> Niklas
>
>
> 2014-05-04 20:11 GMT+02:00 Stefan (metze) Metzmacher <metze at samba.org>:
>
> Hi Niklas,
>>
>> >  I am doing some automated testing setting up Samba4 AD DC and Realmd.
>> >
>> >  The thing is that realm discover [Samba4-domain] gives an error:
>> >
>> > vagrant at client002:~$ realm discover -v openforce.org
>> >  * Resolving: _ldap._tcp.openforce.org
>> >  * Performing LDAP DSE lookup on: 192.168.33.2
>> >  ! Received invalid or unsupported Netlogon data from server
>> > openforce.org
>> >   type: kerberos
>> >   realm-name: OPENFORCE.ORG
>> >   domain-name: openforce.org
>> >   configured: no
>> >
>> >
>> > ...it works when you do a discover of a Microsoft Active Directory domain.
>> >
>> > I think the problem lies in Samba4 AD DC not exposing certain capabilities.
>> > The code in question in realmd is this:
>> >
>> > realm_disco_mscldap_request (LDAP *ldap,
>> >                              int *msgidp,
>> >                              GError **error)
>> > {
>> >         char *attrs[] = { "NetLogon", NULL };
>> >         int rc;
>> >
>> >         rc = ldap_search_ext (ldap, "", LDAP_SCOPE_BASE,
>> >                               "(&(NtVer=\\06\\00\\00\\00)(AAC=\\00\\00\\00\\00))",
>> >                               attrs, 0, NULL, NULL, NULL,
>> >                               -1, msgidp);
>> >
>> >         if (rc != LDAP_SUCCESS) {
>> >                 realm_ldap_set_error (error, ldap, rc);
>> >                 return FALSE;
>> >         }
>> >
>> >         return TRUE;
>> > }
>> >
>> > Sorry, I haven't been able to decipher the LDAP query further; I was
>> > also able to see this using Wireshark when I wiretapped the connection.
>> >
>> > Samba4 AD DC returns nothing, while MS AD returns...something. I haven't
>> > been able to reproduce the query. There is something going on with
>> > anonymous binding, and there is a query sent with "NetLogon", but I
>> > haven't been able to reproduce this query manually with any success.
>> >
>> >
>> >  FYI: I am using samba4 4.1.6 from the Ubuntu repo. If you know of any
>> > PPA with current trunk, I would be grateful for that information.
>>
>> This seems to be https://bugzilla.samba.org/show_bug.cgi?id=10524.
>>
>> metze
>>
>>
>
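The query quoted from realmd above is the MS-CLDAP "LDAP ping" (MS-ADTS section 6.3.3): a base-scope search of the rootDSE whose filter carries two binary values, NtVer (the NETLOGON_NT_VERSION flags, here the little-endian uint32 0x00000006 = V5 | V5EX, RFC 4515-escaped as \06\00\00\00) and AAC (allowed account controls, zero), asking for the operational attribute NetLogon. A DC that supports it answers with one NETLOGON_SAM_LOGON_RESPONSE_EX blob; realmd's "Received invalid or unsupported Netlogon data" is what it prints when that blob is missing or fails to decode. The following is an added example for this thread, not code from realmd or Samba: it builds the same filter string, encodes a constructed reply with the RFC 1035 label compression the format uses, and decodes it with the checks a client needs (opcode, compression pointers that only point backwards, fixed trailer, 0xFFFF tokens, V5EX echoed in NtVersion). The domain names, site names, GUID and DS flag values are made up; the 5EX_WITH_IP variant that inserts a sockaddr before the trailer is deliberately not handled.

```python
# Added example for this thread, not realmd or Samba code: realmd's rootDSE filter plus an
# encoder/decoder for the NETLOGON_SAM_LOGON_RESPONSE_EX reply (MS-ADTS 6.3.1.9). Sample data is made up.
import struct
import uuid

# NtVersion flags sent in NtVer (MS-ADTS 6.3.1.1); realmd's 6 = V5 | V5EX.
NT_VERSION_5, NT_VERSION_5EX, NT_VERSION_WITH_CLOSEST_SITE = 0x2, 0x4, 0x10
LOGON_SAM_LOGON_RESPONSE_EX = 0x17   # reply opcode for a V5EX request
# DS flags advertised by the DC (MS-ADTS 6.3.1.2), selected bits only.
DS_FLAGS = {0x1: "PDC", 0x4: "GC", 0x8: "LDAP", 0x10: "DS", 0x20: "KDC",
            0x40: "TIMESERV", 0x80: "CLOSEST", 0x100: "WRITABLE", 0x200: "GOOD_TIMESERV",
            0x20000000: "DNS_CONTROLLER", 0x40000000: "DNS_DOMAIN", 0x80000000: "DNS_FOREST"}
NAME_FIELDS = ("forest", "dns_domain", "dc_dns_name", "netbios_domain",
               "netbios_dc", "user_name", "server_site", "client_site")
SAMPLE_GUID = uuid.UUID("9f2a1c40-3b7e-4d52-8a11-5c0e6d7f8b90")  # made up


def netlogon_filter(nt_version, aac=0):
    """Build the rootDSE filter: NtVer and AAC are LE uint32, RFC 4515 escaped."""
    esc = lambda raw: "".join("\\%02x" % b for b in raw)
    return "(&(NtVer=%s)(AAC=%s))" % (esc(struct.pack("<I", nt_version)),
                                       esc(struct.pack("<I", aac)))


def _read_name(blob, pos):
    """Read an RFC 1035 compressed name; pointer offsets count from blob[0]."""
    labels, end, low = [], None, pos
    while True:
        if pos >= len(blob):
            raise ValueError("name runs past end of Netlogon data")
        length = blob[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if pos + 1 >= len(blob):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | blob[pos + 1]
            if target >= low:                      # must point strictly earlier
                raise ValueError("bad compression pointer")
            end = pos + 2 if end is None else end
            pos = low = target
            continue
        pos += 1
        if length == 0:
            break
        labels.append(blob[pos:pos + length].decode("utf-8"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def _write_name(name, blob, seen):
    """Append a compressed name, pointing back at any suffix already written."""
    labels = name.split(".") if name else []
    while labels:
        suffix = ".".join(labels)
        if suffix in seen:
            blob += struct.pack(">H", 0xC000 | seen[suffix])
            return
        seen[suffix] = len(blob)
        label = labels.pop(0).encode("utf-8")
        blob += bytes([len(label)]) + label
    blob.append(0)


def build_response_ex(names, flags, domain_guid, nt_version, next_closest_site=""):
    """Encode the DC side of the exchange (5EX_WITH_IP sockaddr not supported)."""
    blob = bytearray(struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, flags))
    blob += domain_guid.bytes_le
    seen = {}
    for field in NAME_FIELDS:
        _write_name(names.get(field, ""), blob, seen)
    if nt_version & NT_VERSION_WITH_CLOSEST_SITE:  # optional trailing name
        _write_name(next_closest_site, blob, seen)
    blob += struct.pack("<IHH", nt_version, 0xFFFF, 0xFFFF)
    return bytes(blob)


def parse_response_ex(blob, nt_version_requested):
    """Decode a reply; ValueError is what realmd surfaces as "invalid or
    unsupported Netlogon data" (5EX_WITH_IP sockaddr not supported)."""
    if len(blob) < 8 + 16 + len(NAME_FIELDS) + 8:
        raise ValueError("Netlogon data too short")
    opcode, sbz, flags = struct.unpack_from("<HHI", blob, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX or sbz != 0:
        raise ValueError("not a NETLOGON_SAM_LOGON_RESPONSE_EX (opcode 0x%x)" % opcode)
    out = {"opcode": opcode, "flags": flags,
           "flag_names": sorted(n for b, n in DS_FLAGS.items() if flags & b),
           "domain_guid": str(uuid.UUID(bytes_le=bytes(blob[8:24])))}
    pos = 24
    for field in NAME_FIELDS:
        out[field], pos = _read_name(blob, pos)
    if nt_version_requested & NT_VERSION_WITH_CLOSEST_SITE:
        out["next_closest_site"], pos = _read_name(blob, pos)
    if len(blob) - pos != 8:                       # NtVersion + LmNt + Lm20
        raise ValueError("truncated reply or trailing garbage")
    out["nt_version"], lmnt, lm20 = struct.unpack_from("<IHH", blob, pos)
    if lmnt != 0xFFFF or lm20 != 0xFFFF or not out["nt_version"] & NT_VERSION_5EX:
        raise ValueError("bad LmNt/Lm20 tokens or NtVersion without V5EX")
    return out


def sample_exchange(nt_version=NT_VERSION_5 | NT_VERSION_5EX):
    """Constructed request/reply round trip, not a capture from any real DC."""
    names = {"forest": "openforce.org", "dns_domain": "openforce.org",
             "dc_dns_name": "dc001.openforce.org", "netbios_domain": "OPENFORCE",
             "netbios_dc": "DC001", "server_site": "Site-A", "client_site": "Site-A"}
    reply = build_response_ex(names, 0xC00003FD, SAMPLE_GUID, nt_version, "Other-Site")
    return netlogon_filter(nt_version), reply, parse_response_ex(reply, nt_version)
```

`sample_exchange()` returns the filter string realmd sends, the encoded reply and the decoded dictionary; the reply contains the bytes "openforce" only once because the forest, domain and DC host names share a compressed suffix. Against a live DC the same filter can be sent with `ldapsearch -x -H ldap://<dc> -s base -b "" '(&(NtVer=\06\00\00\00)(AAC=\00\00\00\00))' NetLogon` and the base64 value fed to `parse_response_ex(..., 6)`; a server that returns no NetLogon attribute at all, as described in the thread, never reaches the decoder.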


More information about the samba-technical mailing list