samba - Feb 2011 - Samba 3.5.6 - numerous regressions while running as AD member against Samba4alpha14 DC

Hi!

I've setup Samba4alpha14 on a FreeBSD 8.2-RC2 box as a DC which just
works serving network of a couple of dozens of Win7 clients.
Then I installed Samba 3.5.6 on another of FreeBSD box and wanted to
join it into the AD.
I've run in the following set of issues:

1. Joining domain with

"net ads join -U administrator"

fails with the following error messages:

"kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
credentials"

and then:

"Joining domain failed: Invalid credentials".

Having spent some time in debugger I've finally managed to join the
domain by adding the following line to my smd.conf:

"client ldap sasl wrapping = seal"

2. Attempts to perform a dynamic DNS update with

"net ads dns register -P"

simply saying "DNS update failed!". Again a couple of hours of
debugging, and the problem is solved using the following patch. Please
not though that I don't really understand what this patch actually
does! :)

diff -ur samba-3.5.6.orig/source3/libaddns/dnsgss.c
samba-3.5.6/source3/libaddns/dnsgss.c
--- samba-3.5.6.orig/source3/libaddns/dnsgss.c	2010-10-07
19:41:16.000000000 +0300
+++ samba-3.5.6/source3/libaddns/dnsgss.c	2011-02-01 16:31:35.000000000 +0200
@@ -175,7 +175,7 @@
 			 * TODO: Compare id and keyname
 			 */
 			
-			if ((resp->num_additionals != 1) ||
+			if (/*(resp->num_additionals != 1) ||*/
 			    (resp->num_answers == 0) ||
 			    (resp->answers[0]->type != QTYPE_TKEY)) {
 				err = ERROR_DNS_INVALID_MESSAGE;

3. nss_winbind shows only a single group for each domain user. I mean
when I issue the 'id username' command the 'Domain Users' group
is
returned as primary group for username, but memberships in any other
groups is lost. I did not found a solution for this problem.

Meanwhile I reverted to Samba 3.4.9 and it just works. I've joined the
domain without "client ldap sasl wrapping = seal" being specified in
the config file, DDNS updates just work without any patches, and group
membership resolution is also works just fine.

When replying to this mail please place me in CC as I am not
subscribed to the list (yet).

Best regards,
Andrey.

I think samba-technical might be a more appropriate list for this
question, since it involves Samba 4 (which is still in alpha and the
HOWTO says to discuss issues on samba-technical).  I have copied my
reply there.

On 2 February 2011 11:35, Andriy Syrovenko <andriys at gmail.com>
wrote:
> Hi!
>
> I've setup Samba4alpha14 on a FreeBSD 8.2-RC2 box as a DC which just
> works serving network of a couple of dozens of Win7 clients.
> Then I installed Samba 3.5.6 on another of FreeBSD box and wanted to
> join it into the AD.
> I've run in the following set of issues:
>
> 1. Joining domain with
>
> "net ads join -U administrator"
>
> fails with the following error messages:
>
> "kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
credentials"
>
> and then:
>
> "Joining domain failed: Invalid credentials".
Perhaps if you provide some network traces and maybe some debug level
10 logs from the client and server when you try this, someone will be
able to tell you what the problem is.
> Having spent some time in debugger I've finally managed to join the
> domain by adding the following line to my smd.conf:
>
> "client ldap sasl wrapping = seal"
>
> 2. Attempts to perform a dynamic DNS update with
>
> "net ads dns register -P"
>
> simply saying "DNS update failed!". Again a couple of hours of
> debugging, and the problem is solved using the following patch. Please
> not though that I don't really understand what this patch actually
> does! :)
>
> diff -ur samba-3.5.6.orig/source3/libaddns/dnsgss.c
> samba-3.5.6/source3/libaddns/dnsgss.c
> --- samba-3.5.6.orig/source3/libaddns/dnsgss.c ?2010-10-07
> 19:41:16.000000000 +0300
> +++ samba-3.5.6/source3/libaddns/dnsgss.c ? ? ? 2011-02-01
16:31:35.000000000 +0200
> @@ -175,7 +175,7 @@
> ? ? ? ? ? ? ? ? ? ? ? ? * TODO: Compare id and keyname
> ? ? ? ? ? ? ? ? ? ? ? ? */
>
> - ? ? ? ? ? ? ? ? ? ? ? if ((resp->num_additionals != 1) ||
> + ? ? ? ? ? ? ? ? ? ? ? if (/*(resp->num_additionals != 1) ||*/
> ? ? ? ? ? ? ? ? ? ? ? ? ? ?(resp->num_answers == 0) ||
> ? ? ? ? ? ? ? ? ? ? ? ? ? ?(resp->answers[0]->type != QTYPE_TKEY)) {
> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?err = ERROR_DNS_INVALID_MESSAGE;
>
> 3. nss_winbind shows only a single group for each domain user. I mean
> when I issue the 'id username' command the 'Domain Users'
group is
> returned as primary group for username, but memberships in any other
> groups is lost. I did not found a solution for this problem.
>
> Meanwhile I reverted to Samba 3.4.9 and it just works. I've joined the
> domain without "client ldap sasl wrapping = seal" being specified
in
> the config file, DDNS updates just work without any patches, and group
> membership resolution is also works just fine.
>
> When replying to this mail please place me in CC as I am not
> subscribed to the list (yet).
>
> Best regards,
> Andrey.
-- 
Michael Wood <esiotrot at gmail.com>