Martinx - ジェームズ
2014-Jul-21 03:34 UTC
[Samba] Feature Request: Ability to join an IPv4-Only DC into a Dual-Stacked "Samba4 AC DC" PDC.
Hey guys!

To make the adoption of IPv6 networks with Samba4 smoother / more robust, I think that it is vital to give Samba4 the ability to join an IPv4-Only Secondary DC into a Dual-Stacked Primary DC. This doesn't work today.

Otherwise, these days to enable IPv6 within a "Samba4 AC DC" network, it is a requirement to enable it, simultaneously, on each and every network controlled by your Samba4 (Am I right?). But I truly believe that this migration to IPv6 needs to be done in small steps, one network at a time.

Pragmatically speaking, `samba-tool` must be able to join an IPv4-Only Secondary DC into a Dual-Stacked "Samba4 AC DC" and, of course, the Samba4 daemons must handle this too.

Exemplifying:

I have two `Samba4 AC DC`, both located in my office, dual-stacked (IPv4 + IPv6), working like a charm.

Now, I need to deploy a third DC, located within Amazon EC2, which does NOT have IPv6. But samba-tool fails to join it.

---
1- ubuntu-ad-1 - Master - ok - office LAN1 - IPv4 / IPv6
2- ubuntu-ad-2 - Slave1 - ok - office LAN2 - IPv4 / IPv6

3- ubuntu-ad-3 - Slave2 - can't join - AWS EC2 VPC - IPv4-Only
---

At "ubuntu-ad-3", its DNS (resolv.conf) points to "IPv4 of ubuntu-ad-1 and 2", and Kerberos works:

---
root@ubuntu-ad-3:~# kinit administrator
Password for administrator@CENTRAL.DOMAIN.COM.BR:
Warning: Your password will expire in 40 days on Thu 28 Aug 2014 05:56:10 PM UTC
---

But samba-tool, when it sees the AAAA record, then tries to use it, even if its host doesn't have IPv6 connectivity. I understand that IPv6 should be preferred, but only when the machine has it enabled...

---
strace -f -e trace=network samba-tool domain join CENTRAL.DOMAIN.COM.BR DC -Uadministrator --realm=CENTRAL.DOMAIN.COM.BR --dns-backend=BIND9_DLZ
.....
[pid 1533] +++ killed by SIGKILL +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1533, si_status=SIGKILL, si_utime=0, si_stime=0} ---
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
setsockopt(5, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
*connect(5, {sa_family=AF_INET6, sin6_port=htons(389), inet_pton(AF_INET6, "2008:29Y:XXX:85Xa::66XX", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)*
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'CENTRAL.DOMAIN.COM.BR'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1150, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 76, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 262, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)
+++ exited with 255 +++
---

Then, I tried to remove the AAAA records from `ubuntu-ad-1 & 2`, just to check if `ubuntu-ad-3` was able to join, and it joined, but it triggered lots of errors on all DCs... forcing me to re-provision the domain (now IPv4-Only at the office too) from scratch (I'm too lame to fix Samba4 databases, so I restart from the beginning (domain provision) if something bad happens).

Now, I disabled IPv6 (very sad) at my office's DCs (ubuntu-ad-1 and ubuntu-ad-2), just to be able to deploy a secondary DC within Amazon EC2 (IPv4-Only networks)... :'(

I think that it will be awesome to be able to mix "Dual-Stacked + IPv6-Only + IPv4-Only" Networks! Don't you guys think?

This way, it will be much easier to start deploying IPv6 here and there, without enabling it everywhere at once.

I don't know if this is the best place to ask for a "Samba Feature Request", so let me know if there is a better place to do it.

Best Regards,
Thiago Martins
Davor Vusir
2014-Jul-21 04:27 UTC
[Samba] Feature Request: Ability to join an IPv4-Only DC into a Dual-Stacked "Samba4 AC DC" PDC.
On 21 Jul 2014 05:35, "Martinx - ジェームズ" <thiagocmartinsc at gmail.com> wrote:
Off topic; I'm running IPv4 only and got creating and moving DCs between Sites (using BIND9_DLZ) in the MMC AD Sites and Services to work. I think it is sluggish, so to speak, but it works. Have you got a spare minute to test? I'm suspecting IPv6 (dual stack) to be the cause...

Regards
Davor
Martinx - ジェームズ
2014-Jul-21 04:47 UTC
[Samba] Feature Request: Ability to join an IPv4-Only DC into a Dual-Stacked "Samba4 AC DC" PDC.
Guys, I'm thinking here a bit more about this...

Currently, I'm seeing that the Samba4 daemons hosted on an IPv4-Only machine try to establish the IPv6 connection, *even if it doesn't have an IPv6 address*. This seems to be a bit odd.

Simplifying it:

* I believe that Samba4 is using the wrong "if conditions". I mean, when an IPv4-Only Samba4 Secondary DC instance "discovers" an AAAA address of its Primary DC, then it tries to connect to it via IPv6 immediately (I'm seeing this in the Samba logs)! But this sounds wrong. Samba4 should only try to connect via IPv6 if, *and only if*, its machine has IPv6 connectivity. Otherwise, no matter if the PDC has IPv6, the IPv4-Only Secondary DC should not try to connect to it via IPv6 just because of that AAAA entry... Am I right?!

So, if the Samba4 code gets patched to connect via IPv6 only if its machine has IPv6, instead of whenever it sees an AAAA entry, then I believe that it will work the way I'm thinking it should!

What do you guys think?!

Best!
Thiago

On 21 July 2014 00:34, Martinx - ジェームズ <thiagocmartinsc at gmail.com> wrote:
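The selection logic Thiago asks for in the message above (consider an AAAA candidate only when the host actually has IPv6, and on ENETUNREACH move on to the A record instead of aborting the whole join) as an added Python example. This is not Samba's own code and does not reflect how `samba-tool`'s `find_dc` is implemented; the helper names (`host_has_ipv6`, `order_candidates`, `find_reachable_dc`, `simulate_ipv4_only_host`, `tcp_connect`) and the documentation-prefix addresses in `SAMPLE_RECORDS` are constructed for the example.

```python
import errno
import socket
from typing import Callable, Dict, List, Optional, Tuple

Candidate = Tuple[int, str]  # (address family, textual address)

# Constructed DNS answers standing in for the thread's two office DCs.
# The addresses are documentation-prefix placeholders, not the real ones.
SAMPLE_RECORDS: Dict[str, List[Candidate]] = {
    "ubuntu-ad-1.central.domain.com.br": [
        (socket.AF_INET6, "2001:db8:1::1"),   # AAAA
        (socket.AF_INET, "192.0.2.10"),       # A
    ],
    "ubuntu-ad-2.central.domain.com.br": [
        (socket.AF_INET6, "2001:db8:2::1"),
        (socket.AF_INET, "192.0.2.20"),
    ],
}

# errnos that mean "this particular address is not reachable from here";
# they should move us to the next candidate, not abort the whole join.
_SKIPPABLE = {errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL,
              errno.ECONNREFUSED, errno.ETIMEDOUT}


def host_has_ipv6() -> bool:
    """True only if this host can source global IPv6 traffic.

    connect() on a UDP socket sends no packet; it only asks the kernel for
    a route. On an IPv4-only host like ubuntu-ad-3 it fails with
    ENETUNREACH, the same error the strace in the thread shows.
    """
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
            s.connect(("2001:db8::1", 53))
        return True
    except OSError:
        return False


def order_candidates(records: List[Candidate], ipv6_ok: bool) -> List[Candidate]:
    """Prefer AAAA when the host has IPv6; otherwise leave AAAA out entirely."""
    v6 = [r for r in records if r[0] == socket.AF_INET6]
    v4 = [r for r in records if r[0] == socket.AF_INET]
    return v6 + v4 if ipv6_ok else v4


def find_reachable_dc(names: List[str],
                      resolve: Callable[[str], List[Candidate]],
                      try_connect: Callable[[int, str, int], bool],
                      ipv6_ok: bool,
                      port: int = 389) -> Optional[Tuple[str, int, str]]:
    """Return (name, family, addr) of the first DC we can reach, or None.

    try_connect(family, addr, port) returns True on success, False on a
    clean failure, or raises OSError. Unreachable-network errors fall
    through to the next candidate instead of raising, so an IPv4-only host
    ends up on the A record rather than failing on the AAAA one.
    """
    for name in names:
        for family, addr in order_candidates(resolve(name) or [], ipv6_ok):
            try:
                if try_connect(family, addr, port):
                    return (name, family, addr)
            except OSError as exc:
                if exc.errno in _SKIPPABLE:
                    continue
                raise
    return None


def simulate_ipv4_only_host(family: int, addr: str, port: int) -> bool:
    """Constructed stand-in for a real connect on an IPv4-only host: every
    IPv6 attempt fails the way the strace shows, every IPv4 attempt works."""
    if family == socket.AF_INET6:
        raise OSError(errno.ENETUNREACH, "Network is unreachable")
    return True


def tcp_connect(family: int, addr: str, port: int, timeout: float = 3.0) -> bool:
    """Real TCP probe, for use instead of the simulator on a live network."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((addr, port))
    return True


if __name__ == "__main__":
    ok = host_has_ipv6()
    print("host has usable IPv6:", ok)
    print(find_reachable_dc(list(SAMPLE_RECORDS), SAMPLE_RECORDS.get,
                            simulate_ipv4_only_host, ipv6_ok=ok))
```

Run as-is it only exercises the simulator, so it never touches the network beyond the route lookup in `host_has_ipv6`; swapping `simulate_ipv4_only_host` for `tcp_connect` turns it into a real reachability check against whatever resolver you pass in. Skipping the IPv6 family when the host has no route also avoids the long connect timeouts and spurious "cannot reach DC" noise that otherwise show up in logs on IPv4-only hosts.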