samba - Jun 2017 - samba 4.4.14 breaks classic domain

I have several Samba 4.4.x servers (Solaris 11 x86_x64) in a samba 
classic domain.    Samba patches are provided via the Oracle solaris 
package update system.


The two domain controllers are running Samba 4.4.8.


A few weeks ago I ran the latest package  updates on a non-critical 
server, which brought it up to 4.4.13.      All was OK as far as I could 
tell.  This weekend I updated packages and brought the server up to 4.1.14.

This appears to have broken compatibility with the domain.

    root at memberserver1:~# net rpc testjoin
    Join to domain 'MYDOMAIN' is not valid:
    NT_STATUS_CONNECTION_DISCONNECTED
    root at memberserver1:~#


    root at memberserver1:~# net rpc join -U Administrator -S PDCServerName
    Enter Administrator's password:
    Failed to join domain: failed to lookup DC info for domain
    'MYDOMAIN' over rpc: The transport connection is now disconnected.
    root at memberserver1:~#


    root at memberserver1:~# net rpc join -U Administrator -S PDCServerIP
    Enter Administrator's password:
    Failed to join domain: failed to lookup DC info for domain
    'MYDOMAIN' over rpc: The transport connection is now disconnected.
    root at memberserver1:~#




"nslookup PDCServer" and "ping PDCServer" both work fine.


I suspect 4.4.14 was not tested in a classic domain and that I may be 
out of luck.


Appreciate the help.


Thanks

On Tue, 2017-06-20 at 17:23 -0400, Gaiseric Vandal via samba
wrote:
> I have several Samba 4.4.x servers (Solaris 11 x86_x64) in a samba 
> classic domain.    Samba patches are provided via the Oracle solaris 
> package update system.
> 
> 
> The two domain controllers are running Samba 4.4.8.
> 
> 
> A few weeks ago I ran the latest package  updates on a non-critical 
> server, which brought it up to 4.4.13.      All was OK as far as I could 
> tell.  This weekend I updated packages and brought the server up to 4.1.14.
> 
> This appears to have broken compatibility with the domain.
> 
>     root at memberserver1:~# net rpc testjoin
>     Join to domain 'MYDOMAIN' is not valid:
>     NT_STATUS_CONNECTION_DISCONNECTED
>     root at memberserver1:~#
> 
> 
>     root at memberserver1:~# net rpc join -U Administrator -S PDCServerName
>     Enter Administrator's password:
>     Failed to join domain: failed to lookup DC info for domain
>     'MYDOMAIN' over rpc: The transport connection is now
disconnected.
>     root at memberserver1:~#
> 
> 
>     root at memberserver1:~# net rpc join -U Administrator -S PDCServerIP
>     Enter Administrator's password:
>     Failed to join domain: failed to lookup DC info for domain
>     'MYDOMAIN' over rpc: The transport connection is now
disconnected.
>     root at memberserver1:~#
> 
> 
> 
> 
> "nslookup PDCServer" and "ping PDCServer" both work
fine.
> 
> 
> I suspect 4.4.14 was not tested in a classic domain and that I may be 
> out of luck.
I would first suggest running a more recently supported version, but I
suggest that you read the logs and see where it stops.  Turn up the log
level if need be.

Samba is tested as a classic DC in our autobuild system, so this isn't
just globally broken for everyone, it will be something OS or site-
specific.

Sorry,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

I increased the logging to 10 on the problem member server.  Didn't see 
anything of interest.

I did a packet capture on the PDC while typing " net rpc testjoin"
from
both the problem member server (4.4.14) and a working member server 
(4.4.13)

e.g

        SMB:  ----- SMB Header -----
        SMB:
        SMB:  CLIENT REQUEST
        SMB:  Command code = 0x72
        SMB:  Command name =  SMBnegprot
        SMB:
        SMB:  SMB Status:
        SMB:     - Error class = No error
        SMB:     - Error code = No error
        SMB:
        SMB:  Header:
        SMB:     - Tree ID      (TID) = 0x0000
        SMB:     - Process ID   (PID) = 0xfffe
        SMB:     - User ID      (UID) = 0x0000
        SMB:     - Multiplex ID (MID) = 0x0000
        SMB:     - Flags summary = 0x18
        SMB:     - Flags2 summary = 0xc843
        SMB:
        SMB:  ByteCount = 49
        SMB:  Dialect String = NT LANMAN 1.0
        SMB:  Dialect String = NT LM 0.12
        SMB:  Dialect String = SMB 2.002
        SMB:  Dialect String = SMB 2.???
        SMB:



On the working member server, the packet capture included a lot of
"SMB"
traffic.  With the problem server,  all the "SMB" packets were empty.

e.g.

        SMB:  ----- SMB:   -----
        SMB:
        SMB:  ""
        SMB:




Both machines are configured for a max protocol of SMB2.  The problem 
machine is also configured for a  min protocol of SMB2.


testparm -v

         client ipc max protocol = default
         client max protocol = SMB2
         server max protocol = SMB2

        client ipc min protocol = SMB2
         client min protocol = SMB2
         server min protocol = SMB2

On the PDC, the log file for IP_ADDRESS_OF_PROBLEM_SERVER shows


         Non-SMB packet of length 182. Terminating server


On 06/21/17 04:52, Andrew Bartlett wrote:
> On Tue, 2017-06-20 at 17:23 -0400, Gaiseric Vandal via samba wrote:
>> I have several Samba 4.4.x servers (Solaris 11 x86_x64) in a samba
>> classic domain.    Samba patches are provided via the Oracle solaris
>> package update system.
>>
>>
>> The two domain controllers are running Samba 4.4.8.
>>
>>
>> A few weeks ago I ran the latest package  updates on a non-critical
>> server, which brought it up to 4.4.13.      All was OK as far as I
could
>> tell.  This weekend I updated packages and brought the server up to
4.1.14.
>>
>> This appears to have broken compatibility with the domain.
>>
>>      root at memberserver1:~# net rpc testjoin
>>      Join to domain 'MYDOMAIN' is not valid:
>>      NT_STATUS_CONNECTION_DISCONNECTED
>>      root at memberserver1:~#
>>
>>
>>      root at memberserver1:~# net rpc join -U Administrator -S
PDCServerName
>>      Enter Administrator's password:
>>      Failed to join domain: failed to lookup DC info for domain
>>      'MYDOMAIN' over rpc: The transport connection is now
disconnected.
>>      root at memberserver1:~#
>>
>>
>>      root at memberserver1:~# net rpc join -U Administrator -S
PDCServerIP
>>      Enter Administrator's password:
>>      Failed to join domain: failed to lookup DC info for domain
>>      'MYDOMAIN' over rpc: The transport connection is now
disconnected.
>>      root at memberserver1:~#
>>
>>
>>
>>
>> "nslookup PDCServer" and "ping PDCServer" both work
fine.
>>
>>
>> I suspect 4.4.14 was not tested in a classic domain and that I may be
>> out of luck.
> I would first suggest running a more recently supported version, but I
> suggest that you read the logs and see where it stops.  Turn up the log
> level if need be.
>
> Samba is tested as a classic DC in our autobuild system, so this isn't
> just globally broken for everyone, it will be something OS or site-
> specific.
>
> Sorry,
>
> Andrew Bartlett