Bugzilla – Bug 1199734
Cannot join windows domain with YaST
Last modified: 2022-08-04 11:48:21 UTC
There appears to be some issue with "FSMO roles". Essentially joining a windows domain works just fine with Leap 15.0 / 15.1 / 15.2 (mostly) and fails with 15.3. Depending on which DC our round robin DNS returns to the client, one either gets a valid response for the LDAP server or (null).

Lengthy discussion in the forum: https://forums.opensuse.org/showthread.php/570134-Joining-a-windows-domain-using-YaST-fundamental-changes-since-Leap-15-2-3-4
https://bugzilla.samba.org/show_bug.cgi?id=14674
Hi Robert,

could you please check if packages from [1] fix the issue for you?

[1] https://build.opensuse.org/package/show/home:scabrero:bsc1199734/samba
Leap 15.3:
==========

* "net ads info -S server-ip" looks good now - for all our DCs.
* I can join our domain without any immediate problems using YaST
* wbinfo -g / wbinfo -u work
* pam_winbind is still a no-go :-(

---
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] ENTER: pam_sm_authenticate (flags: 0x0001)
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): getting password (0x00000191)
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): pam_get_item returned a password
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): Verify user 'ADS\XXXXXXX'
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE'
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
---

on 15.2 this part of syslog looks like this:

---
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:auth): getting password (0x00000190)
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:auth): pam_get_item returned a password
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:auth): user 'ADS\XXXXXXX' granted access
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:account): user 'ADS\XXXXXXX' granted access
---

There may be other differences between these VMs. I will have to dig a bit deeper.
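An added example (not part of the bug report and not Samba code): a small Python triage script that groups pam_winbind syslog lines per PID and records the final result of each PAM phase, so the failing 15.3 pattern (PAM_USER_UNKNOWN) and the working 15.2 pattern from the comment above can be told apart across many hosts. The sample lines are constructed from the two excerpts above; the function names `summarize` and `failures` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two syslog excerpts in the comment above
# (host and user redacted the same way as in the report).
SAMPLE = """\
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] ENTER: pam_sm_authenticate (flags: 0x0001)
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): Verify user 'ADS\\XXXXXXX'
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:auth): user 'ADS\\XXXXXXX' granted access
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:account): user 'ADS\\XXXXXXX' granted access
"""

# "<proc>[pid]: pam_winbind(<service>:<phase>): <message>"
LINE = re.compile(r"\[(?P<pid>\d+)\]: pam_winbind\((?P<svc>[^:]+):(?P<phase>\w+)\): (?P<msg>.*)$")
LEAVE = re.compile(r"LEAVE: \w+ returning (?P<code>\d+) \((?P<name>\w+)\)")
VERIFY = re.compile(r"Verify user '(?P<user>[^']+)'")
GRANT = re.compile(r"user '(?P<user>[^']+)' granted access")

def summarize(text):
    """Return {(service, pid): {"user": str|None, "results": {phase: result}}}."""
    sessions = defaultdict(lambda: {"user": None, "results": {}})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a pam_winbind line
        sess = sessions[(m["svc"], int(m["pid"]))]
        msg = m["msg"]
        if (u := VERIFY.search(msg)) or (u := GRANT.search(msg)):
            sess["user"] = u["user"]
        if GRANT.search(msg):
            sess["results"][m["phase"]] = "granted"
        elif (lv := LEAVE.search(msg)):
            # Debug-level LEAVE lines carry the PAM return code name.
            sess["results"][m["phase"]] = lv["name"]
    return dict(sessions)

def failures(text):
    """Sessions in which any PAM phase ended in something other than success."""
    ok = {"granted", "PAM_SUCCESS"}
    return {key: sess for key, sess in summarize(text).items()
            if any(result not in ok for result in sess["results"].values())}
```
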
Leap 15.4 behaves as 15.3.

Firewall and apparmor are OFF.
There might be something off with pam_winbind and krb5. Just guessing now.
I just did the following experiment:

* start with a working Leap 15.2 VM, domain joined and all, fully updated.
* zypper dup upgrade to Leap 15.3, no special samba packages!

Results:

* it keeps working as before, pam_winbind does its job as well
* net ads info -S DC-IP works for all IP (as non-root user)
* net ads info -S DC-IP is buggy as root user ???
Still present with current Leap 15.4
This might be fixed in samba 4.16.stable

https://gitlab.com/samba-team/samba/-/commit/53ac81eef24f1c60d2d9cdc9c5f21ade32275d81
I've just installed the following and it works for me!

---
home:markusd:samba-fresh Community 4.16.2
---
I'll try upgrading a few Leap 15.2 machines to 15.4 with samba 4.16.2
I've upgraded another host to 15.4 + samba stuff. Left the domain and rejoined. No problems :-)
The fix will be included in samba 4.15.8, scheduled for June 28 2022. I will keep the bug open until released.
SUSE-SU-2022:2586-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.2 (src): ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.1 (src): ldb-2.4.3-150300.3.20.1
SUSE Linux Enterprise High Availability 15-SP3 (src): samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Enterprise Storage 7.1 (src): ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2582-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise Server 12-SP5 (src): samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise High Availability 12-SP5 (src): samba-4.15.8+git.462.e73f4310487-3.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I will check next week if it works with Tumbleweed now + winbind logins & pam_mount etc. as far as I can compare with currently working systems (leap 15.2 / 15.4)

The crash of samba-client (bug 1200766 seems to have been fixed now as well).
SUSE-SU-2022:2659-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src): samba-4.15.8+git.500.d5910280cc7-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to robert spitzenpfeil from comment #19)
> I will check next week if it works with Tumbleweed now + winbind logins &
> pam_mount etc. as far as I can compare with currently working systems (leap
> 15.2 / 15.4)
>
> The crash of samba-client (bug 1200766 seems to have been fixed now as well).

Fixed and released, please reopen if necessary.
Joining our AD works now. YaST doesn't crash anymore. But that's about it.

Console logins with winbind auth, ssh logins, pam_mount etc. do not work. Something in the pam stack might be wrong. When I find some time, I will investigate further and probably open a new bug report.
Continuing here: https://bugzilla.opensuse.org/show_bug.cgi?id=1202141