Bug 1199734 - Cannot join windows domain with YaST
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Samba
Leap 15.4
x86-64 openSUSE Leap 15.4
: P5 - None : Normal (vote)
Assigned To: Samuel Cabrero
The 'Opening Windows to a Wider World' guys
Reported: 2022-05-19 19:20 UTC by robert spitzenpfeil
Modified: 2022-08-04 11:48 UTC (History)
Description robert spitzenpfeil 2022-05-19 19:20:29 UTC
There appears to be some issue with "FSMO roles".

Essentially, joining a Windows domain works just fine with Leap 15.0 / 15.1 / 15.2 (mostly) and fails with 15.3.

Depending on which DC our round robin DNS returns to the client, one either gets a valid response for the LDAP server or (null).

Lengthy discussion in the forum:

https://forums.opensuse.org/showthread.php/570134-Joining-a-windows-domain-using-YaST-fundamental-changes-since-Leap-15-2-3-4
Comment 1 robert spitzenpfeil 2022-05-19 19:23:15 UTC
https://bugzilla.samba.org/show_bug.cgi?id=14674
Comment 2 Samuel Cabrero 2022-05-23 15:34:00 UTC
Hi Robert,

could you please check if packages from [1] fix the issue for you?

[1] https://build.opensuse.org/package/show/home:scabrero:bsc1199734/samba
Comment 3 robert spitzenpfeil 2022-05-23 17:47:36 UTC
Leap 15.3:
==========

* "net ads info -S server-ip" looks good now - for all our DCs.
* I can join our domain without any immediate problems using YaST
* wbinfo -g / wbinfo -u work
* pam_winbind is still a no-go :-(


---

May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] ENTER: pam_sm_authenticate (flags: 0x0001)
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): getting password (0x00000191)
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): pam_get_item returned a password
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): Verify user 'ADS\XXXXXXX'
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): CONFIG file: krb5_ccache_type 'FILE'
May 23 19:34:43 xxx.xxx.xxx.xxx sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)

---



on 15.2 this part of syslog looks like this:


---
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:auth): getting password (0x00000190)
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:auth): pam_get_item returned a password
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:auth): user 'ADS\XXXXXXX' granted access
May 23 19:39:28 xxx.xxx.xxx.xxx sshd[2351]: pam_winbind(sshd:account): user 'ADS\XXXXXXX' granted access
---



There may be other differences between these VMs. I will have to dig a bit deeper.
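
Added example, not part of the original thread: a small parser for pam_winbind syslog lines in the format quoted in comment 3, which reports the auth-phase outcome per sshd process so that hosts returning PAM_USER_UNKNOWN after an upgrade can be separated from hosts that grant access. The sample lines are constructed from the excerpts above, and the hostnames `leap153-vm` and `leap152-vm` are placeholders.

```python
import re

# Constructed sample in the format of the excerpts above; hostnames are
# placeholders, users stay redacted as in the report.
SAMPLE = r"""
May 23 19:34:43 leap153-vm sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] ENTER: pam_sm_authenticate (flags: 0x0001)
May 23 19:34:43 leap153-vm sshd[2372]: pam_winbind(sshd:auth): getting password (0x00000191)
May 23 19:34:43 leap153-vm sshd[2372]: pam_winbind(sshd:auth): Verify user 'ADS\XXXXXXX'
May 23 19:34:43 leap153-vm sshd[2372]: pam_winbind(sshd:auth): [pamh: 0x55e157b31d90] LEAVE: pam_sm_authenticate returning 10 (PAM_USER_UNKNOWN)
May 23 19:39:28 leap152-vm sshd[2351]: pam_winbind(sshd:auth): getting password (0x00000190)
May 23 19:39:28 leap152-vm sshd[2351]: pam_winbind(sshd:auth): user 'ADS\XXXXXXX' granted access
May 23 19:39:28 leap152-vm sshd[2351]: pam_winbind(sshd:account): user 'ADS\XXXXXXX' granted access
"""

LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s[\w-]+\[(?P<pid>\d+)\]:\s"
                  r"pam_winbind\((?P<svc>[^:)]+):(?P<phase>\w+)\):\s(?P<msg>.*)$")
USER = re.compile(r"(?:Verify )?user '(?P<user>[^']+)'")
LEAVE = re.compile(r"LEAVE: pam_sm_authenticate returning \d+ \((?P<name>PAM_\w+)\)")

def summarize(text):
    """Return one record per (host, pid) with the outcome of the auth phase."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["phase"] != "auth":
            continue  # not a pam_winbind line, or a later phase (account, session)
        s = sessions.setdefault((m["host"], m["pid"]), {
            "host": m["host"], "pid": m["pid"], "service": m["svc"],
            "user": None, "result": "incomplete"})
        u = USER.search(m["msg"])
        if u:
            s["user"] = u["user"]
        leave = LEAVE.search(m["msg"])
        if leave:  # explicit PAM return code, logged when debug output is on
            s["result"] = leave["name"]
        elif "granted access" in m["msg"] and s["result"] == "incomplete":
            s["result"] = "granted"
    return list(sessions.values())

def failures(text):
    """Sessions whose auth phase neither granted access nor returned PAM_SUCCESS."""
    return [s for s in summarize(text) if s["result"] not in ("granted", "PAM_SUCCESS")]

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(f'{s["host"]} {s["service"]}[{s["pid"]}] {s["user"]}: {s["result"]}')
```
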
Comment 4 robert spitzenpfeil 2022-05-23 18:06:14 UTC
Leap 15.4 behaves as 15.3

Firewall and apparmor are OFF.
Comment 5 robert spitzenpfeil 2022-05-23 18:29:15 UTC
There might be something off with pam_winbind and krb5. Just guessing now.
Comment 6 robert spitzenpfeil 2022-05-24 14:40:18 UTC
I just did the following experiment:

* start with a working Leap 15.2 VM, domain joined and all, fully updated.
* zypper dup upgrade to Leap 15.3, no special samba packages!


Results:

* it keeps working as before, pam_winbind does its job as well
* net ads info -S DC-IP works for all IPs (as non-root user)
* net ads info -S DC-IP is buggy as root user


???
Comment 7 robert spitzenpfeil 2022-06-13 14:49:57 UTC
Still present with current Leap 15.4
Comment 8 robert spitzenpfeil 2022-06-13 14:57:56 UTC
This might be fixed in samba 4.16.stable

https://gitlab.com/samba-team/samba/-/commit/53ac81eef24f1c60d2d9cdc9c5f21ade32275d81
Comment 9 robert spitzenpfeil 2022-06-13 15:16:17 UTC
I've just installed the following and it works for me!

---
home:markusd:samba-fresh Community 4.16.2
---
Comment 10 robert spitzenpfeil 2022-06-13 15:18:51 UTC
I'll try upgrading a few Leap 15.2 machines to 15.4 with samba 4.16.2
Comment 11 robert spitzenpfeil 2022-06-13 17:02:50 UTC
I've upgraded another host to 15.4 + samba stuff.

Left the domain and rejoined. No problems :-)
Comment 12 Samuel Cabrero 2022-06-15 12:14:41 UTC
The fix will be included in samba 4.15.8, scheduled for June 28 2022. I will keep the bug open until released.
Comment 17 Swamp Workflow Management 2022-07-29 13:16:46 UTC
SUSE-SU-2022:2586-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.1 (src):    ldb-2.4.3-150300.3.20.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Enterprise Storage 7.1 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-07-29 13:19:50 UTC
SUSE-SU-2022:2582-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 robert spitzenpfeil 2022-07-29 14:16:42 UTC
I will check next week if it works with Tumbleweed now + winbind logins & pam_mount etc. as far as I can compare with currently working systems (Leap 15.2 / 15.4)

The crash of samba-client (bug 1200766) seems to have been fixed now as well.
Comment 20 Swamp Workflow Management 2022-08-03 22:17:56 UTC
SUSE-SU-2022:2659-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    samba-4.15.8+git.500.d5910280cc7-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Samuel Cabrero 2022-08-04 08:06:59 UTC
(In reply to robert spitzenpfeil from comment #19)
> I will check next week if it works with Tumbleweed now + winbind logins &
> pam_mount etc. as far as I can compare with currently working systems (Leap
> 15.2 / 15.4)
> 
> The crash of samba-client (bug 1200766) seems to have been fixed now as well.

Fixed and released, please reopen if necessary.
Comment 22 robert spitzenpfeil 2022-08-04 10:57:07 UTC
Joining our AD works now. YaST doesn't crash anymore.


But that's about it.


Console logins with winbind auth, ssh logins, pam_mount etc. do not work. Something in the pam stack might be wrong.

When I find some time, I will investigate further and probably open a new bug report.
Comment 23 robert spitzenpfeil 2022-08-04 11:48:21 UTC
Continuing here: https://bugzilla.opensuse.org/show_bug.cgi?id=1202141