[Authentication] Realm can not join Samba4 Domain

Niklas Andersson niklas.andersson at openforce.se
Sun May 4 11:10:03 PDT 2014


Hi,

 I am doing some automated testing setting up Samba4 AD DC and Realmd.

 The thing is that realm discover [Samba4-domain] gives an error:

vagrant@client002:~$ realm discover -v openforce.org
 * Resolving: _ldap._tcp.openforce.org
 * Performing LDAP DSE lookup on: 192.168.33.2
 ! Received invalid or unsupported Netlogon data from server
openforce.org
  type: kerberos
  realm-name: OPENFORCE.ORG
  domain-name: openforce.org
  configured: no


..it works when you do a discover of a Microsoft Active Directory-domain.

I think the problem lies in Samba4 AD DC not exposing certain capabilities.
The code in question in realmd is this:

realm_disco_mscldap_request (LDAP *ldap,
                             int *msgidp,
                             GError **error)
{
        char *attrs[] = { "NetLogon", NULL };
        int rc;

        rc = ldap_search_ext (ldap, "", LDAP_SCOPE_BASE,
                              "(&(NtVer=\\06\\00\\00\\00)(AAC=\\00\\00\\00\\00))",
                              attrs, 0, NULL, NULL, NULL,
                              -1, msgidp);

        if (rc != LDAP_SUCCESS) {
                realm_ldap_set_error (error, ldap, rc);
                return FALSE;
        }

        return TRUE;
}

Sorry, I haven't been able to decipher the LDAP-query further. I was also
able to see this using Wireshark when I wiretapped the connection.

Samba4 AD DC returns nothing, while MS AD returns...something. I haven't
been able to reproduce the query. There is something going on with
anonymous binding, and there is a query sent with "NetLogon", but I haven't
been able to reproduce this query manually with any success.


 FYI: I am using samba4 4.1.6 from the Ubuntu-repo. If you know of any PPA
with current trunk, I would be grateful for that information.

Regards,
Niklas
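
Added example, not part of the original post and not realmd code: a small C decoder for the search filter in the snippet above. It undoes the "\XX" escapes of the NtVer and AAC values and reads them as little-endian 32-bit integers; the flag names are those used in MS-ADTS, and the helper name filter_le32 is made up for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NtVer bits, names as in MS-ADTS (not taken from the post). */
#define NETLOGON_NT_VERSION_5   0x00000002u
#define NETLOGON_NT_VERSION_5EX 0x00000004u

/* Locate "(attr=" in an LDAP filter, undo the RFC 4515 "\XX" escapes of its
 * 4-byte value and read it as little-endian. Returns 0, or -1 if malformed. */
static int
filter_le32 (const char *filter, const char *attr, uint32_t *out)
{
        char key[32], hex[3] = { 0 };
        const char *p;
        uint32_t result = 0;
        int i;
        snprintf (key, sizeof key, "(%s=", attr);
        p = strstr (filter, key);
        if (p == NULL)
                return -1;
        p += strlen (key);
        for (i = 0; i < 4; i++, p += 3) {
                if (p[0] != '\\' || !isxdigit ((unsigned char)p[1]) ||
                    !isxdigit ((unsigned char)p[2]))
                        return -1;
                hex[0] = p[1]; hex[1] = p[2];
                result |= (uint32_t)strtoul (hex, NULL, 16) << (8 * i);
        }
        if (*p != ')')
                return -1;
        *out = result;
        return 0;
}

int
main (void)
{
        /* The filter realmd sends, as it looks after C string unescaping. */
        const char *filter = "(&(NtVer=\\06\\00\\00\\00)(AAC=\\00\\00\\00\\00))";
        uint32_t ntver, aac;
        if (filter_le32 (filter, "NtVer", &ntver) || filter_le32 (filter, "AAC", &aac))
                return 1;
        printf ("NtVer=0x%08x (V5=%d V5EX=%d) AAC=0x%08x\n", (unsigned)ntver,
                !!(ntver & NETLOGON_NT_VERSION_5), !!(ntver & NETLOGON_NT_VERSION_5EX), (unsigned)aac);
        return 0;
}
```

For the filter above, NtVer decodes to 0x00000006 (both the V5 and V5EX bits set) and AAC to 0.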