Bug 11759 - winbindd contacts foreign domains in order to accept SMB connections
winbindd contacts foreign domains in order to accept SMB connections
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
4.3.5
All All
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-28 19:25 UTC by Uri Simchoni
Modified: 2016-03-28 17:52 UTC (History)
3 users (show)

See Also:


Attachments
smb.conf (6.49 KB, text/plain)
2016-02-28 19:27 UTC, Uri Simchoni
no flags Details
winbindd log (1.11 MB, text/plain)
2016-02-28 19:36 UTC, Uri Simchoni
no flags Details
smbd log (822.34 KB, text/plain)
2016-02-28 19:37 UTC, Uri Simchoni
no flags Details
TEST (1.38 KB, patch)
2016-03-01 12:57 UTC, Volker Lendecke
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Uri Simchoni 2016-02-28 19:25:43 UTC
When SMBD (ad member server) authenticates a user from a different domain via Kerberos, it causes winbindd to contact a domain controller of that domain. This is generally not desirable since we may not have permissions to contact that domain.

This issue was raised by VL in a comment here - https://bugzilla.samba.org/show_bug.cgi?id=11691#c4

Relation to similar bugs:
11691 - this is a bug of not being able to contact the foreign DC in some cases - we hope to avoid contacting this DC entirely.

11259 - this is about contacting *any* DC while accepting a connection, on grounds that all the information should be in the Kerberos ticket, and that contacting a DC makes that connection a bottleneck /fail point. This bug OTOH takes a more humble goal of not contacting a foreign DC. Jeremy had a WIP partial fix for that one, which may eliminate the foreign domain query (since it eliminated an LDAP query and that query is probably done to the foreign domain in our case)

Setup details and level-10 logs follow in comments.
Comment 1 Uri Simchoni 2016-02-28 19:27:03 UTC
Created attachment 11873 [details]
smb.conf
Comment 2 Uri Simchoni 2016-02-28 19:36:44 UTC
Created attachment 11874 [details]
winbindd log

This is a unified log of all winbindd processes (sorry - had to change log destination in .conf file which leads to this).

Our server is uri-vgw-4. It is connected to domain child2.domain.local (short name CHILD2). This domain has one DC - srv.child2.domain.local

The user is CHILD\childuser1, coming from domain child.domain.local (short name CHILD). This domain has one DC - dc01.child.domain.local

We also have their parent domain - domain.local (short name DOMAIN) with one DC - dc.domain.local.

These domains have a "triangle" of bidirectional trusts, i.e. CHILD and CHILD2 have a direct trust, as well as the parent-child trusts.

Serving the login starts at line 9532, with GETPWNAM request for child\childuser1.
Comment 3 Uri Simchoni 2016-02-28 19:37:32 UTC
Created attachment 11875 [details]
smbd log
Comment 4 Uri Simchoni 2016-02-28 19:44:59 UTC
Basically, _wbint_QueryUser() is translated to an LDAP request to the foreign domain, if netsamlogon cache cannot be consulted. I think Jeremy's patch for https://bugzilla.samba.org/show_bug.cgi?id=11259 fixes this. Unless I'm missing something, all the rest is to our domain.
Comment 5 Volker Lendecke 2016-03-01 12:57:10 UTC
Created attachment 11882 [details]
TEST

Hmm. Maybe it's as simple as the attached patch? I've not tested this, but we just can't do getpwnam before storing our PAC into the netsamlogon_cache.tdb.
Comment 6 Uri Simchoni 2016-03-28 17:47:12 UTC
(In reply to Volker Lendecke from comment #5)
Tested it a while ago, for some reason this patch didn't prevent the foreign domain from going online, but I didn't have time to look further. Will get back to this later when I have more time (or when I have an issue which can be fixed by fixing this bug).

Thanks,
Uri.