When SMBD (ad member server) authenticates a user from a different domain via Kerberos, it causes winbindd to contact a domain controller of that domain. This is generally not desirable since we may not have permissions to contact that domain.
This issue was raised by VL in a comment here - https://bugzilla.samba.org/show_bug.cgi?id=11691#c4
Relation to similar bugs:
11691 - this is a bug about not being able to contact the foreign DC in some cases; we hope to avoid contacting this DC entirely.
11259 - this is about contacting *any* DC while accepting a connection, on the grounds that all the information should be in the Kerberos ticket, and that contacting a DC makes that connection a bottleneck / failure point. This bug, OTOH, has the more humble goal of not contacting a foreign DC. Jeremy had a WIP partial fix for that one, which may eliminate the foreign domain query (since it eliminated an LDAP query, and that query is probably made to the foreign domain in our case).
Setup details and level-10 logs follow in comments.
Created attachment 11873
Created attachment 11874
This is a unified log of all winbindd processes (sorry - I had to change the log destination in the .conf file, which leads to this).
Our server is uri-vgw-4. It is connected to domain child2.domain.local (short name CHILD2). This domain has one DC - srv.child2.domain.local
The user is CHILD\childuser1, coming from domain child.domain.local (short name CHILD). This domain has one DC - dc01.child.domain.local
We also have their parent domain - domain.local (short name DOMAIN) with one DC - dc.domain.local.
These domains have a "triangle" of bidirectional trusts, i.e. CHILD and CHILD2 have a direct trust, as well as the parent-child trusts.
Serving the login starts at line 9532, with GETPWNAM request for child\childuser1.
Created attachment 11875
Basically, _wbint_QueryUser() is translated to an LDAP request to the foreign domain if the netsamlogon cache cannot be consulted. I think Jeremy's patch for https://bugzilla.samba.org/show_bug.cgi?id=11259 fixes this. Unless I'm missing something, all the rest goes to our domain.
Created attachment 11882
Hmm. Maybe it's as simple as the attached patch? I've not tested this, but we just can't do getpwnam before storing our PAC into the netsamlogon_cache.tdb.
(In reply to Volker Lendecke from comment #5)
Tested it a while ago; for some reason this patch didn't prevent the foreign domain from going online, but I didn't have time to look further. Will get back to this later when I have more time (or when I have an issue which can be fixed by fixing this bug).
I guess this got fixed by the patches from bug #11259
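As an added example (not from the bug report or from Samba itself), the following Python script scans a unified level-10 winbindd log of the kind attached above and lists every domain that winbindd marks online, together with the pid of the winbindd process and the log line number, so that a foreign domain going online can be compared against the GETPWNAM request for the foreign user. It assumes the per-message header format `[timestamp, level, pid=N, ...]` and the message text `set_domain_online: called for domain X` from winbindd_cm.c; adjust the two regular expressions if your Samba version words them differently. The sample log lines embedded below are constructed for this example, not taken from the attachment.

```python
import re
from typing import List, NamedTuple

# Assumed shape of the header Samba writes before each debug message; the
# "pid=" field tells the winbindd parent and child processes apart in a
# unified log.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)")

# Assumed message text winbindd_cm.c logs when it marks a domain online.
ONLINE_RE = re.compile(r"set_domain_online: called for domain (?P<domain>\S+)")


class OnlineEvent(NamedTuple):
    line_no: int   # 1-based line number in the log, for cross-referencing
    pid: str       # pid of the winbindd process that marked the domain online
    domain: str    # short (NetBIOS) domain name as logged


def domains_going_online(log_text: str) -> List[OnlineEvent]:
    """Return every set_domain_online event in the log, in log order."""
    events: List[OnlineEvent] = []
    pid = "?"  # pid of the process that wrote the most recent header line
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        header = HEADER_RE.match(line)
        if header:
            pid = header.group("pid")
            continue
        msg = ONLINE_RE.search(line)
        if msg:
            events.append(OnlineEvent(line_no, pid, msg.group("domain")))
    return events


def foreign_domains_online(log_text: str, own_domain: str) -> List[OnlineEvent]:
    """Keep only events for domains other than our own and the local BUILTIN
    pseudo-domain; any hit here means winbindd went online to a foreign DC."""
    local = {own_domain.upper(), "BUILTIN"}
    return [e for e in domains_going_online(log_text) if e.domain.upper() not in local]


# Constructed sample: the server's own domain is CHILD2; a GETPWNAM for
# child\childuser1 is followed by CHILD (the user's domain) going online.
SAMPLE_LOG = """\
[2016/02/19 12:00:00.000001, 10, pid=2001, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_cm.c:1058(set_domain_online)
  set_domain_online: called for domain BUILTIN
[2016/02/19 12:00:00.000002, 10, pid=2001, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_cm.c:1058(set_domain_online)
  set_domain_online: called for domain CHILD2
[2016/02/19 12:00:05.000001, 10, pid=2000, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd.c:500(process_request)
  process_request: request fn GETPWNAM
[2016/02/19 12:00:05.000002, 10, pid=2000, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_getpwnam.c:60(winbindd_getpwnam_send)
  getpwnam child\\childuser1
[2016/02/19 12:00:05.100000, 10, pid=2003, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_cm.c:1058(set_domain_online)
  set_domain_online: called for domain CHILD
"""

if __name__ == "__main__":
    # Real use: python3 script.py < log.winbindd, with own_domain set to the
    # server's workgroup (CHILD2 here).
    for event in foreign_domains_online(SAMPLE_LOG, "CHILD2"):
        print(f"line {event.line_no}: pid {event.pid} marked foreign domain "
              f"{event.domain} online")
```

Run against the real attachment, compare the line number of each reported event with the line where the GETPWNAM request for the foreign user starts (9532 in the log above); an event after that point is the foreign-DC contact this bug is about, while an empty result after applying a candidate patch is the evidence that the fix works.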