Bug 11759 - winbindd contacts foreign domains in order to accept SMB connections
Summary: winbindd contacts foreign domains in order to accept SMB connections
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.3.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-02-28 19:25 UTC by Uri Simchoni
Modified: 2019-07-31 10:54 UTC
CC List: 4 users

See Also:

smb.conf (6.49 KB, text/plain)
2016-02-28 19:27 UTC, Uri Simchoni
winbindd log (1.11 MB, text/plain)
2016-02-28 19:36 UTC, Uri Simchoni
smbd log (822.34 KB, text/plain)
2016-02-28 19:37 UTC, Uri Simchoni
TEST (1.38 KB, patch)
2016-03-01 12:57 UTC, Volker Lendecke

Description Uri Simchoni 2016-02-28 19:25:43 UTC
When SMBD (ad member server) authenticates a user from a different domain via Kerberos, it causes winbindd to contact a domain controller of that domain. This is generally not desirable since we may not have permissions to contact that domain.

This issue was raised by VL in a comment here - https://bugzilla.samba.org/show_bug.cgi?id=11691#c4

Relation to similar bugs:
11691 - this is a bug of not being able to contact the foreign DC in some cases - we hope to avoid contacting this DC entirely.

11259 - this is about contacting *any* DC while accepting a connection, on grounds that all the information should be in the Kerberos ticket, and that contacting a DC makes that connection a bottleneck/fail point. This bug OTOH takes a more humble goal of not contacting a foreign DC. Jeremy had a WIP partial fix for that one, which may eliminate the foreign domain query (since it eliminated an LDAP query and that query is probably done to the foreign domain in our case).

Setup details and level-10 logs follow in comments.
Comment 1 Uri Simchoni 2016-02-28 19:27:03 UTC
Created attachment 11873
smb.conf
Comment 2 Uri Simchoni 2016-02-28 19:36:44 UTC
Created attachment 11874
winbindd log

This is a unified log of all winbindd processes (sorry - had to change log destination in .conf file which leads to this).

Our server is uri-vgw-4. It is connected to domain child2.domain.local (short name CHILD2). This domain has one DC - srv.child2.domain.local

The user is CHILD\childuser1, coming from domain child.domain.local (short name CHILD). This domain has one DC - dc01.child.domain.local

We also have their parent domain - domain.local (short name DOMAIN) with one DC - dc.domain.local.

These domains have a "triangle" of bidirectional trusts, i.e. CHILD and CHILD2 have a direct trust, as well as the parent-child trusts.

Serving the login starts at line 9532, with GETPWNAM request for child\childuser1.
Comment 3 Uri Simchoni 2016-02-28 19:37:32 UTC
Created attachment 11875
smbd log
Comment 4 Uri Simchoni 2016-02-28 19:44:59 UTC
Basically, _wbint_QueryUser() is translated to an LDAP request to the foreign domain, if netsamlogon cache cannot be consulted. I think Jeremy's patch for https://bugzilla.samba.org/show_bug.cgi?id=11259 fixes this. Unless I'm missing something, all the rest is to our domain.
Comment 5 Volker Lendecke 2016-03-01 12:57:10 UTC
Created attachment 11882
TEST

Hmm. Maybe it's as simple as the attached patch? I've not tested this, but we just can't do getpwnam before storing our PAC into the netsamlogon_cache.tdb.
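The ordering hypothesis in comment 5, as an added toy model (constructed for this page, not Samba code): QueryUser is served from the netsamlogon cache when the PAC has already been stored, and otherwise falls through to the user's home DC. Comment 6 below reports that the attached patch did not in fact stop the foreign domain from going online, so this models the hypothesis, not a verified fix; the domain names and the uid value are assumed sample data.

```python
"""Constructed model (not Samba code) of the ordering issue in this bug:
a getpwnam that reaches _wbint_QueryUser before the PAC info is in the
netsamlogon cache results in an LDAP lookup against the user's home DC."""
from dataclasses import dataclass, field

JOINED_DOMAIN = "CHILD2"  # assumed: the member server's own domain


@dataclass
class UserInfo:
    domain: str
    name: str
    uid_hint: int


@dataclass
class Winbindd:
    """Toy winbindd: a netsamlogon cache plus a record of DCs contacted."""
    netsamlogon_cache: dict = field(default_factory=dict)
    dc_contacts: list = field(default_factory=list)

    def store_pac(self, info: UserInfo) -> None:
        # Models caching the PAC logon info after Kerberos authentication.
        self.netsamlogon_cache[(info.domain, info.name)] = info

    def query_user(self, domain: str, name: str) -> UserInfo:
        # getpwnam -> QueryUser: a cache hit means no DC is contacted.
        key = (domain, name)
        if key in self.netsamlogon_cache:
            return self.netsamlogon_cache[key]
        # Cache miss: LDAP to that domain's DC (foreign if not our domain).
        self.dc_contacts.append(domain)
        return UserInfo(domain, name, 0)


def foreign_dcs_contacted(order: str) -> list:
    """Run the two session-setup steps in the given order and return the
    non-joined domains whose DC had to be contacted."""
    wb = Winbindd()
    pac = UserInfo("CHILD", "childuser1", 10001)  # constructed sample user
    if order == "getpwnam_first":      # behaviour reported in this bug
        wb.query_user(pac.domain, pac.name)
        wb.store_pac(pac)
    elif order == "store_pac_first":   # ordering proposed in comment 5
        wb.store_pac(pac)
        wb.query_user(pac.domain, pac.name)
    else:
        raise ValueError(order)
    return [d for d in wb.dc_contacts if d != JOINED_DOMAIN]


if __name__ == "__main__":
    print(foreign_dcs_contacted("getpwnam_first"))   # ['CHILD']
    print(foreign_dcs_contacted("store_pac_first"))  # []
```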
Comment 6 Uri Simchoni 2016-03-28 17:47:12 UTC
(In reply to Volker Lendecke from comment #5)
Tested it a while ago, for some reason this patch didn't prevent the foreign domain from going online, but I didn't have time to look further. Will get back to this later when I have more time (or when I have an issue which can be fixed by fixing this bug).

Comment 7 Stefan Metzmacher 2019-07-31 10:54:08 UTC
I guess this got fixed by the patches from bug #11259