Bug 11830 - Domain member cannot resolve trusted domains' users
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.2.3
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2016-04-12 07:53 UTC by Alexander Bokovoy
Modified: 2016-09-24 22:52 UTC
Attachments
proposed patch for master (2.13 KB, patch)
2016-04-12 08:20 UTC, Alexander Bokovoy
obnox: review-
proposed patch for v4.4 (2.30 KB, patch)
2016-04-12 08:20 UTC, Alexander Bokovoy
obnox: review-
proposed patch for v4.3 (2.46 KB, patch)
2016-04-12 08:21 UTC, Alexander Bokovoy
obnox: review-
proposed patch for v4.2 (2.58 KB, patch)
2016-04-12 08:22 UTC, Alexander Bokovoy
obnox: review-
proposed patch for master (2.32 KB, patch)
2016-06-08 09:44 UTC, Alexander Bokovoy
no flags
patch for master (2.30 KB, patch)
2016-06-10 15:10 UTC, Andreas Schneider
no flags
patch for 4.3 (2.51 KB, patch)
2016-06-13 13:47 UTC, Andreas Schneider
asn: review? (gd)
patch for 4.4 (2.41 KB, patch)
2016-06-13 13:47 UTC, Andreas Schneider
asn: review? (gd)

Description Alexander Bokovoy 2016-04-12 07:53:32 UTC
When Samba is configured as a domain member in an Active Directory domain and this domain has trusts to other Active Directory domains, winbindd cannot use an unauthenticated netlogon session to the trusted domains' DCs.

This results in an inability to resolve users and groups of those domains.

A winbindd child log for that trusted domain would have an error message:

---------------------
Unwilling to make connection to domain FOO without connection level security, must set 'winbind sealed pipes = false', 'require strong key = false' to proceed
---------------------

To fix this temporarily, one needs to add the following options to the smb.conf:

  winbind sealed pipes = false
  require strong key = false
  winbind sealed pipes: PRIMARY = true
  require strong key: PRIMARY = true

where PRIMARY is the name of the primary domain Samba is joined to.

Still, I'd like to see this fixed in the code.
Comment 1 Alexander Bokovoy 2016-04-12 08:20:08 UTC
Created attachment 11980
proposed patch for master

proposed patch for master
Comment 2 Alexander Bokovoy 2016-04-12 08:20:39 UTC
Created attachment 11981
proposed patch for v4.4

proposed patch for v4.4
Comment 3 Alexander Bokovoy 2016-04-12 08:21:09 UTC
Created attachment 11982
proposed patch for v4.3

proposed patch for v4.3
Comment 4 Alexander Bokovoy 2016-04-12 08:22:26 UTC
Created attachment 11983
proposed patch for v4.2

proposed patch for v4.2
Comment 5 Uri Simchoni 2016-04-12 09:15:35 UTC
Functionality-wise, is there a specific wbinfo command that is failing?

Thanks,
Uri
Comment 6 Guenther Deschner 2016-04-12 09:17:21 UTC
(In reply to Uri Simchoni from comment #5)

wbinfo -a TRUSTED\user%pass
Comment 7 Michael Adam 2016-04-12 09:20:50 UTC
Comment on attachment 11983
proposed patch for v4.2

NACK:
The sneaked-in debug message whitespace fix does not belong in this patch, imho.

And somehow it feels this patch doesn't do gd justice, who wrote the initial (almost identical) fix for 3.6. :-)
Comment 8 Michael Adam 2016-04-12 09:50:10 UTC
Comment on attachment 11980
proposed patch for master

NACK as for 4.2:
- whitespace fix does not belong here
- Günther's original authorship is not mentioned.

Metze also mentioned we would like to do a better patch, conceptually.

Nack-ing this so it does not get accidentally merged in this form.
Comment 9 Michael Adam 2016-04-12 09:51:16 UTC
Comment on attachment 11981
proposed patch for v4.4

as for other versions:
patch works, but needs some amendment for upstream
Comment 10 Michael Adam 2016-04-12 09:51:46 UTC
Comment on attachment 11982
proposed patch for v4.3

as for other versions:
patch works but needs some amendment for upstream
Comment 11 Andrew Bartlett 2016-04-13 01:16:39 UTC
This patch doesn't feel right.  Why are we talking to our trusted domains over NETLOGON, and why isn't the patch specific to NETLOGON connections if that is what the issue is?

I would have expected this for SAMR (LSA and NETLOGON should be to our primary DC only) for user enum, but I would like to know more.  

This feels a bit blunt in short.

Sorry,
Comment 12 Alexander Bokovoy 2016-06-08 09:43:38 UTC
(In reply to Andrew Bartlett from comment #11)
> This patch doesn't feel right.  Why are we talking to our trusted domains
> over NETLOGON, and why isn't the patch specific to NETLOGON connections if
> that is what the issue is?
If you are a DC, you don't want to talk to trusted domains' DCs with unsealed connections. If you are a domain member, you don't want to talk to your DC with an unsealed connection. This is what the patch does.

> I would have expected this for SAMR (LSA and NETLOGON should be to our
> primary DC only) for user enum, but I would like to know more.  
You seem to limit this somehow to domain member only while the code affects DC -> DC operation as well.

> This feels a bit blunt in short.
A blunt thing is to get every single domain member/dc to change the configuration explicitly to
  winbind sealed pipes = false
  require strong key = false
  winbind sealed pipes: PRIMARY = true
  require strong key: PRIMARY = true

This is unbearable from a maintenance and support perspective. The patch does the same implicitly and saves a lot of effort for poor people in the field.
Comment 13 Alexander Bokovoy 2016-06-08 09:44:36 UTC
Created attachment 12166
proposed patch for master

Updated patch for master addressing Michael's review points.
Comment 14 Stefan Metzmacher 2016-06-08 10:56:58 UTC
(In reply to Alexander Bokovoy from comment #12)

I agree with Andrew, for upstream we should really try to avoid
the patch in this form.

We should try to remove the reason for making the connection at all.
Or at least understand why we're trying the connection and then
judge if we can avoid it.
Comment 15 Andreas Schneider 2016-06-10 15:10:08 UTC
Created attachment 12174
patch for master

Günther and I looked again at the code and debugged it further. The code changed in master and 4.4 so we think this is the correct patch.
Comment 16 Andreas Schneider 2016-06-13 13:47:28 UTC
Created attachment 12177
patch for 4.3
Comment 17 Andreas Schneider 2016-06-13 13:47:57 UTC
Created attachment 12178
patch for 4.4
Comment 18 wuhysmb 2016-07-28 08:46:09 UTC
Hi,
https://lists.samba.org/archive/samba/2016-July/201563.html

I get a similar problem: I cannot get all trusted domains.

Even with the patch, the problem is still there.


When I used samba-4.0.5, I joined my box to domain "HC1", and I got trusted
domain "CHILD2" in "wbinfo -m".

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2

Then I upgraded my box to samba-4.4.4, I lost CHILD2 in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2


In log.wb-HC2, I found the following messages:

[2016/07/26 12:02:03.981949,  5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962,  3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971,  4, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)


I compared wireshark pcapng between samba-4.0.5 and samba-4.4.4:
samba-4.0.5:
http://i.imgur.com/ytr7oMt.jpeg

samba-4.4.4:
http://i.imgur.com/f5bYOeo.jpeg

samba-4.4.4 did not send "create netlogon", "netlogon binding" and
DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".

I tried to use patch in
https://bugzilla.samba.org/show_bug.cgi?id=11830

After using this patch, samba-4.4.4 can send "create netlogon" and
"netlogon binding" but failed in NetrServerAuthenticate3.

http://i.imgur.com/vI6eB5R.jpeg

And I got these messages in log.wb-HC2:
2016/07/27 16:25:50.602158,  1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169,  5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182,  3, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
  ads: trusted_domains

Should I wait for new patch?
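As an added illustration (not part of this bug report or of Samba's own code), a small Python checker that groups winbindd child-log entries, re-joins lines that were wrapped when the log was pasted, and flags the trusted-domain NETLOGON failure messages quoted in the description and in comment 18. The sample log is constructed from the lines shown above; the regexes and function names are mine.

```python
import re

# A winbindd debug entry (format as pasted in comment 18): a header
# "[YYYY/MM/DD HH:MM:SS.usec,  level, pid=..., ..., class=winbind] file:line(function)"
# followed by the indented message. A leading "[" lost in copy-paste is tolerated.
ENTRY_START_RE = re.compile(r"^\[?\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+,")
ENTRY_RE = re.compile(r"^\[?(?P<ts>[^,]+),\s+(?P<level>\d+),.*?class=\w+\]\s*"
                      r"(?P<location>\S+:\d+\(\w+\))\s*(?P<message>.*)$", re.DOTALL)

# Signatures quoted in this bug: winbindd could not set up a secured NETLOGON
# connection to a trusted domain's DC (description and comment 18).
FAILURE_PATTERNS = [
    re.compile(r"Unwilling to make connection to domain (?P<domain>\S+) without connection level security"),
    re.compile(r"Could not open a connection to (?P<domain>\S+) for PIPE_NETLOGON \((?P<status>NT_STATUS_\w+)\)"),
    re.compile(r"rpccli_setup_netlogon_creds failed for (?P<domain>[^,]+), unable to setup "
               r"NETLOGON credentials: (?P<status>NT_STATUS_\w+)"),
]

def parse_entries(log_text: str) -> list[dict[str, str]]:
    """Group lines into entries, re-joining headers or messages that were wrapped
    across lines (as happens when a log is pasted into a mail or bug report)."""
    chunks: list[list[str]] = []
    for line in log_text.splitlines():
        if ENTRY_START_RE.match(line):
            chunks.append([line.strip()])
        elif chunks and line.strip():
            chunks[-1].append(line.strip())
    matches = (ENTRY_RE.match(" ".join(c)) for c in chunks)
    return [m.groupdict() for m in matches if m]

def find_trust_netlogon_failures(log_text: str) -> list[dict[str, str]]:
    # One finding per entry whose message matches a known failure signature.
    findings = []
    for e in parse_entries(log_text):
        for pat in FAILURE_PATTERNS:
            m = pat.search(e["message"])
            if m:
                findings.append({"ts": e["ts"], "domain": m["domain"], "location": e["location"],
                                 "status": m.groupdict().get("status") or "n/a"})
                break
    return findings

# Constructed sample; the third entry is wrapped and lacks its "[", as in the pasted log.
SAMPLE_LOG = """\
[2016/07/26 12:02:03.981949,  5, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962,  3, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
2016/07/27 16:25:50.602158,  1, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
"""
```

Running `find_trust_netlogon_failures(SAMPLE_LOG)` yields two findings for HC2, with NT_STATUS_CANT_ACCESS_DOMAIN_INFO and NT_STATUS_NO_TRUST_SAM_ACCOUNT; the NT_STATUS_UNSUCCESSFUL entry is only a consequence and is not reported.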
Comment 19 wuhysmb 2016-07-28 08:47:38 UTC
(In reply to wuhysmb from comment #18)
This is my domain environment, and all DCs are Windows 2008 R2

http://i.imgur.com/8cNOtm2.jpeg
Comment 20 Buck Huppmann 2016-09-24 22:52:18 UTC
i don't know about anything else on this thread, but i had the
same problem as <wuhysmb> in #18

running samba-4.3.9 as contained in ubuntu 14.04 at the time
i started futzing with this

the other cm_connect methods seem to work fine, in
source3/winbindd/winbindd_cm.c
but the cm_connect_netlogon_transport seems not to be able to
establish a secure connection to another forest's root
(netr_ServerAuthenticate3: NT_STATUS_NO_TRUST_ACCOUNT or
something like that) because it doesn't look to try to bind/authenticate
using kerberos

so i dropped this return statement:

https://git.samba.org/samba.git/?p=samba.git;a=blob;f=source3/winbindd/winbindd_cm.c;h=075a818936bbd8857678cd3c04df3b460db6d92d;hb=8e713282581a910b44fe541c354bf0ae9650376c#l3287

so that it hits the goto on the next line and just uses an
anonymously-bound pipe (i guess?), which is what i think it
was doing before on our samba 3.6 installations (yes, we
are a little behind the times), and i can then do wbinfo -m
and see all the child domains of other forests

(just to be clear:  i didn't apply any of the other patches
attached to this bz or mess with smb.conf signing configs)

sorry, Mr. <metze>:  i wish i knew enough about how all this
stuff worked to contribute a patch to fix up secure-channel
establishment cross-forest, but i have no idea how any of
these protocols work--i'm just a user