When Samba is configured as a domain member in an Active Directory domain and this domain has trusts to other Active Directory domains, winbindd cannot use an unauthenticated netlogon session to the trusted domains' DCs. This results in an inability to resolve users and groups of those domains. A winbindd child log for that trusted domain would have an error message:

---------------------
Unwilling to make connection to domain FOO without connection level security, must set 'winbind sealed pipes = false', 'require strong key = false' to proceed
---------------------

To fix this temporarily, one needs to add the following options to the smb.conf:

winbind sealed pipes = false
require strong key = false
winbind sealed pipes: PRIMARY = true
require strong key: PRIMARY = true

where PRIMARY is the name of the primary domain Samba is joined to. Still, I'd like to see this fixed in the code.
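As an added illustration (not part of the bug report or of Samba's code), the following script parses the `parameter: DOMAIN = value` per-domain override syntax that the workaround above relies on and reports which domains winbindd would still contact without sealed pipes or a strong key. The smb.conf fragment embedded in it is constructed to mirror the workaround.

```python
import re

# Constructed smb.conf fragment reproducing the workaround from the report:
# sealing/strong key disabled globally, re-enabled only for the primary domain.
SAMPLE_SMB_CONF = """
[global]
    workgroup = PRIMARY
    security = ads
    winbind sealed pipes = false
    require strong key = false
    winbind sealed pipes: PRIMARY = true
    require strong key: PRIMARY = true
"""

# "param = value" or "param: DOMAIN = value" (the per-domain override form).
LINE_RE = re.compile(r"^\s*(?P<key>[^=:]+?)(?::\s*(?P<dom>[^=]+?))?\s*=\s*(?P<val>.*?)\s*$")

def parse_global(conf: str) -> dict:
    """Return {(param, domain_or_None): value} for the [global] section."""
    settings, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        m = LINE_RE.match(line) if in_global else None
        if m:
            key = m.group("key").strip().lower()
            dom = m.group("dom").strip().upper() if m.group("dom") else None
            settings[(key, dom)] = m.group("val")
    return settings

def effective(settings: dict, param: str, domain: str) -> bool:
    """Per-domain override wins, then the global value; both default to yes in Samba."""
    val = settings.get((param, domain.upper()), settings.get((param, None), "yes"))
    return val.strip().lower() in ("yes", "true", "1")

def unsealed_domains(conf: str, domains: list) -> list:
    """Domains whose NETLOGON connection would be made without sealing or a strong key."""
    s = parse_global(conf)
    return [d for d in domains
            if not (effective(s, "winbind sealed pipes", d)
                    and effective(s, "require strong key", d))]
```

Run `unsealed_domains(SAMPLE_SMB_CONF, ["PRIMARY", "FOO"])` to see that the weakening is confined to the trusted domain FOO while PRIMARY keeps the secure defaults.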
Created attachment 11980: proposed patch for master
Created attachment 11981: proposed patch for v4.4
Created attachment 11982: proposed patch for v4.3
Created attachment 11983: proposed patch for v4.2
Functionality-wise, is there a specific wbinfo command that is failing? Thanks, Uri
(In reply to Uri Simchoni from comment #5) wbinfo -a TRUSTED\user%pass
Comment on attachment 11983 (proposed patch for v4.2): NACK: the sneaked-in debug message whitespace fix does not belong in this patch, imho. And somehow it feels this patch doesn't do gd justice, who wrote the initial (almost identical) fix for 3.6. :-)
Comment on attachment 11980 (proposed patch for master): NACK as for 4.2: - whitespace fix does not belong here - missing mention of Günther's original authorship. Metze also mentioned we would like to do a better patch, conceptually. Nack-ing this so it does not get accidentally merged in this form.
Comment on attachment 11981 (proposed patch for v4.4): as for other versions: patch works, but needs some amendment for upstream.
Comment on attachment 11982 (proposed patch for v4.3): as for other versions: patch works, but needs some amendment for upstream.
This patch doesn't feel right. Why are we talking to our trusted domains over NETLOGON, and why isn't the patch specific to NETLOGON connections if that is what the issue is? I would have expected this for SAMR (LSA and NETLOGON should be to our primary DC only) for user enum, but I would like to know more. This feels a bit blunt in short. Sorry,
(In reply to Andrew Bartlett from comment #11)
> This patch doesn't feel right. Why are we talking to our trusted domains
> over NETLOGON, and why isn't the patch specific to NETLOGON connections if
> that is what the issue is?

If you are a DC, you don't want to talk to trusted domains' DCs with unsealed connections. If you are a domain member, you don't want to talk to your DC with an unsealed connection. This is what the patch does.

> I would have expected this for SAMR (LSA and NETLOGON should be to our
> primary DC only) for user enum, but I would like to know more.

You seem to limit this somehow to domain members only, while the code affects DC -> DC operation as well.

> This feels a bit blunt in short.

A blunt thing is to get every single domain member/DC to change the configuration explicitly to

winbind sealed pipes = false
require strong key = false
winbind sealed pipes: PRIMARY = true
require strong key: PRIMARY = true

This is unbearable from a maintenance and support perspective. The patch does the same implicitly and saves a lot of effort for poor people in the field.
Created attachment 12166: proposed patch for master. Updated patch for master addressing Michael's review points.
(In reply to Alexander Bokovoy from comment #12) I agree with Andrew, for upstream we should really try to avoid the patch in this form. We should try to remove the reason for making the connection at all. Or at least understand why we're trying the connection and then judge if we can avoid it.
Created attachment 12174: patch for master. Günther and I looked again at the code and debugged it further. The code changed in master and 4.4, so we think this is the correct patch.
Created attachment 12177: patch for 4.3
Created attachment 12178: patch for 4.4
Hi,

https://lists.samba.org/archive/samba/2016-July/201563.html

I get a similar problem: I cannot get all trusted domains. Even with the patch, the problem is still there.

When I used samba-4.0.5 and joined my box to domain "HC1", I got trusted domain "CHILD2" in "wbinfo -m".

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2

Then I upgraded my box to samba-4.4.4, and I lost CHILD2 in "wbinfo -m".

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2

In log.wb-HC2, I found the following messages:

[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)

I compared wireshark pcapng between samba-4.0.5 and samba-4.4.4:

samba-4.0.5: http://i.imgur.com/ytr7oMt.jpeg
samba-4.4.4: http://i.imgur.com/f5bYOeo.jpeg

samba-4.4.4 did not send "create netlogon", "netlogon binding" and DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".

I tried to use the patch in https://bugzilla.samba.org/show_bug.cgi?id=11830. After using this patch, samba-4.4.4 can send "create netlogon" and "netlogon binding" but fails in NetrServerAuthenticate3.
http://i.imgur.com/vI6eB5R.jpeg

And I got these messages in log.wb-HC2:

2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
  ads: trusted_domains

Should I wait for a new patch?
(In reply to wuhysmb from comment #18) This is my domain environment, and all DCs are Windows 2008 R2: http://i.imgur.com/8cNOtm2.jpeg
i don't know about anything else on this thread, but i had the same problem as <wuhysmb> in #18 running samba-4.3.9 as contained in ubuntu 14.04 at the time i started futzing with this.

the other cm_connect methods seem to work fine in source3/winbindd/winbindd_cm.c, but cm_connect_netlogon_transport seems not to be able to establish a secure connection to another forest's root (netr_ServerAuthenticate3: NT_STATUS_NO_TRUST_ACCOUNT or something like that), because it doesn't look to try to bind/authenticate using kerberos. so i dropped this return statement:

https://git.samba.org/samba.git/?p=samba.git;a=blob;f=source3/winbindd/winbindd_cm.c;h=075a818936bbd8857678cd3c04df3b460db6d92d;hb=8e713282581a910b44fe541c354bf0ae9650376c#l3287

so that it hits the goto on the next line and just uses an anonymously-bound pipe (i guess?), which is what i think it was doing before on our samba 3.6 installations (yes, we are a little behind the times), and i can then do wbinfo -m and see all the child domains of other forests. (just to be clear: i didn't apply any of the other patches attached to this bz or mess with smb.conf signing configs.)

sorry, Mr. <metze>: i wish i knew enough about how all this stuff worked to contribute a patch to fix up secure-channel establishment cross-forest, but i have no idea how any of these protocols work--i'm just a user.
(In reply to Buck Huppmann from comment #20) 'wbinfo -m' can't reliably list all domains behind transitive trusts. Besides this "cosmetic" problem, are other things failing for you?
(In reply to Stefan Metzmacher from comment #21) Ok, I found that is_trusted_domain() needs to know about a domain in order to let smb authentication work.
Created attachment 12978: patches for v4-6-test
Created attachment 12979: patches for v4-5-test
Created attachment 12980: patch for v4-4-test
Reassigning to Karolin for inclusion in 4.4, 4.5 and 4.6.
Pushed to autobuild-v4-{4,5,6}-test.
(In reply to Stefan Metzmacher from comment #27) Pushed to all branches. Closing out bug report. Thanks!