Bug 12368 - winbind trusted domain scan in forest triggers errors
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.5.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Christof Schmitt
QA Contact: Samba QA Contact
Reported: 2016-10-07 22:21 UTC by Christof Schmitt
Modified: 2016-10-10 17:54 UTC (History)
Description Christof Schmitt 2016-10-07 22:21:38 UTC
Given a setup with a forest and a child domain:
example.com
subdom.example.com

When winbindd is joined as a domain member to the child domain, it tries
to contact the child domain controller and then the forest root domain
controller to discover trusted domains. Contacting the forest root
domain controller fails, resulting in an error message in the winbindd log:

[2016/10/07 15:10:38.203388,  1, pid=12113, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain EXAMPLE

The failure is due to the domain controller of the forest root rejecting
the authentication on the netlogon pipe:

[2016/10/07 15:10:38.203273,  1, pid=12128, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3321(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for EXAMPLE, unable to setup NETLOGON credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/10/07 15:10:38.203298,  5, pid=12128, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1578(trusted_domains)
  trusted_domains: Could not open a connection to EXAMPLE for PIPE_NETLOGON (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/10/07 15:10:38.203312,  3, pid=12128, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL

This also triggers an event in the domain controller event log:

Event 3723, Netlogon

The session setup from computer 'SANDRATTLER-VM4' failed because the security database does not contain a trust account 'SANDRATTLER-VM4$' referenced by the specified computer.
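
A log triage sketch for the failure described in this report, added here as an example and not part of the original report or of Samba's code: it parses winbindd log records in the format quoted above and pairs each failed trust listing with the NETLOGON status logged for the same domain. The function names and the NetBIOS name SUBDOM for the joined domain are assumptions; the sample records are copied from the report.

```python
import re

# Constructed sample: two records copied from the log excerpt in the report.
SAMPLE = """\
[2016/10/07 15:10:38.203273,  1, pid=12128, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3321(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for EXAMPLE, unable to setup NETLOGON credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/10/07 15:10:38.203388,  1, pid=12113, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain EXAMPLE
"""

# Header line of a debug record: [timestamp, level, pid=..., ...] file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+), pid=(?P<pid>\d+),.*?\]\s+"
    r"\S+:\d+\((?P<func>\w+)\)\s*$")
# Message patterns taken from the two failure messages quoted in the report.
CREDS_FAIL = re.compile(r"rpccli_setup_netlogon_creds failed for (\S+),.*?(NT_STATUS_\w+)")
TRUST_FAIL = re.compile(r"Could not receive trusts for domain (\S+)")

def parse_records(text):
    """Yield (header_fields, message); non-header lines continue the current record."""
    fields, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if fields:
                yield fields, " ".join(body)
            fields, body = m.groupdict(), []
        elif fields and line.strip():
            body.append(line.strip())
    if fields:
        yield fields, " ".join(body)

def trust_scan_failures(text, joined_domain):
    """Map each domain whose trust listing failed to its NETLOGON status.

    joined_domain is the NetBIOS name of the domain this member is joined to
    (assumed to be supplied by the operator); it separates failures against
    other domains in the forest from failures against the member's own domain.
    """
    status, failed = {}, set()
    for _, msg in parse_records(text):
        if (m := CREDS_FAIL.search(msg)):
            status[m.group(1)] = m.group(2)
        if (m := TRUST_FAIL.search(msg)):
            failed.add(m.group(1))
    return {d: {"status": status.get(d, "unknown"),
                "joined_domain": d.upper() == joined_domain.upper()}
            for d in sorted(failed)}

if __name__ == "__main__":
    print(trust_scan_failures(SAMPLE, "SUBDOM"))
```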