13167 – Can't authenticate user from child-domain of trusted forest

Bug 13167 - Can't authenticate user from child-domain of trusted forest

Summary: Can't authenticate user from child-domain of trusted forest

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Ralph Böhme
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-11-26 18:36 UTC by Ralph Böhme
Modified:	2017-12-01 16:43 UTC (History)
CC List:	1 user (show)

See Also:	12851 13173

Attachments
Patch that went into master (5.27 KB, patch) 2017-11-29 15:09 UTC, Ralph Böhme	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2017-11-26 18:36:10 UTC

Trying to authenticate a user from a child-domain SUBDOM11 of a trusted AD forest fails, because when trying to connect to the DC of root-domain of the trusted forrest in order to enumerate  (in-forest) trusts, we fail to establish a netlogon connection:

[2017/11/26 19:20:40.391079,  1, pid=24889] ../source3/winbindd/winbindd_cm.c:3252(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for WDOM1, unable to create NETLOGON credentials: NT_STATUS_INVALID_PARAMETER

Because of this the user's domain SUBDOM11 is not in the winbind TDC cache:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                               None        Yes         Yes  Yes
TITAN                                 None        Yes         Yes  Yes
WDOM2           wdom2.site            None        Yes         Yes  Yes
WDOM1           wdom1.site            Forest      Yes         Yes  Yes

It should look like this:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                               None        Yes         Yes  Yes
TITAN                                 None        Yes         Yes  Yes
WDOM2           wdom2.site            None        Yes         Yes  Yes
WDOM1           wdom1.site            Forest      Yes         Yes  Yes
SUBDOM11        subdom11.wdom1.site   Forest      Yes         Yes  Yes
TREER11         treer11.site          Forest      Yes         Yes  Yes

Have WIP patch, need bugnumber.

This is a regression introduced by d7e31d9f4d9ce7395e458ac341dd83ac06255a20 "winbindd: Use rpccli_connect_netlogon".

Comment 1 Ralph Böhme 2017-11-29 09:17:09 UTC

Fwiw, this message is also logged in the log of the domain-child process of the trusted forest:

[2017/11/29 10:14:52.723321,  1, pid=19630] ../source3/winbindd/winbindd_util.c:393(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain WDOM1

Comment 2 Ralph Böhme 2017-11-29 15:09:15 UTC

Created attachment 13822 [details]
Patch that went into master

Comment 3 Ralph Böhme 2017-11-30 09:10:00 UTC

Fixed in master by 96b44e9da57~2..96b44e9da57.