Bug 13167 - Can't authenticate user from child-domain of trusted forest
Summary: Can't authenticate user from child-domain of trusted forest
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
Reported: 2017-11-26 18:36 UTC by Ralph Böhme
Modified: 2017-12-01 16:43 UTC

Attachments
Patch that went into master (5.27 KB, patch)
2017-11-29 15:09 UTC, Ralph Böhme

Description Ralph Böhme 2017-11-26 18:36:10 UTC
Trying to authenticate a user from a child-domain SUBDOM11 of a trusted AD forest fails, because when trying to connect to the DC of the root domain of the trusted forest in order to enumerate (in-forest) trusts, we fail to establish a netlogon connection:

[2017/11/26 19:20:40.391079,  1, pid=24889] ../source3/winbindd/winbindd_cm.c:3252(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for WDOM1, unable to create NETLOGON credentials: NT_STATUS_INVALID_PARAMETER

Because of this the user's domain SUBDOM11 is not in the winbind TDC cache:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                               None        Yes         Yes  Yes
TITAN                                 None        Yes         Yes  Yes
WDOM2           wdom2.site            None        Yes         Yes  Yes
WDOM1           wdom1.site            Forest      Yes         Yes  Yes

It should look like this:

$ bin/wbinfo -m --verbose
Domain Name     DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                               None        Yes         Yes  Yes
TITAN                                 None        Yes         Yes  Yes
WDOM2           wdom2.site            None        Yes         Yes  Yes
WDOM1           wdom1.site            Forest      Yes         Yes  Yes
SUBDOM11        subdom11.wdom1.site   Forest      Yes         Yes  Yes
TREER11         treer11.site          Forest      Yes         Yes  Yes

Have WIP patch, need bug number.

This is a regression introduced by d7e31d9f4d9ce7395e458ac341dd83ac06255a20 "winbindd: Use rpccli_connect_netlogon".
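A small health check for the symptom described in this report, added here as an example and not part of Samba or of the patch attached to this bug: it parses the `wbinfo -m --verbose` table for the DNS domains an administrator expects winbind to know about (the list of expected domains is an assumption you would adapt to your own forest layout), and it counts the two winbindd log signatures quoted in this bug so a monitoring job can raise an alert when trusted-forest enumeration silently stops working. The sample table and log lines are taken from this report; the function names are my own.

```shell
#!/bin/sh
# Added example (not Samba code): check that winbind's trusted-domain cache
# contains every domain we expect, and spot the log signatures from bug 13167.

# Constructed sample: the broken `wbinfo -m --verbose` output from the report
# (child domain SUBDOM11 and tree root TREER11 of the trusted forest are missing).
WBINFO_BROKEN='Domain Name     DNS Domain            Trust Type  Transitive  In   Out
BUILTIN                               None        Yes         Yes  Yes
TITAN                                 None        Yes         Yes  Yes
WDOM2           wdom2.site            None        Yes         Yes  Yes
WDOM1           wdom1.site            Forest      Yes         Yes  Yes'

# Constructed sample: the expected output once in-forest trusts are enumerated.
WBINFO_FIXED="$WBINFO_BROKEN
SUBDOM11        subdom11.wdom1.site   Forest      Yes         Yes  Yes
TREER11         treer11.site          Forest      Yes         Yes  Yes"

# Constructed sample: the two winbindd log lines quoted in this bug report.
LOG_SAMPLE='[2017/11/26 19:20:40.391079,  1, pid=24889] ../source3/winbindd/winbindd_cm.c:3252(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for WDOM1, unable to create NETLOGON credentials: NT_STATUS_INVALID_PARAMETER
[2017/11/29 10:14:52.723321,  1, pid=19630] ../source3/winbindd/winbindd_util.c:393(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain WDOM1'

# missing_domains TABLE EXPECTED_DNS_DOMAIN...
# Prints each expected DNS domain that does not appear in column 2 of the table
# (the header line is skipped). Returns 1 if at least one domain is missing.
missing_domains() {
    table=$1
    shift
    rc=0
    for dom in "$@"; do
        if ! printf '%s\n' "$table" |
            awk -v d="$dom" 'NR > 1 && $2 == d { found = 1 } END { exit !found }'; then
            echo "$dom"
            rc=1
        fi
    done
    return $rc
}

# count_trust_errors LOGTEXT
# Prints how many log lines carry either signature seen in this bug: the failed
# NETLOGON credential setup or the trustdom_list_done failure that follows it.
count_trust_errors() {
    printf '%s\n' "$1" |
        grep -c -E 'rpccli_create_netlogon_creds failed|Could not receive trusts for domain' || true
}

# Stand-alone run: in production you would feed `bin/wbinfo -m --verbose` output
# and the winbindd log instead of the constructed samples above.
if missing_domains "$WBINFO_BROKEN" wdom1.site subdom11.wdom1.site treer11.site >/dev/null; then
    echo "all expected trusted domains present"
else
    echo "missing trusted domains in winbind TDC cache:"
    missing_domains "$WBINFO_BROKEN" wdom1.site subdom11.wdom1.site treer11.site
fi
echo "trust enumeration error lines in log: $(count_trust_errors "$LOG_SAMPLE")"
```

The domain check deliberately matches on the DNS Domain column rather than the NetBIOS name, because that is the column left empty for BUILTIN and the local domain, so a short name can never be mistaken for a trust entry.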
Comment 1 Ralph Böhme 2017-11-29 09:17:09 UTC
Fwiw, this message is also logged in the log of the domain-child process of the trusted forest:

[2017/11/29 10:14:52.723321,  1, pid=19630] ../source3/winbindd/winbindd_util.c:393(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain WDOM1
Comment 2 Ralph Böhme 2017-11-29 15:09:15 UTC
Created attachment 13822 [details]
Patch that went into master
Comment 3 Ralph Böhme 2017-11-30 09:10:00 UTC
Fixed in master by 96b44e9da57~2..96b44e9da57.