Bug 13346 - cannot authenticate users from a one way trusted domain
Summary: cannot authenticate users from a one way trusted domain
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-03-21 18:00 UTC by fanch
Modified: 2019-02-04 06:22 UTC

See Also:

patch centos 7.4 (1.03 KB, patch) - 2018-03-21 20:14 UTC, fanch
one way trust failed log with krb5 (408.98 KB, text/plain) - 2018-03-23 09:33 UTC, fanch

Description fanch 2018-03-21 18:00:52 UTC
Since the introduction of the winbind connection manager, pam_winbind support is broken for users coming from one-way outgoing trusted domains.

PAM authentication ends with the message "no logon servers".

The reason is: the machine account can't authenticate to an outgoing-only trusted domain, which leads the CM to set the domain to offline, which in turn leads to the "no logon server available" answer.

But this does not mean the domain is offline!

This breaks Microsoft's Red Forest concept.
Comment 1 fanch 2018-03-21 20:14:35 UTC
Created attachment 14063 [details]
patch centos 7.4

Here is my quick fix proposal.

The question is: which approach?

- Improve this fix with the domain->initialized flag.

- Change the way CM works with the online flag.

This flag could be set from a basic domain->initialized plus lower-level connectivity tests other than authentication with the machine account.
Comment 2 Stefan Metzmacher 2018-03-22 09:11:05 UTC
(In reply to fanch from comment #0)

I guess this is only a problem if pam_winbind is configured to use
krb5 (which might be the default).

Create level 10 log files using this?

wbinfo -p
wbinfo --authenticate='DOMAIN\username'
wbinfo -p
wbinfo --krb5auth='DOMAIN\username'
wbinfo -p
wbinfo --pam-logon='DOMAIN\username'
wbinfo -p
Comment 3 fanch 2018-03-23 09:33:40 UTC
Created attachment 14079 [details]
one way trust failed log with krb5

Failed log with Kerberos and NTLM support in forests.
Comment 4 fanch 2018-03-23 15:18:33 UTC
Yes, the problem doesn't show up if you disable Kerberos authentication (but my customer needs it because of SSH/GSS).

It's working thanks to the fact that the DC from our_domain is online and forwards the request to the DC of the trusted forest.

But the workstation has to be able to contact a DC in the trusted forest directly.

As far as I know, the DC locator process looks for the DNS SRV record _ldap._tcp.WORKSTATION_SITE._sites.dc._msdcs.TRUSTED_FOREST and tries to do netlogon on it.

I'm beginning to understand the point, as CM is also in charge of determining the site DC when preparing the connection.

I'm going to try to find a way of making CM work this way.
Comment 5 Stefan Metzmacher 2018-03-23 15:36:18 UTC
(In reply to fanch from comment #4)

The correct way to do this is to also go via the primary domain for Kerberos, use an enterprise principal name and then just follow the referrals we're getting.

But that's a bit tricky, as the Kerberos libraries won't use site-aware KDC lookups when following the referrals. The trick would be to use krb5_init_creds_step() and krb5_tkt_creds_step(), which allow us to do the network traffic on our own. But these need to be fixed/ported from MIT to Heimdal first.
Comment 6 fanch 2018-06-19 14:56:03 UTC
For the site KDC lookups I think we can rely on the KDC locator plugin.

So krb should use the correct DC in the trusted forest.

I guess: do the DNS locator request and inform krb via the plugin.

MIT krb seems to be able to manage referrals by itself, so it should be OK (at least for MIT krb).

And the same goes for SamLogon (I mean, it's not because our DC is able to do the trusted authentication that we have to do only this).

So I will try to create a new patch that does the DNS request to look up site KDCs and then informs krb with the locator plugin.
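The site-aware DC locator lookup that comments 4 and 6 describe (try the SRV record for the workstation's site under _sites.dc._msdcs.FOREST first, then fall back to the forest-wide record, and order the answers by SRV priority and weight), as an added example that is not Samba code or the reporter's patch. The DNS resolver is injected as a function and the zone data is constructed, so it runs offline; the forest, site and host names are made up.

```python
"""Site-aware DC locator over SRV records for a trusted forest (example, not Samba code)."""
import random
from typing import Callable, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)


def dc_srv_names(forest: str, site: Optional[str]) -> List[str]:
    """SRV names in lookup order: the site-specific name first when a site is known."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{forest}")
    names.append(f"_ldap._tcp.dc._msdcs.{forest}")
    return names


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first, weighted-random choice inside a priority."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.uniform(0, total) if total else 0
            for i, rec in enumerate(pool):
                pick -= rec[1]
                if pick <= 0 or i == len(pool) - 1:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def locate_dc(forest: str, site: Optional[str],
              resolve: Callable[[str], List[SrvRecord]], seed: int = 0):
    """Return (srv name used, [(host, port), ...]) or None when no record exists.
    None is the situation the bug reports as "no logon servers"."""
    rng = random.Random(seed)
    for name in dc_srv_names(forest, site):
        records = resolve(name)
        if records:
            return name, [(r[3], r[2]) for r in order_srv(records, rng)]
    return None


# Constructed sample zone: one record for the "Paris" site, two forest-wide records.
SAMPLE_ZONE = {
    "_ldap._tcp.Paris._sites.dc._msdcs.trusted.example": [(0, 100, 389, "dc1.trusted.example")],
    "_ldap._tcp.dc._msdcs.trusted.example": [(0, 100, 389, "dc1.trusted.example"),
                                             (10, 50, 389, "dc2.trusted.example")],
}


def sample_resolve(name: str) -> List[SrvRecord]:
    """Stand-in for a DNS SRV query against the constructed zone above."""
    return SAMPLE_ZONE.get(name, [])
```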
Comment 7 Amit Kumar 2019-02-04 06:22:48 UTC
Tested on samba-4.8.3.
Can get user information from 1-way/non-transitive trusted forests.

winbind -join-> Forest-1 --1-Way/Non-Transitive/Outgoing/External Trust-> Forest-2.

Not tested with 1-way trusted domains.
But the code below is not yet merged in 4.8.3:
 	/* Check for Samlogon authentication */
-	if (domain->online) {
+	if (domain->online || !(domain->domain_flags & NETR_TRUST_FLAG_INBOUND)) {
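Review bot: the new condition on the `+ if (domain->online || !(domain->domain_flags & NETR_TRUST_FLAG_INBOUND))` line is also true for a domain whose domain_flags are still zero (trust flags not yet retrieved), because `!(0 & NETR_TRUST_FLAG_INBOUND)` holds, so such a domain is sent to SamLogon even though the connection manager never marked it online. Consider guarding the flag test with a check that the trust information was actually fetched (comment 1 mentions domain->initialized for this purpose), and extend the `/* Check for Samlogon authentication */` comment to say why outgoing-only trusts bypass the online check.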