Since the introduction of the winbind connection manager, pam_winbind support is broken for users coming from one-way outgoing trusted domains. PAM authentication ends with the message "no logon servers". The reason is: the machine account can't authenticate to an outgoing-only trusted domain, which leads CM to set the domain to offline, and also to say there's no logon server available. But this does not mean the domain is offline! This breaks the Microsoft Red Forest concept.
Created attachment 14063 [details] patch centos 7.4
Here is my quick fix proposal. The question is which approach to take:
- improve this fix with the domain->initialized flag;
- change the way CM works with the online flag. This flag could be set from basic domain->initialized plus lower-level connectivity tests other than authentication with the machine account.
(In reply to fanch from comment #0) I guess this is only a problem if pam_winbind is configured to use krb5 (which might be the default). Create level 10 log files using this?

wbinfo -p
wbinfo --authenticate='DOMAIN\username'
wbinfo -p
wbinfo --krb5auth='DOMAIN\username'
wbinfo -p
wbinfo --pam-logon='DOMAIN\username'
wbinfo -p
Created attachment 14079 [details] one-way trust failed log with krb5: failed log with Kerberos and NTLM support in forests
Yes, the problem doesn't show up if you disable Kerberos authentication (but my customer needs it because of SSH/GSS). It's working thanks to the fact that the DC from our_domain is online and forwards the request to the DC of the trusted forest. But the workstation has to be able to contact a DC in the trusted forest directly. As far as I know, the DC locator process looks for the DNS SRV record _ldap._tcp.WORKSTATION_SITE._sites.dc._msdcs.TRUSTED_FOREST and tries to do netlogon on it. I'm beginning to understand the point, as CM is also in charge of determining the site DC when preparing the connection. I'm going to try to find a way of making CM work this way.
(In reply to fanch from comment #4) The correct way to do this is to also go via the primary domain for Kerberos and use an enterprise principal name, and then just follow the referrals we're getting. But that's a bit tricky, as the Kerberos libraries won't use site-aware KDC lookups when following the referrals. The trick would be to use krb5_init_creds_step() and krb5_tkt_creds_step(), which allow us to do the network traffic on our own. But these need to be fixed/ported from MIT to Heimdal first.
For the site KDC lookups I think we can rely on the KDC locator plugin, so krb should use the correct DC in the trusted forest. I guess we do the DNS locator request and inform krb via the plugin. MIT krb seems to be able to manage referrals by itself, so it should be OK (at least for MIT krb). And the same goes for SamLogon (I mean, it's not because our DC is able to do the trusted authentication that we have to do only this). So I will try to create a new patch that does the DNS request to look up site KDCs and then informs krb with the locator plugin.
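As an added illustration (not Samba code and not the patch discussed in this bug), the following shows the two pieces the comments above describe: building the site-specific DC locator SRV name for a trusted forest, and a lightweight reachability check over the returned DCs that does not depend on machine-account authentication. The SRV records and the `connect` hook are constructed here so it runs offline; a TCP connect is a crude stand-in for the CLDAP netlogon ping a real locator would send.

```python
import socket
from contextlib import nullcontext
from typing import Callable, List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def site_dc_srv_name(service: str, site: str, forest: str) -> str:
    """Site-specific DC locator name, e.g. _ldap._tcp.<site>._sites.dc._msdcs.<forest>."""
    return f"_{service}._tcp.{site}._sites.dc._msdcs.{forest}"


def order_srv(records: List[SrvRecord]) -> List[SrvRecord]:
    """Lowest priority first; within a priority, higher weight first (simplified RFC 2782)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def tcp_reachable(host: str, port: int, timeout: float = 2.0,
                  connect: Callable = socket.create_connection) -> bool:
    """Cheap online probe: can we open a TCP session to the DC at all?"""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_reachable_dc(records: List[SrvRecord],
                      connect: Callable = socket.create_connection) -> Optional[SrvRecord]:
    """Walk DCs in SRV order and return the first one that answers; None means 'no logon servers'."""
    for rec in order_srv(records):
        if tcp_reachable(rec.target, rec.port, connect=connect):
            return rec
    return None


# Constructed sample answer for _ldap._tcp.WORKSTATION_SITE._sites.dc._msdcs.TRUSTED_FOREST
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=50, port=389, target="dc2.trusted.example"),
    SrvRecord(priority=0, weight=100, port=389, target="dc1.trusted.example"),
    SrvRecord(priority=10, weight=0, port=389, target="dc-backup.trusted.example"),
]


def fake_connect_only(up_hosts):
    """Constructed connect() replacement: succeeds only for hosts in up_hosts."""
    def connect(addr, timeout=None):
        if addr[0] in up_hosts:
            return nullcontext()
        raise OSError("connection refused")
    return connect
```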
Tested on samba-4.8.3. I can get user information from 1-way/non-transitive trusted forests. winbind -join-> Forest-1 --1-Way/Non-Transitive/Outgoing/External Trust-> Forest-2. Not tested with 1-way trusted domains. But the code below is not yet merged in 4.8.3: /* Check for Samlogon authentication */ - if (domain->online) { + if (domain->online || !(domain->domain_flags & NETR_TRUST_FLAG_INBOUND)) {
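Review bot: the new condition in the Samlogon check lets any domain whose NETR_TRUST_FLAG_INBOUND bit is clear through regardless of domain->online, so an outgoing-only trust whose DCs are genuinely unreachable will now be tried as if it were online, and the earlier "no logon servers" state is just replaced by a failure further down the path. Consider pairing the flag test with domain->initialized, or with a lightweight reachability check before the Samlogon attempt, as proposed in comment #1, so that "not inbound" and "not reachable" stay distinguishable.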