Bug 13479 - ssh+gssapi+winbind not retrieving group membership in one-way trusted (ESAE) environments
Summary: ssh+gssapi+winbind not retrieving groups membership in one way trusted (ESAE)...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.8.2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-20 06:33 UTC by fanch
Modified: 2019-02-07 06:26 UTC
CC: 3 users

See Also:


Description fanch 2018-06-20 06:33:40 UTC
sshd+gssapi+winbind authentication succeeds but group membership is not retrieved.

The AD setup is the MS ESAE AD design (one admin forest, one production forest, one-way trust from the production forest to the admin forest, selective authentication etc.). The production forest and the admin forest are using the rid backend and template shell and homedir (this setup enables the one-way forest trust to work without having to connect/bind to it).

Groups follow the ESAE model (admin global group included in a production local group).

When doing ssh+SSPI from PuTTY on an admin domain workstation to sshd on a resource server, authentication succeeds but group membership is limited to the "domain users" (513) group and the auto private group (gid=uid).

If I fill the winbind cache with an ssh password interactive login, the next ssh with GSS/SSPI will almost correctly show group membership (picked from the cache).

After investigating, I think there is no glue between ssh <-> PAM (account/session) <-> pam_winbind <-> winbindd to make winbind parse the PAC from the ticket (TGS) received by sshd and validate/update the cache to reflect the user's group membership.

If I allow the computer to delegate Kerberos tickets, ssh will store (storecred) a full TGT in the ccache of the user from the trusted forest KDC, but winbind will not return group membership either (even though the user env has a valid TGT that enables directly contacting the trusted admin forest).
Comment 1 Björn Jacke 2018-06-20 11:01:49 UTC
without verbose log files from client and/or server side there is not a lot anyone can say here I'm afraid. I think you need to dig deeper on your own here first.

But as you also write "if i fill the winbind cache with a ssh password interactive login, next ssh with gss/sspi will almost correctly show group membership (picked from cache)" it seems to basically work.
Comment 2 Amit Kumar 2019-02-04 06:35:19 UTC
Yes, I am able to reproduce the issue.

Forest Trust: 1-Way/Non-Transitive/Outgoing/External.
# id amitk3-dtest@dtest.com
uid=16777224(DTEST\amitk3-dtest) gid=16777282(DTEST\domain users) groups=16777282(DTEST\domain users)
//group1-dtest, group2-dtest are missing.


Forest Trust: 2-way/Transitive/Incoming/Outgoing
# id amitk3-dtest@dtest.com
uid=16777224(DTEST\amitk3-dtest) gid=16777282(DTEST\domain users) groups=16777282(DTEST\domain users),16777283(DTEST\group1-dtest),16777284(DTEST\group2-dtest)
Comment 3 Amit Kumar 2019-02-04 07:23:06 UTC
For 2-way/transitive Trusted domain:

struct lsa_TransNameArray is filled. 

              names                    : *
                  names: struct lsa_TransNameArray
                      count                    : 0x00000002 (2)
                      names                    : *
                          names: ARRAY(2)
                              names: struct lsa_TranslatedName
                                  sid_type                 : SID_NAME_DOM_GRP (2)
                                  name: struct lsa_String
                                      length                   : 0x0018 (24)
                                      size                     : 0x0018 (24)
                                      string                   : *
                                          string                   : 'group1-dtest'
                                  sid_index                : 0x00000000 (0)
                              names: struct lsa_TranslatedName
                                  sid_type                 : SID_NAME_DOM_GRP (2)
                                  name: struct lsa_String
                                      length                   : 0x001a (26)
                                      size                     : 0x001a (26)
                                      string                   : *
                                          string                   : 'group2-dtest'
                                  sid_index                : 0x00000000 (0)
              result                   : NT_STATUS_OK

But for the 1-way/non-transitive/outgoing trust, struct lsa_TransNameArray is not filled by winbind.
Comment 4 Amit Kumar 2019-02-05 07:37:22 UTC
Cannot find much in logs.

*********1 way trust************
{Forest Root}   outgoing/external/Non-Transitive {Forest Root}
atest.com     ------1way  trust---------------->     dtest.com

1. trusted domain goes offline.
2. trustdom_list_done() finds SID of trusted domain different wrt 2-way trust
======log.winbind========
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\2\2\4
  ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'
../source3/winbindd/winbindd_util.c:304(add_trusted_domain)  add_trusted_domain: Added domain [DTEST] [dtest.com] [S-1-5-21-4006949566-962402297-1653548521]
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\2\2\4
  ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)  trustdom_list_done: parsing response line 'ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0

../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)  getpwnam amitk3-dtest@dtest.com

./source3/winbindd/winbindd_getgroups.c:62(winbindd_getgroups_send)  getgroups DTEST\amitk3-dtest

../source3/lib/messages.c:400(messaging_recv_cb)  messaging_recv_cb: Received message 0x40c len 6 (num_fds:0) from 9551
../source3/winbindd/winbindd_cm.c:368(winbind_msg_domain_offline)  Domain DTEST is marked as offline now.

../source3/winbindd/winbindd.c:825(winbind_client_response_written) winbind_client_response_written[9575:GETGROUPS]: delivered response to client
../source3/winbindd/winbindd.c:930(winbind_client_request_read)  closing socket 31, client exited
../source4/lib/messaging/messaging.c:527(imessaging_dgm_recv)  imessaging_dgm_recv: dst 9530 matches my id: 9530, type=0x40c
../source3/lib/messages.c:400(messaging_recv_cb)  messaging_recv_cb: Received message 0x40c len 6 (num_fds:0) from 9551
../source3/winbindd/winbindd_cm.c:368(winbind_msg_domain_offline)  Domain DTEST is marked as offline now.
../source3/winbindd/winbindd.c:695(process_request)  process_request: Handling async request 9548:PAM_AUTH_CRAP
../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)  [ 9548]: pam auth crap domain: [] user: guest
=========================
********************************


*********2 way trust************
{Forest Root}      Transitive                       {Forest Root}
atest.com     ------2way  trust---------------->     dtest.com

=======log.winbind=======
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\34\2\8
  ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'
../source3/winbindd/winbindd_util.c:304(add_trusted_domain)  add_trusted_domain: Added domain [DTEST] [dtest.com] [S-1-5-21-4006949566-962402297-1653548521]
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\34\2\8
  ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)  trustdom_list_done: parsing response line 'ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'

../source3/winbindd/winbindd_util.c:739(rescan_forest_trusts)  Following trust path for domain DTEST (dtest.com)		//Not called for 1-way trust

../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)  getpwnam amitk3-dtest@dtest.com

[2019/02/04 01:37:46.944090, 10, pid=9358, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:307(check_domain_online_handler)  check_domain_online_handler: called for domain ATEST (online = True)		//Not called in 1 way trust

./source3/winbindd/winbindd_getgroups.c:62(winbindd_getgroups_send)  getgroups DTEST\amitk3-dtest
..
../source3/winbindd/winbindd.c:825(winbind_client_response_written)  winbind_client_response_written[9378:GETGROUPS]:
../source3/winbindd/winbindd.c:930(winbind_client_request_read)  closing socket 31, client exited
../librpc/ndr/ndr.c:471(ndr_print_function_debug)       wbint_LookupUserGroups: struct wbint_LookupUserGroups
          out: struct wbint_LookupUserGroups
              sids                     : *
                  sids: struct wbint_SidArray
                      num_sids                 : 0x00000003 (3)
                      sids: ARRAY(3)
                          sids                     : S-1-5-21-4006949566-962402297-1653548521-513
                          sids                     : S-1-5-21-4006949566-962402297-1653548521-1109
                          sids                     : S-1-5-21-4006949566-962402297-1653548521-1110
=========================
********************************
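The difference between the two trustdom_list_done lines quoted above is in the three numeric fields after the SID. As an added example (not Samba code, not from any commenter), the following decoder parses that response format and names the bits. It assumes the line layout that trustdom_list_done() in source3/winbindd/winbindd_util.c consumes, NETBIOS\dns_name\SID\trust_flags\trust_type\trust_attribs with decimal numbers, and uses the NETR_TRUST_FLAG_* and LSA_TRUST_ATTRIBUTE_* values from Samba's IDL (librpc/idl/netlogon.idl and lsa.idl); both are assumptions, to be checked against the installed source. The sample input is constructed from the log lines in this comment.

```python
"""Decode the trusted-domain list lines winbindd logs in trustdom_list_done().

Added example, not Samba code. Assumed line format (as parsed by
source3/winbindd/winbindd_util.c:trustdom_list_done):
    NETBIOS\\dns_name\\SID\\trust_flags\\trust_type\\trust_attribs
one domain per line, numbers in decimal.
"""
from dataclasses import dataclass

# NETR_TRUST_FLAG_* (assumed from librpc/idl/netlogon.idl)
NETR_TRUST_FLAG_IN_FOREST = 0x01
NETR_TRUST_FLAG_OUTBOUND = 0x02
NETR_TRUST_FLAG_TREEROOT = 0x04
NETR_TRUST_FLAG_PRIMARY = 0x08
NETR_TRUST_FLAG_NATIVE = 0x10
NETR_TRUST_FLAG_INBOUND = 0x20
NETR_TRUST_FLAG_MIT_KRB5 = 0x40
NETR_TRUST_FLAG_AES = 0x80

# LSA_TRUST_ATTRIBUTE_* (assumed from librpc/idl/lsa.idl)
LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x01
LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x02
LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04
LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08
LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10
LSA_TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20
LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x40

TRUST_TYPES = {1: "downlevel", 2: "uplevel", 3: "mit", 4: "dce"}


@dataclass
class TrustedDomain:
    name: str
    dns_name: str
    sid: str
    flags: int
    trust_type: int
    attribs: int

    def direction(self) -> str:
        """Direction from the joined domain's point of view."""
        if self.flags & NETR_TRUST_FLAG_PRIMARY:
            return "primary"
        out = bool(self.flags & NETR_TRUST_FLAG_OUTBOUND)
        inb = bool(self.flags & NETR_TRUST_FLAG_INBOUND)
        if out and inb:
            return "two-way"
        if out:
            return "outbound-only"   # we trust them; they do not trust us
        if inb:
            return "inbound-only"
        return "none"

    def kind(self) -> str:
        """Transitivity class derived from flags and trust attributes."""
        if self.flags & NETR_TRUST_FLAG_IN_FOREST:
            return "in-forest"
        if self.attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
            return "forest (transitive)"
        if self.attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            return "external (non-transitive)"
        return "other"


def parse_trustdom_list(response: str) -> list:
    """Parse the raw multi-line response quoted in log.winbind."""
    domains = []
    for line in response.splitlines():
        line = line.strip().strip("'")
        if not line:
            continue
        parts = line.split("\\")
        if len(parts) != 6:
            raise ValueError(f"unexpected trustdom line: {line!r}")
        name, dns_name, sid, flags, ttype, attribs = parts
        domains.append(TrustedDomain(name, dns_name, sid,
                                     int(flags), int(ttype), int(attribs)))
    return domains


def summarize(response: str) -> dict:
    """Map NETBIOS name -> one-line human description."""
    out = {}
    for d in parse_trustdom_list(response):
        out[d.name] = (f"{d.dns_name} {d.direction()}, {d.kind()}, "
                       f"type={TRUST_TYPES.get(d.trust_type, d.trust_type)}")
    return out


# Constructed from the two trustdom_list_done lines in this comment.
ONE_WAY_RESPONSE = (
    "DTEST\\dtest.com\\S-1-5-21-4006949566-962402297-1653548521\\2\\2\\4\n"
    "ATEST\\atest.com\\S-1-5-21-219570999-4236135608-484490645\\29\\2\\0\n"
)
TWO_WAY_RESPONSE = (
    "DTEST\\dtest.com\\S-1-5-21-4006949566-962402297-1653548521\\34\\2\\8\n"
    "ATEST\\atest.com\\S-1-5-21-219570999-4236135608-484490645\\29\\2\\0\n"
)

if __name__ == "__main__":
    for label, resp in (("1-way", ONE_WAY_RESPONSE), ("2-way", TWO_WAY_RESPONSE)):
        print(label)
        for name, desc in summarize(resp).items():
            print(f"  {name}: {desc}")
```

Read against the two logs: in the 1-way case DTEST carries flags 2 (OUTBOUND only) and attribute 4 (QUARANTINED_DOMAIN, i.e. an external, non-transitive trust), whereas the 2-way case carries flags 34 (OUTBOUND|INBOUND) and attribute 8 (FOREST_TRANSITIVE). ATEST's own entry (flags 29 = IN_FOREST|TREEROOT|PRIMARY|NATIVE) is the same in both. An outbound-only flag means the trusted side does not trust the joined domain, so a session set up with the joined domain's machine account against a dtest.com DC is not expected to succeed.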
Comment 5 Amit Kumar 2019-02-06 06:22:42 UTC
log.wb-ATEST

*********1 way trust************

-> SID lookup structure (struct lsa_TranslatedName2) is not filled for sid_type "SID_NAME_DOM_GRP"

 ../source3/winbindd/winbindd_dual.c:665(child_process_request)  child_process_request: request fn AUTH_CRAP
 ../source3/winbindd/winbindd_pam.c:2426(winbindd_dual_pam_auth_crap)  [ 9530]: pam auth crap domain:  user: guest
 ../librpc/ndr/ndr.c:471(ndr_print_function_debug)       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx

 ../source3/librpc/rpc/dcerpc_helpers.c:427(dcerpc_check_auth)  Requested Privacy.
../librpc/rpc/dcerpc_util.c:271(dcerpc_pull_auth_trailer)  dcerpc_pull_auth_trailer: auth_pad_length 0
 ../source3/librpc/rpc/dcerpc_helpers.c:491(dcerpc_check_auth)  GENSEC auth
 ../source3/rpc_client/cli_pipe.c:525(cli_pipe_validate_current_pdu)  Got pdu len 248, data_len 160
 ../source3/rpc_client/cli_pipe.c:978(rpc_api_pipe_got_pdu)  rpc_api_pipe: got frag len of 248 at offset 0: NT_STATUS_OK
../source3/rpc_client/cli_pipe.c:1078(rpc_api_pipe_got_pdu)  rpc_api_pipe: host <> returned 160 bytes.
 ../librpc/ndr/ndr.c:471(ndr_print_function_debug)       lsa_LookupSids3: struct lsa_LookupSids3
          out: struct lsa_LookupSids3
              domains                  : *
                  domains                  : *
                      domains: struct lsa_RefDomainList
                          count                    : 0x00000001 (1)
                          domains                  : *
                              domains: ARRAY(1)
                                  domains: struct lsa_DomainInfo
                                      name: struct lsa_StringLarge
                                          length                   : 0x000a (10)
                                          size                     : 0x000c (12)
                                          string                   : *
                                              string                   : 'DTEST'
                                      sid                      : *
                                          sid                      : S-1-5-21-4006949566-962402297-1653548521
                          max_size                 : 0x00000020 (32)
              names                    : *
                  names: struct lsa_TransNameArray2
                      count                    : 0x00000001 (1)
                      names                    : *
                          names: ARRAY(1)         <<<<<<<<<<<<<<
                              names: struct lsa_TranslatedName2
                                  sid_type                 : SID_NAME_USER (1)
                                  name: struct lsa_String
                                      length                   : 0x0018 (24)
                                      size                     : 0x0018 (24)
                                      string                   : *
                                          string                   : 'amitk3-dtest'
                                  sid_index                : 0x00000000 (0)
                                  unknown                  : 0x00000000 (0)
              count                    : *
                  count                    : 0x00000001 (1)
              result                   : NT_STATUS_OK
********************************

*********2 way trust************
 ../source3/winbindd/winbindd_dual.c:665(child_process_request)  child_process_request: request fn NDRCMD
 ../source3/winbindd/winbindd_dual_ndr.c:362(winbindd_dual_ndrcmd)  winbindd_dual_ndrcmd: Running command WBINT_LOOKUPSIDS (ATEST)

 ../source3/librpc/rpc/dcerpc_helpers.c:427(dcerpc_check_auth)  Requested Privacy.
../librpc/rpc/dcerpc_util.c:271(dcerpc_pull_auth_trailer)  dcerpc_pull_auth_trailer: auth_pad_length 4
../source3/librpc/rpc/dcerpc_helpers.c:491(dcerpc_check_auth)  GENSEC auth
../source3/rpc_client/cli_pipe.c:525(cli_pipe_validate_current_pdu)  Got pdu len 312, data_len 220
../source3/rpc_client/cli_pipe.c:978(rpc_api_pipe_got_pdu)  rpc_api_pipe: got frag len of 312 at offset 0: NT_STATUS_OK
../source3/rpc_client/cli_pipe.c:1078(rpc_api_pipe_got_pdu)  rpc_api_pipe: host <> returned 220 bytes.
../librpc/ndr/ndr.c:471(ndr_print_function_debug)       lsa_LookupSids3: struct lsa_LookupSids3
          out: struct lsa_LookupSids3
              domains                  : *
                  domains                  : *
                      domains: struct lsa_RefDomainList
                          count                    : 0x00000001 (1)
                          domains                  : *
                              domains: ARRAY(1)
                                  domains: struct lsa_DomainInfo
                                      name: struct lsa_StringLarge
                                          length                   : 0x000a (10)
                                          size                     : 0x000c (12)
                                          string                   : *
                                              string                   : 'DTEST'
                                      sid                      : *
                                          sid                      : S-1-5-21-4006949566-962402297-1653548521
                          max_size                 : 0x00000001 (1)
              names                    : *
                  names: struct lsa_TransNameArray2
                      count                    : 0x00000002 (2)
                      names                    : *
                          names: ARRAY(2)        <<<<<<<<<<<<
                              names: struct lsa_TranslatedName2
                                  sid_type                 : SID_NAME_DOM_GRP (2)
                                  name: struct lsa_String
                                      length                   : 0x0018 (24)
                                      size                     : 0x0018 (24)
                                      string                   : *
                                          string                   : 'group1-dtest'
                                  sid_index                : 0x00000000 (0)
                                  unknown                  : 0x00000002 (2)
                              names: struct lsa_TranslatedName2
                                  sid_type                 : SID_NAME_DOM_GRP (2)
                                  name: struct lsa_String
                                      length                   : 0x001a (26)
                                      size                     : 0x001a (26)
                                      string                   : *
                                          string                   : 'group2-dteset'
                                  sid_index                : 0x00000000 (0)
                                  unknown                  : 0x00000002 (2)
              count                    : *
                  count                    : 0x00000002 (2)
              result                   : NT_STATUS_OK
********************************
Comment 6 Amit Kumar 2019-02-07 06:26:51 UTC
Looks like in a 1-way trust winbind cannot authenticate using the COMP-OBJECT of the joined domain.

RHEL   ATEST     --1way-outgoing-->  DTEST

authenticated session setup to <>.dtest.com using ATEST\COMP-OBJECT$ failed with NT_STATUS_LOGON_FAILURE
Failed to prepare SMB connection to <>.dtest.com: NT_STATUS_CONNECTION_RESET
connection_ok: Connection to (null) for domain ATEST is not connected