sshd+gssapi+winbind authentication succeeds, but group membership is not retrieved.

AD setup is the MS ESAE AD design (one admin forest, one production forest, one-way trust from the production forest to the admin forest, selective authentication, etc.). Production forest and admin forest are using the rid backend and template shell and homedir (this setup enables the one-way forest trust to work without having to connect/bind to it). Groups follow the ESAE model (admin global group included in a production local group).

When doing ssh+SSPI from PuTTY on an admin domain workstation to sshd on a resource server, authentication succeeds but group membership is limited to the "domain users" (513) group and the auto private group (gid=uid). If I fill the winbind cache with an ssh password interactive login, the next ssh with GSS/SSPI will almost correctly show group membership (picked from cache).

After investigating, I think there is no glue between ssh<->PAM(account/session)<->pam_winbind<->winbindd to make winbind parse the PAC from the ticket (TGS) received by sshd and validate/update the cache to reflect user group membership. If I allow the computer to delegate Kerberos tickets, ssh will store a full TGT in the ccache of the user from the trusted forest KDC, but winbind will not return group membership either (even if the user env has a valid TGT that enables directly contacting the trusted admin forest).
Without verbose log files from the client and/or server side there is not a lot anyone can say here, I'm afraid. I think you need to dig deeper on your own here first. But as you also write "if I fill the winbind cache with an ssh password interactive login, the next ssh with GSS/SSPI will almost correctly show group membership (picked from cache)", it seems to basically work.
Yes, I am able to reproduce the issue.

Forest Trust: 1-Way/Non-Transitive/Outgoing/External

    # id amitk3-dtest@dtest.com
    uid=16777224(DTEST\amitk3-dtest) gid=16777282(DTEST\domain users) groups=16777282(DTEST\domain users)
    //group1-dtest, group2-dtest are missing.

Forest Trust: 2-way/Transitive/Incoming/Outgoing

    # id amitk3-dtest@dtest.com
    uid=16777224(DTEST\amitk3-dtest) gid=16777282(DTEST\domain users) groups=16777282(DTEST\domain users),16777283(DTEST\group1-dtest),16777284(DTEST\group2-dtest)
For the 2-way/transitive trusted domain, struct lsa_TransNameArray is filled:

    names                    : *
        names: struct lsa_TransNameArray
            count            : 0x00000002 (2)
            names            : *
                names: ARRAY(2)
                    names: struct lsa_TranslatedName
                        sid_type : SID_NAME_DOM_GRP (2)
                        name: struct lsa_String
                            length   : 0x0018 (24)
                            size     : 0x0018 (24)
                            string   : *
                                string   : 'group1-dtest'
                        sid_index: 0x00000000 (0)
                    names: struct lsa_TranslatedName
                        sid_type : SID_NAME_DOM_GRP (2)
                        name: struct lsa_String
                            length   : 0x001a (26)
                            size     : 0x001a (26)
                            string   : *
                                string   : 'group2-dtest'
                        sid_index: 0x00000000 (0)
    result                   : NT_STATUS_OK

But for the 1-way/non-transitive/outgoing trust, struct lsa_TransNameArray is not filled by winbind.
Cannot find much in logs.

*********1 way trust************

{Forest Root}                                      {Forest Root}
atest.com ------1way trust----------------> dtest.com
          outgoing/external/Non-Transitive

1. trusted domain goes offline.
2. trustdom_list_done() finds SID of trusted domain different wrt 2-way trust

======log.winbind========
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)
  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\2\2\4 ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'
../source3/winbindd/winbindd_util.c:304(add_trusted_domain)
  add_trusted_domain: Added domain [DTEST] [dtest.com] [S-1-5-21-4006949566-962402297-1653548521]
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)
  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\2\2\4 ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)
  trustdom_list_done: parsing response line 'ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0
../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)
  getpwnam amitk3-dtest@dtest.com
./source3/winbindd/winbindd_getgroups.c:62(winbindd_getgroups_send)
  getgroups DTEST\amitk3-dtest
../source3/lib/messages.c:400(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40c len 6 (num_fds:0) from 9551
../source3/winbindd/winbindd_cm.c:368(winbind_msg_domain_offline)
  Domain DTEST is marked as offline now.
../source3/winbindd/winbindd.c:825(winbind_client_response_written)
  winbind_client_response_written[9575:GETGROUPS]: delivered response to client
../source3/winbindd/winbindd.c:930(winbind_client_request_read)
  closing socket 31, client exited
../source4/lib/messaging/messaging.c:527(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 9530 matches my id: 9530, type=0x40c
../source3/lib/messages.c:400(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40c len 6 (num_fds:0) from 9551
../source3/winbindd/winbindd_cm.c:368(winbind_msg_domain_offline)
  Domain DTEST is marked as offline now.
../source3/winbindd/winbindd.c:695(process_request)
  process_request: Handling async request 9548:PAM_AUTH_CRAP
../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
  [ 9548]: pam auth crap domain: [] user: guest
=========================
********************************

*********2 way trust************

{Forest Root}                                      {Forest Root}
atest.com ------2way trust----------------> dtest.com
                Transitive

=======log.winbind=======
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)
  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\34\2\8 ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'
../source3/winbindd/winbindd_util.c:304(add_trusted_domain)
  add_trusted_domain: Added domain [DTEST] [dtest.com] [S-1-5-21-4006949566-962402297-1653548521]
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)
  trustdom_list_done: parsing response line 'DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\34\2\8 ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'
../source3/winbindd/winbindd_util.c:472(trustdom_list_done)
  trustdom_list_done: parsing response line 'ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0'
../source3/winbindd/winbindd_util.c:739(rescan_forest_trusts)
  Following trust path for domain DTEST (dtest.com)                 //Not called for 1-way trust
../source3/winbindd/winbindd_getpwnam.c:58(winbindd_getpwnam_send)
  getpwnam amitk3-dtest@dtest.com
[2019/02/04 01:37:46.944090, 10, pid=9358, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:307(check_domain_online_handler)
  check_domain_online_handler: called for domain ATEST (online = True)   //Not called in 1 way trust
./source3/winbindd/winbindd_getgroups.c:62(winbindd_getgroups_send)
  getgroups DTEST\amitk3-dtest
..
../source3/winbindd/winbindd.c:825(winbind_client_response_written)
  winbind_client_response_written[9378:GETGROUPS]:
../source3/winbindd/winbindd.c:930(winbind_client_request_read)
  closing socket 31, client exited
../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupUserGroups: struct wbint_LookupUserGroups
      out: struct wbint_LookupUserGroups
          sids                     : *
              sids: struct wbint_SidArray
                  num_sids         : 0x00000003 (3)
                  sids: ARRAY(3)
                      sids         : S-1-5-21-4006949566-962402297-1653548521-513
                      sids         : S-1-5-21-4006949566-962402297-1653548521-1109
                      sids         : S-1-5-21-4006949566-962402297-1653548521-1110
=========================
********************************
log.wb-ATEST

*********1 way trust************
-> sid lookup structure (struct lsa_TranslatedName2) is not filled for sid_type "SID_NAME_DOM_GRP"

../source3/winbindd/winbindd_dual.c:665(child_process_request)
  child_process_request: request fn AUTH_CRAP
../source3/winbindd/winbindd_pam.c:2426(winbindd_dual_pam_auth_crap)
  [ 9530]: pam auth crap domain: user: guest
../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
../source3/librpc/rpc/dcerpc_helpers.c:427(dcerpc_check_auth)
  Requested Privacy.
../librpc/rpc/dcerpc_util.c:271(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 0
../source3/librpc/rpc/dcerpc_helpers.c:491(dcerpc_check_auth)
  GENSEC auth
../source3/rpc_client/cli_pipe.c:525(cli_pipe_validate_current_pdu)
  Got pdu len 248, data_len 160
../source3/rpc_client/cli_pipe.c:978(rpc_api_pipe_got_pdu)
  rpc_api_pipe: got frag len of 248 at offset 0: NT_STATUS_OK
../source3/rpc_client/cli_pipe.c:1078(rpc_api_pipe_got_pdu)
  rpc_api_pipe: host <> returned 160 bytes.
../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  lsa_LookupSids3: struct lsa_LookupSids3
      out: struct lsa_LookupSids3
          domains                  : *
              domains              : *
                  domains: struct lsa_RefDomainList
                      count        : 0x00000001 (1)
                      domains      : *
                          domains: ARRAY(1)
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length   : 0x000a (10)
                                      size     : 0x000c (12)
                                      string   : *
                                          string   : 'DTEST'
                                  sid          : *
                                      sid      : S-1-5-21-4006949566-962402297-1653548521
                      max_size     : 0x00000020 (32)
          names                    : *
              names: struct lsa_TransNameArray2
                  count            : 0x00000001 (1)
                  names            : *
                      names: ARRAY(1)                                  <<<<<<<<<<<<<<
                          names: struct lsa_TranslatedName2
                              sid_type : SID_NAME_USER (1)
                              name: struct lsa_String
                                  length   : 0x0018 (24)
                                  size     : 0x0018 (24)
                                  string   : *
                                      string   : 'amitk3-dtest'
                              sid_index: 0x00000000 (0)
                              unknown  : 0x00000000 (0)
          count                    : *
              count                : 0x00000001 (1)
          result                   : NT_STATUS_OK
********************************

*********2 way trust************
../source3/winbindd/winbindd_dual.c:665(child_process_request)
  child_process_request: request fn NDRCMD
../source3/winbindd/winbindd_dual_ndr.c:362(winbindd_dual_ndrcmd)
  winbindd_dual_ndrcmd: Running command WBINT_LOOKUPSIDS (ATEST)
../source3/librpc/rpc/dcerpc_helpers.c:427(dcerpc_check_auth)
  Requested Privacy.
../librpc/rpc/dcerpc_util.c:271(dcerpc_pull_auth_trailer)
  dcerpc_pull_auth_trailer: auth_pad_length 4
../source3/librpc/rpc/dcerpc_helpers.c:491(dcerpc_check_auth)
  GENSEC auth
../source3/rpc_client/cli_pipe.c:525(cli_pipe_validate_current_pdu)
  Got pdu len 312, data_len 220
../source3/rpc_client/cli_pipe.c:978(rpc_api_pipe_got_pdu)
  rpc_api_pipe: got frag len of 312 at offset 0: NT_STATUS_OK
../source3/rpc_client/cli_pipe.c:1078(rpc_api_pipe_got_pdu)
  rpc_api_pipe: host <> returned 220 bytes.
../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  lsa_LookupSids3: struct lsa_LookupSids3
      out: struct lsa_LookupSids3
          domains                  : *
              domains              : *
                  domains: struct lsa_RefDomainList
                      count        : 0x00000001 (1)
                      domains      : *
                          domains: ARRAY(1)
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length   : 0x000a (10)
                                      size     : 0x000c (12)
                                      string   : *
                                          string   : 'DTEST'
                                  sid          : *
                                      sid      : S-1-5-21-4006949566-962402297-1653548521
                      max_size     : 0x00000001 (1)
          names                    : *
              names: struct lsa_TransNameArray2
                  count            : 0x00000002 (2)
                  names            : *
                      names: ARRAY(2)                                  <<<<<<<<<<<<
                          names: struct lsa_TranslatedName2
                              sid_type : SID_NAME_DOM_GRP (2)
                              name: struct lsa_String
                                  length   : 0x0018 (24)
                                  size     : 0x0018 (24)
                                  string   : *
                                      string   : 'group1-dtest'
                              sid_index: 0x00000000 (0)
                              unknown  : 0x00000002 (2)
                          names: struct lsa_TranslatedName2
                              sid_type : SID_NAME_DOM_GRP (2)
                              name: struct lsa_String
                                  length   : 0x001a (26)
                                  size     : 0x001a (26)
                                  string   : *
                                      string   : 'group2-dteset'
                              sid_index: 0x00000000 (0)
                              unknown  : 0x00000002 (2)
          count                    : *
              count                : 0x00000002 (2)
          result                   : NT_STATUS_OK
********************************
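The two trustdom_list_done response lines in the log.winbind excerpts above carry the same DTEST SID in both setups; what differs is the last three fields of the DTEST record, \2\2\4 for the one-way trust versus \34\2\8 for the two-way trust. Those fields are winbindd's trust_flags, trust_type and trust_attributes printed in decimal. What follows is an added example written for this thread (editor's code, not Samba's) that decodes such records. The record layout comes from Samba's source3/winbindd/winbindd_misc.c and the bit values from librpc/idl/netlogon.idl (netr_TrustFlags) and librpc/idl/lsa.idl (lsa_TrustType, lsa_TrustAttributes); the two sample records are copied from the log lines in this thread; expect_machine_account_logon() is the editor's own reading of what the direction bits imply for winbind's lookups, not a Samba API.

```python
"""Decode winbindd LIST_TRUSTDOM records as logged by trustdom_list_done.

Added example for this bug thread; not Samba code. Record layout
(netbios\\dns\\sid\\flags\\type\\attributes, all numbers decimal) follows
source3/winbindd/winbindd_misc.c; bit values follow netlogon.idl and lsa.idl.
"""
import re
from dataclasses import dataclass
from typing import List

NETR_TRUST_FLAGS = {          # netr_TrustFlags, relative to the joined domain
    0x0001: "IN_FOREST",
    0x0002: "OUTBOUND",       # we trust them (their users reach our resources)
    0x0004: "TREEROOT",
    0x0008: "PRIMARY",
    0x0010: "NATIVE",
    0x0020: "INBOUND",        # they trust us
    0x0080: "MIT_KRB5",
    0x0100: "AES",
}
LSA_TRUST_TYPES = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
LSA_TRUST_ATTRIBUTES = {      # lsa_TrustAttributes
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",   # external trust with SID filtering
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
}

# Records are newline-separated on the winbindd pipe; pasted logs run them
# together with spaces and wrap them in quotes, so both are tolerated.
_RECORD = re.compile(
    r"([^\\\s']+)\\([^\\\s]+)\\(S-1-5-21-\d+-\d+-\d+)\\(\d+)\\(\d+)\\(\d+)"
)

# Sample records copied from the log excerpts in this thread.
ONE_WAY_LOG = (
    r"DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\2\2\4 "
    r"ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0"
)
TWO_WAY_LOG = (
    r"DTEST\dtest.com\S-1-5-21-4006949566-962402297-1653548521\34\2\8 "
    r"ATEST\atest.com\S-1-5-21-219570999-4236135608-484490645\29\2\0"
)


@dataclass
class TrustEntry:
    netbios: str
    dns: str
    sid: str
    flags: int
    trust_type: int
    attributes: int

    def flag_names(self) -> List[str]:
        return [n for b, n in NETR_TRUST_FLAGS.items() if self.flags & b]

    def attribute_names(self) -> List[str]:
        return [n for b, n in LSA_TRUST_ATTRIBUTES.items() if self.attributes & b]

    def direction(self) -> str:
        """Trust direction as seen from the domain winbind is joined to."""
        if self.flags & 0x0008:
            return "primary"
        outbound, inbound = bool(self.flags & 0x0002), bool(self.flags & 0x0020)
        if outbound and inbound:
            return "two-way"
        if outbound:
            return "outbound-only"
        return "inbound-only" if inbound else "none"

    def kind(self) -> str:
        if self.attributes & 0x0008:
            return "forest"
        if self.attributes & 0x0020:
            return "within-forest"
        if self.attributes & 0x0004:
            return "external"
        return "other"


def parse_trustdom_list(text: str) -> List[TrustEntry]:
    """Parse every record in a LIST_TRUSTDOM response or a pasted log line."""
    return [TrustEntry(nb, dns, sid, int(fl), int(ty), int(at))
            for nb, dns, sid, fl, ty, at in _RECORD.findall(text)]


def expect_machine_account_logon(entry: TrustEntry) -> bool:
    """Editor's reading of the direction bits (assumption, not a Samba API):
    DCs of a domain only accept our machine account if that domain trusts
    us (INBOUND), or it is our PRIMARY domain / IN_FOREST. Outbound-only
    means LSA/SAMR lookups with our COMP$ will be refused there, so group
    membership can only come from what the logon itself returned."""
    return bool(entry.flags & (0x0020 | 0x0008 | 0x0001))


def describe(text: str) -> List[str]:
    """One human-readable summary line per record."""
    return [
        f"{e.netbios:6} {e.direction():14} {e.kind():13} "
        f"type={LSA_TRUST_TYPES.get(e.trust_type, e.trust_type)} "
        f"flags={'|'.join(e.flag_names()) or '0'} "
        f"attrs={'|'.join(e.attribute_names()) or '0'} "
        f"machine-logon={'yes' if expect_machine_account_logon(e) else 'no'}"
        for e in parse_trustdom_list(text)
    ]


if __name__ == "__main__":
    for label, log in (("1-way", ONE_WAY_LOG), ("2-way", TWO_WAY_LOG)):
        print(f"== {label} ==")
        print("\n".join(describe(log)))
```

Decoded, the one-way DTEST record is OUTBOUND only with attribute QUARANTINED_DOMAIN (an external trust with SID filtering), while the two-way record is OUTBOUND|INBOUND with FOREST_TRANSITIVE; ATEST itself is IN_FOREST|TREEROOT|PRIMARY|NATIVE in both. With no INBOUND bit, the DTEST DCs have no reason to accept ATEST's machine account, which is consistent with the NT_STATUS_LOGON_FAILURE for ATEST\COMP-OBJECT$ reported below; in that situation the only source for the user's DTEST group SIDs is the logon response (PAC / SamInfo3) rather than a later LSA LookupSids/LookupUserGroups done with machine credentials.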
Looks like in a 1-way trust winbind cannot authenticate using the COMP-OBJECT of the joined domain.

RHEL ATEST --1way-outgoing--> DTEST

    authenticated session setup to <>.dtest.com using ATEST\COMP-OBJECT$ failed with NT_STATUS_LOGON_FAILURE
    Failed to prepare SMB connection to <>.dtest.com: NT_STATUS_CONNECTION_RESET
    connection_ok: Connection to (null) for domain ATEST is not connected