Bug 13723 - NT4 DC tries to use the local machine account to contact trusted domains
NT4 DC tries to use the local machine account to contact trusted domains
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.9.0
All All
: P5 normal
: ---
Assigned To: Stefan Metzmacher
Samba QA Contact
:
Depends on: 13722
Blocks:
  Show dependency treegraph
 
Reported: 2018-12-19 08:57 UTC by Stefan Metzmacher
Modified: 2018-12-19 08:58 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2018-12-19 08:57:10 UTC
When winbindd (as NT4 PDC/BDC) tries to connect trusted domains via
SMB, but it's not possible to use the trust account for SMB connections.
So we try to use the local machine account. But NT4 PDC/BDC
are not self joined, so we don't have a local machine account.
Winbindd falls back to anonymous credentials, but then fails
internally because we require signing, which is not possible
with anonymous credentials.

I think the fix should be using only anonymous SMB connections
and require schannel authentication, which means SAMR is not
possible anymore.