Bug 13723 - NT4 DC tries to use the local machine account to contact trusted domains
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.9.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 13722
Blocks:
Reported: 2018-12-19 08:57 UTC by Stefan Metzmacher
Modified: 2018-12-19 08:58 UTC

Description Stefan Metzmacher 2018-12-19 08:57:10 UTC
When winbindd (as NT4 PDC/BDC) tries to connect to trusted domains via
SMB, it's not possible to use the trust account for SMB connections.
So we try to use the local machine account. But NT4 PDC/BDC
are not self joined, so we don't have a local machine account.
Winbindd falls back to anonymous credentials, but then fails
internally because we require signing, which is not possible
with anonymous credentials.

I think the fix should be using only anonymous SMB connections
and require schannel authentication, which means SAMR is not
possible anymore.