We have a primary domain ZADARA2, and trusted domain CHILD in the ignore list: [global] allow trusted domains = true guest ok = No security = ADS realm = zadara2.lab workgroup = ZADARA2 idmap config zadara2 : backend = rid idmap config zadara2 : range = 5000000-15000000 idmap config * : backend = tdb idmap config * : range = 1000001-2000000 winbind offline logon = yes winbind scan trusted domains = Yes winbind use default domain = No winbind:ignore domains = CHILD TREE ZADARA3 As expected wbinfo -m returns only primary domain: # wbinfo -m BUILTIN VSA-00000004 ZADARA2 However user dimachild@CHILD now may successfully login: C:\Users\dimachild>net use \\10.2.4.28\smb1 The command completed successfully. Back in samba 4.5 it worked fine, i.e. login failed. I guess this was broken in samba 4.8 where "The dependency to global list of trusted domains within the winbindd processes has been reduced a lot.". If this is now "by design", probably need at least fix documentation that says "Allows one to enter a list of trusted domains winbind should ignore (untrust)."
Created attachment 16400 [details] Patch for 4.13 and 4.14 cherry-picked from master
Created attachment 16401 [details] Patch for 4.12 backported from master The first patch that modifies selftest infrastructure didn't apply due to heavy changes in selftest provision between 4.12 and 4.13. I opted to simply remove the tests from the patches to avoid backporting the DNS domainname changes.
Re-assigning to Karolin for inclusion in 4.14.next, 4.13.next, 4.12.next.
(In reply to Jeremy Allison from comment #3) Pushed to autobuild-v4-{14,13,12}-test.
This bug was referenced in samba master: e1fc84138ca118c4187d87b7be4a7e6dd771dc4f 81edc65e79aba121db800ec53aadd766e61a0001 0c4497f8c66d0ea7c68d42c19e859932ebc3e2ac 072ef48001710ed8326c83295f2d3cc301d27cfe 32197d21dabecaee9bc1d6cd557578892220fe4c 894caca79476d25a0268d89b2ad8a5758b7e31f3 4cefdf03fec91cdcf700922b1a5ceca02407e259 c17bc9c6115e4e92132f3cb912547eac78227938 4bc17600bc50fbc0e54d9d019d8db67001fc3eef 88e92faace7ec17810903166fa3433aa4842a4e3 da474ddd13d84f07f5da81c843e651844f33a003 df5fe2d835169161d3930acf1e9c750dd2bc64b6
This bug was referenced in samba v4-12-test: aaa8dac1550519161a5e8a83ef77a185e0487531 32c2b3cf6106755099b9cec3eecc611a8bf8214e 6b9669863b81075b494f03bb146b7fea3df4e7de f3c47cdc1d3fe5a03879bec7f2892a393e3b0211 56d9705ca7618856e735447c4a54b256fdbbf5b5 2a73dfcf27a7407f932112fd978fc84d47d29682 cf410814e252886b8bce28289654a237616d8a52 3505998d0a76011f21b8238e1beb9369f709c11d 7362b5b31cd75ab1f8cdd84fb0a800376d097e2c 8c846741a4514fc01513ddd3f83afc61f186806a
This bug was referenced in samba v4-14-test: 835fd283fec6965ce17f7d2c538312be474903c6 9e797518fb53e66e52209b27dab0851f8c9b002b 4df20674da1942425cb64fac25bf876b2778d164 115c987aa58a2cdd5430dc0809c1a8ee94e3261e bee8a1cb9e9ff6ace3894aef26a37370fae240a1 4f69adab43c8f8844a5060e040dcf6e5f79c8d8b 56076c98dbbef59aba182ab2c57aeca989cc68b3 ccc4efd52112c8a0c26748faab178ac7c26fda9d 647d1ca5e79786053c250e1e2c84f0e36a8242a5 9b717968bd75d04800cbd39d680962d6ddf9c01f 77f07ddb8ee1e5134bc873262165bf693dd01aaf 5041731ca022c1f4edd11d8abd0642072e3088f9
This bug was referenced in samba v4-13-test: 7003d050b0c27498b791113a54b6241c174b7641 19f39e67942968c5a2c0e99179c938b99ba2250e 3b5fa17d9bd1b256dcb563f0b066938a95b7eccf 27dc8f4e90b4222b88cabf0fe7b85b82a04f3504 2e2e854f04e26f02ccb1ab3d63d71457fec3d659 86a96954c1f4efb9ad546afd276701180970b0e1 c983012811ee5e77cdb5a8deabd27278e867ec42 7878dec1da0c314a20b7d1ff98bd1576a861f0c4 888e1d67229bee948c7ef17bdbde517db211e8a6 f0225b0adcbd54bd81684ba7799a4a12c41dc1e7 b236cbcf9d2db5f7f18989a1efa1f5644dc68a04 2c0987d65646aa41d0bc81f9e1c06f2ad9b5b485
Closing out bug report. Thanks!
This bug was referenced in samba v4-14-stable (Release samba-4.14.0rc2): 835fd283fec6965ce17f7d2c538312be474903c6 9e797518fb53e66e52209b27dab0851f8c9b002b 4df20674da1942425cb64fac25bf876b2778d164 115c987aa58a2cdd5430dc0809c1a8ee94e3261e bee8a1cb9e9ff6ace3894aef26a37370fae240a1 4f69adab43c8f8844a5060e040dcf6e5f79c8d8b 56076c98dbbef59aba182ab2c57aeca989cc68b3 ccc4efd52112c8a0c26748faab178ac7c26fda9d 647d1ca5e79786053c250e1e2c84f0e36a8242a5 9b717968bd75d04800cbd39d680962d6ddf9c01f 77f07ddb8ee1e5134bc873262165bf693dd01aaf 5041731ca022c1f4edd11d8abd0642072e3088f9
This bug was referenced in samba v4-13-stable (Release samba-4.13.5): 7003d050b0c27498b791113a54b6241c174b7641 19f39e67942968c5a2c0e99179c938b99ba2250e 3b5fa17d9bd1b256dcb563f0b066938a95b7eccf 27dc8f4e90b4222b88cabf0fe7b85b82a04f3504 2e2e854f04e26f02ccb1ab3d63d71457fec3d659 86a96954c1f4efb9ad546afd276701180970b0e1 c983012811ee5e77cdb5a8deabd27278e867ec42 7878dec1da0c314a20b7d1ff98bd1576a861f0c4 888e1d67229bee948c7ef17bdbde517db211e8a6 f0225b0adcbd54bd81684ba7799a4a12c41dc1e7 b236cbcf9d2db5f7f18989a1efa1f5644dc68a04 2c0987d65646aa41d0bc81f9e1c06f2ad9b5b485
This bug was referenced in samba v4-12-stable (Release samba-4.12.12): aaa8dac1550519161a5e8a83ef77a185e0487531 32c2b3cf6106755099b9cec3eecc611a8bf8214e 6b9669863b81075b494f03bb146b7fea3df4e7de f3c47cdc1d3fe5a03879bec7f2892a393e3b0211 56d9705ca7618856e735447c4a54b256fdbbf5b5 2a73dfcf27a7407f932112fd978fc84d47d29682 cf410814e252886b8bce28289654a237616d8a52 3505998d0a76011f21b8238e1beb9369f709c11d 7362b5b31cd75ab1f8cdd84fb0a800376d097e2c 8c846741a4514fc01513ddd3f83afc61f186806a