Created attachment 17245 [details]
Diagram

We’ve encountered the following behavior which we believe is a bug in WINBIND.

We have a SERVERS AD forest and a USERS AD forest with one way trust between them.
When a user belonging to the USERS domain authenticates on a server belonging to the SERVER domain we see Kerberos NW traffic going to any of the 4 Domain Controllers of the USERS domain.
We have AD Sites and services setup for USER and SERVER domain and we expect traffic to reach only UserDomainDC01 and UserDomainDC02. Attached is a simplified diagram.
The arrows represent auth flow. The arrow in red is the unwanted behavior that we want to avoid.

 


Samba version: 4.13.17
Server: Ubuntu 20.04

Configs:

________________________________________
root@SERVER:~# cat /etc/samba/smb.conf
[global]
server role = member server
server string = %h server (Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable sserverpoolss = yes

security = ads
workgroup = SERVERDOMAIN
realm = SERVERDOMAIN.LOCAL
template shell = /bin/bash
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template homedir = /home/%U@%D
idmap config * : range = 30000-39999
idmap config * : backend = tdb
idmap config SERVERDOMAIN:backend = rid
idmap config SERVERDOMAIN:range = 20000-29999
idmap config USERDOMAIN:backend = rid
idmap config USERDOMAIN:range = 10000-19999
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = no
winbind enum groups = no
winbind enum users = no
allow trusted domains = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes



root@SERVER:~# cat /etc/krb5.conf
[libdefaults]
        default_realm = SERVERDOMAIN.LOCAL
        kdc_timesync = 1
        dns_lookup_kdc = false
        rdns = false
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
[realms]
        SERVERDOMAIN.LOCAL = {
                kdc = ServerDomainDCP01.Serverdomain.local
                kdc = ServerDomainDCP02.Serverdomain.local
                admin_server = ServerDomainDCP01.Serverdomain.local ServerDomainDCP02.Serverdomain.local
                default_domain = serverdomain.local
        }
        USERDOMAIN.LOCAL = {
                kdc = UserDomainDCP01.Userdomain.local
                kdc = UserDomainDCP02.Userdomain.local
                admin_server = UserDomainDCP01.Userdomain.local UserDomainDCP02.Userdomain.local
                default_domain = userdomain.local
        }
[domain_realm]
        .serverdomain.local = SERVERDOMAIN.LOCAL
        serverdomain.local = SERVERDOMAIN.LOCAL
        .userdomain.local = USERDOMAIN.LOCAL
        userdomain.local = USERDOMAIN.LOCAL
[login]
        krb4_convert = true
        krb4_get_tickets = false
[capaths]
        SERVERDOMAIN.LOCAL = {
                USERDOMAIN.LOCAL = .
       }
        USERDOMAIN.LOCAL = {
                SERVERDOMAIN.LOCAL = .
        }



root@SERVER:~# cat /etc/pam.d/common-auth
#
# Updated by Ansible - 2021-04-01T14:39:24.314935
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth       [success=2 default=ignore] pam_unix.so nullok_secure
auth       [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass require_membership_of=slg-tsk-ssh-acs@serverdomain.local
# here's the fallback if no module succeeds
auth       requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth       required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth       optional pam_cap.so
# end of pam-auth-update config
auth       required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

________________________________________


Thank you in advance for considering this.


Kind Regards,
Ivo