Created attachment 17245: Diagram

We’ve encountered the following behavior which we believe is a bug in WINBIND. We have a SERVERS AD forest and a USERS AD forest with a one-way trust between them. When a user belonging to the USERS domain authenticates on a server belonging to the SERVER domain we see Kerberos NW traffic going to any of the 4 Domain Controllers of the USERS domain. We have AD Sites and Services set up for the USER and SERVER domains and we expect traffic to reach only UserDomainDC01 and UserDomainDC02.

Attached is a simplified diagram. The arrows represent auth flow. The arrow in red is the unwanted behavior that we want to avoid.

Samba version: 4.13.17
Server: Ubuntu 20.04

Configs:
________________________________________
root@SERVER:~# cat /etc/samba/smb.conf
[global]
   server role = member server
   server string = %h server (Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   domain logons = no
   load printers = no
   show add printer wizard = no
   printcap name = /dev/null
   disable spoolss = yes
   security = ads
   workgroup = SERVERDOMAIN
   realm = SERVERDOMAIN.LOCAL
   template shell = /bin/bash
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   template homedir = /home/%U@%D
   idmap config * : range = 30000-39999
   idmap config * : backend = tdb
   idmap config SERVERDOMAIN:backend = rid
   idmap config SERVERDOMAIN:range = 20000-29999
   idmap config USERDOMAIN:backend = rid
   idmap config USERDOMAIN:range = 10000-19999
   winbind use default domain = no
   winbind refresh tickets = yes
   winbind offline logon = no
   winbind enum groups = no
   winbind enum users = no
   allow trusted domains = yes
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

root@SERVER:~# cat /etc/krb5.conf
[libdefaults]
    default_realm = SERVERDOMAIN.LOCAL
    kdc_timesync = 1
    dns_lookup_kdc = false
    rdns = false
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    SERVERDOMAIN.LOCAL = {
        kdc = ServerDomainDCP01.Serverdomain.local
        kdc = ServerDomainDCP02.Serverdomain.local
        admin_server = ServerDomainDCP01.Serverdomain.local ServerDomainDCP02.Serverdomain.local
        default_domain = serverdomain.local
    }
    USERDOMAIN.LOCAL = {
        kdc = UserDomainDCP01.Userdomain.local
        kdc = UserDomainDCP02.Userdomain.local
        admin_server = UserDomainDCP01.Userdomain.local UserDomainDCP02.Userdomain.local
        default_domain = userdomain.local
    }

[domain_realm]
    .serverdomain.local = SERVERDOMAIN.LOCAL
    serverdomain.local = SERVERDOMAIN.LOCAL
    .userdomain.local = USERDOMAIN.LOCAL
    userdomain.local = USERDOMAIN.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false

[capaths]
    SERVERDOMAIN.LOCAL = {
        USERDOMAIN.LOCAL = .
    }
    USERDOMAIN.LOCAL = {
        SERVERDOMAIN.LOCAL = .
    }

root@SERVER:~# cat /etc/pam.d/common-auth
#
# Updated by Ansible - 2021-04-01T14:39:24.314935
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass require_membership_of=slg-tsk-ssh-acs@serverdomain.local
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
________________________________________

Thank you in advance for considering this.

Kind Regards,
Ivo
As you hardcode DCs in krb5.conf, have you tried 'create krb5 conf = no' in smb.conf? Otherwise winbindd generates its own krb5.conf. Anyway this is a valid bug, but it is not easy to fix...
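As an added example (not from the bug report or from Samba), a small Python check for the two things this comment hinges on: which KDCs the hand-managed /etc/krb5.conf pins per realm, and whether smb.conf still leaves 'create krb5 conf' at its default of yes, in which case winbindd writes and uses its own generated krb5.conf and the pinned KDC list never applies to winbind's Kerberos traffic. The krb5.conf and smb.conf samples are constructed from the report above; it is an assumption that the generated file lives under Samba's lock directory (something like /run/samba/smb_krb5/krb5.conf.SERVERDOMAIN), so run realm_kdcs over that file too and compare the two lists.

```python
import re

# Constructed sample modelled on the reporter's /etc/krb5.conf [realms] section.
KRB5_CONF = """[realms]
    SERVERDOMAIN.LOCAL = {
        kdc = ServerDomainDCP01.Serverdomain.local
        kdc = ServerDomainDCP02.Serverdomain.local
        default_domain = serverdomain.local
    }
    USERDOMAIN.LOCAL = {
        kdc = UserDomainDCP01.Userdomain.local   # the two site-local DCs
        kdc = UserDomainDCP02.Userdomain.local
    }
"""
# Constructed smb.conf [global] fragments: as reported, and with the fix applied.
SMB_CONF_REPORTED = "[global]\n  security = ads\n  realm = SERVERDOMAIN.LOCAL\n"
SMB_CONF_FIXED = SMB_CONF_REPORTED + "  create krb5 conf = no\n"

def realm_kdcs(text):
    """Map each realm in [realms] to the kdc hosts it pins, in file order."""
    kdcs, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms":
            m = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
            if m:
                realm = m.group(1)
                kdcs.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                if key == "kdc":
                    kdcs[realm].append(value)
    return kdcs

def winbind_generates_krb5_conf(smb_conf):
    """True when winbindd will write its own krb5.conf (the Samba default)."""
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            # Samba ignores case and spaces in parameter names, so normalise.
            if key.lower().replace(" ", "") == "createkrb5conf":
                return value.lower() not in ("no", "false", "0")
    return True
```

If the USERDOMAIN.LOCAL list from the generated file contains all four DCs while /etc/krb5.conf lists only two, that is the mismatch behind the red arrow in the diagram.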
I just tried 'create krb5 conf = no'. Works brilliantly for us and mitigates our concerns. I'm very grateful for the support!