Bug 15036 - Trusted Domain AD Sites support
Summary: Trusted Domain AD Sites support
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.13.17
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2022-03-25 11:15 UTC by Ivaylo Tsokov
Modified: 2022-09-06 08:35 UTC
CC: 2 users

See Also:

Attachment: Diagram (330.63 KB, image/jpeg), 2022-03-25 11:15 UTC, Ivaylo Tsokov
Description Ivaylo Tsokov 2022-03-25 11:15:03 UTC
Created attachment 17245: Diagram

We’ve encountered the following behavior which we believe is a bug in WINBIND.

We have a SERVERS AD forest and a USERS AD forest with a one-way trust between them.
When a user belonging to the USERS domain authenticates on a server belonging to the SERVER domain, we see Kerberos network traffic going to any of the 4 Domain Controllers of the USERS domain.
We have AD Sites and Services set up for the USER and SERVER domains and we expect traffic to reach only UserDomainDC01 and UserDomainDC02. Attached is a simplified diagram.
The arrows represent the auth flow. The arrow in red is the unwanted behavior that we want to avoid.


Samba version: 4.13.17
Server: Ubuntu 20.04


root@SERVER:~# cat /etc/samba/smb.conf
[global]
server role = member server
server string = %h server (Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes

security = ads
workgroup = SERVERDOMAIN
template shell = /bin/bash
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template homedir = /home/%U@%D
idmap config * : range = 30000-39999
idmap config * : backend = tdb
idmap config SERVERDOMAIN:backend = rid
idmap config SERVERDOMAIN:range = 20000-29999
idmap config USERDOMAIN:backend = rid
idmap config USERDOMAIN:range = 10000-19999
winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = no
winbind enum groups = no
winbind enum users = no
allow trusted domains = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

root@SERVER:~# cat /etc/krb5.conf
[libdefaults]
        default_realm = SERVERDOMAIN.LOCAL
        kdc_timesync = 1
        dns_lookup_kdc = false
        rdns = false
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        SERVERDOMAIN.LOCAL = {
                kdc = ServerDomainDCP01.Serverdomain.local
                kdc = ServerDomainDCP02.Serverdomain.local
                admin_server = ServerDomainDCP01.Serverdomain.local ServerDomainDCP02.Serverdomain.local
                default_domain = serverdomain.local
        }
        USERDOMAIN.LOCAL = {
                kdc = UserDomainDCP01.Userdomain.local
                kdc = UserDomainDCP02.Userdomain.local
                admin_server = UserDomainDCP01.Userdomain.local UserDomainDCP02.Userdomain.local
                default_domain = userdomain.local
        }

[domain_realm]
        .serverdomain.local = SERVERDOMAIN.LOCAL
        serverdomain.local = SERVERDOMAIN.LOCAL
        .userdomain.local = USERDOMAIN.LOCAL
        userdomain.local = USERDOMAIN.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false

[capaths]
        SERVERDOMAIN.LOCAL = {
                USERDOMAIN.LOCAL = .
        }
        USERDOMAIN.LOCAL = {
                SERVERDOMAIN.LOCAL = .
        }

root@SERVER:~# cat /etc/pam.d/common-auth
# Updated by Ansible - 2021-04-01T14:39:24.314935
# /etc/pam.d/common-auth - authentication settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth       [success=2 default=ignore] pam_unix.so nullok_secure
auth       [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass require_membership_of=slg-tsk-ssh-acs@serverdomain.local
# here's the fallback if no module succeeds
auth       requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth       required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth       optional pam_cap.so
# end of pam-auth-update config
auth       required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900


Thank you in advance for considering this.

Kind Regards,
Comment 1 Stefan Metzmacher 2022-03-25 14:34:04 UTC
As you hardcode DCs in krb5.conf, have you tried 'create krb5 conf = no'
in smb.conf? Otherwise winbindd generates its own krb5.conf.

Anyway this is a valid bug, but it is not easy to fix...
Comment 2 Ivaylo Tsokov 2022-03-25 14:50:07 UTC
I just tried 'create krb5 conf = no'.
Works brilliantly for us and mitigates our concerns.
I'm very grateful for the support!
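An added check that is not part of this bug report or of Samba's own tooling: it parses a static krb5.conf like the one above and flags any realm KDC that is not one of the site-local DCs (the red arrow in the diagram), and it verifies that smb.conf really sets 'create krb5 conf = no', since otherwise winbindd generates its own krb5.conf and the static KDC list is not what it uses. The sample krb5.conf, the third USERDOMAIN KDC and the per-realm allowlist are constructed for the example.

```python
import re
# Constructed krb5.conf modelled on the report's; the third USERDOMAIN kdc is a DC outside the site.
SAMPLE_KRB5_CONF = """\
[realms]
        SERVERDOMAIN.LOCAL = {
                kdc = ServerDomainDCP01.Serverdomain.local
                kdc = ServerDomainDCP02.Serverdomain.local
        }
        USERDOMAIN.LOCAL = {
                kdc = UserDomainDCP01.Userdomain.local
                kdc = UserDomainDCP02.Userdomain.local
                kdc = UserDomainDCP03.Userdomain.local:88
        }
"""
# Site-local DCs per realm (assumed; follows the report's diagram).
SITE_DCS = {"SERVERDOMAIN.LOCAL": {f"serverdomaindcp0{i}.serverdomain.local" for i in (1, 2)},
            "USERDOMAIN.LOCAL": {f"userdomaindcp0{i}.userdomain.local" for i in (1, 2)}}

def parse_realm_kdcs(text):
    """Return {REALM: [kdc host, ...]} from the [realms] section of krb5.conf text."""
    kdcs, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section, realm = head.group(1).lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].strip(" =").upper()
            kdcs.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"kdc\s*=\s*(\S+)", line, re.I)):
            kdcs[realm].append(m.group(1).split(":")[0].lower())  # drop :port
    return kdcs

def unexpected_kdcs(conf_text, site_dcs=SITE_DCS):
    """Realm -> KDCs in the static file that are not site-local DCs (the red arrow)."""
    return {r: [h for h in hosts if h not in site_dcs.get(r, set())]
            for r, hosts in parse_realm_kdcs(conf_text).items()
            if set(hosts) - site_dcs.get(r, set())}

def static_krb5_conf_enforced(smb_conf_text):
    """True when 'create krb5 conf = no' is set; the default (yes) lets winbindd generate its own krb5.conf."""
    for raw in smb_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]
        if "=" in line:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            if key.replace(" ", "") == "createkrb5conf":
                return val in ("no", "false", "0")
    return False
```

Samba ignores case and whitespace in parameter names, which is why the smb.conf check normalises the key before comparing.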