Bug 305 - Authentication fails for mixed-mode DC w/ transitive trusts
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.0preX
Hardware: All NetBSD
Importance: P1 normal
Target Milestone: 3.0.0rc3
Assigned To: Gerald (Jerry) Carter
QA Contact:
Depends on:
Blocks:
Reported: 2003-08-16 08:28 UTC by Ken Cross
Modified: 2005-11-14 09:29 UTC (History)

See Also:


Attachments
Always use lp_realm() for our realm. (1.19 KB, patch)
2003-08-29 23:09 UTC, Andrew Bartlett
no flags Details

Description Ken Cross 2003-08-16 08:28:53 UTC
If Samba joins a native-mode DC, all transitive trusts work correctly.

If Samba joins a mixed-mode DC, wbinfo --sequence and wbinfo -m work 
correctly, but authentication (wbinfo -a) fails for all domains that are not 
directly connected to the DC, i.e., transitive trusts don't work for 
authentication.
Comment 1 Gerald (Jerry) Carter 2003-08-18 23:03:29 UTC
Interesting to note that if you join an NT4 box to a 
mixed mode AD domain, you don't get all of the domains 
that could be reached by transitive trusts listed in the 
CTRL+ALT+DEL logon window.  Only those of immediate trusts.

If you join a 2k box to the same domain, you get all of the
trusted domains listed in the logon window.

The failure that is causing users from a transitive trusted 
domain not to be able to logon is that the net_sam_logon is 
failing which appears consistent with the NT4 behavior.  

Will have to work on it some more but I'm guessing this is 
coming down to a kerberos issue.  So 'wbinfo -a' will fail by 
definition in this case but win2k clients accessing the Samba box
as a user from a transitive trust domain should work.
Since they don't, this is a confirmed legitimate bug.

Comment 2 Gerald (Jerry) Carter 2003-08-19 08:42:21 UTC
I did look at a trace and the win2k is only sending the 
NTLMSSP OID in the SMBsesssetup request.
Comment 3 Gerald (Jerry) Carter 2003-08-19 10:40:08 UTC
Andrew B. has a fix for the problem where we were getting downgraded to
NT4 in AD (operatingSystem and operatingSystemVersion attributes).
That should fix this as well since the 2k clients will now use krb5
logons.  I'll wait to test his patch (in the next day or so)
but I'm pretty sure it will solve this bug as well.
Comment 4 Ken Cross 2003-08-19 19:21:53 UTC
I still plan to do more testing, but looks very good so far.  Brilliant work, 
guys!
Comment 5 Gerald (Jerry) Carter 2003-08-19 19:38:15 UTC
This is fixed with Andrew B's latest checkin.
See the comments about the extra bits needed in the sec_channel
negotiate flags.

Please run as many tests as possible to make sure we haven't broken winbindd
in some other way.
Comment 6 Ken Cross 2003-08-20 20:04:04 UTC
Something still ain't right.  With this configuration:

  SUPTRA (mixed-mode)
    +-- CAMPBELLS (mixed-mode)
    +-- KAMA (mixed-mode)
          +-- TANTRA (native-mode)

If I join SUPTRA, "wbinfo -a" works for TANTRA, but it cannot authenticate 
user connections to TANTRA (DC name is "JAYA").  Level 10 logs:

[2003/08/20 22:52:01, 10] nsswitch/winbindd_util.c:add_trusted_domains(187)
  Found domain TANTRA
[2003/08/20 22:52:01, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
  IPC$ connections done anonymously
[2003/08/20 22:52:01, 5] nsswitch/winbindd_cm.c:cm_open_connection(177)
  connecting to JAYA from SA1501 with kerberos principal [SA1501$@SUPTRA.NSSOLUTIONS.COM]
[2003/08/20 22:52:01, 2] libsmb/cliconnect.c:cli_session_setup_spnego(646)
  Doing spnego session setup (blob length=128)
[2003/08/20 22:52:01, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(496)
  Doing kerberos session setup
[2003/08/20 22:52:01, 3] nsswitch/winbindd_util.c:add_trusted_domain(135)
  add_trusted_domain: tantra.kama.suptra.nssolutions.com is a native mode domain
[2003/08/20 22:52:01, 1] nsswitch/winbindd_util.c:add_trusted_domain(142)
  Added domain TANTRA tantra.kama.suptra.nssolutions.com S-0-0
[2003/08/20 22:52:01, 10] nsswitch/winbindd_cache.c:domain_sid(1293)
  domain_sid: [Cached] - doing backend query for info for domain TANTRA
[2003/08/20 22:52:01, 3] nsswitch/winbindd_ads.c:domain_sid(953)
  ads: domain_sid
[2003/08/20 22:52:01, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/08/20 22:52:01, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password HOST/sa1501@TANTRA.KAMA.SUPTRA.NSSOLUTIONS.COM failed: Client not found in Kerberos database
[2003/08/20 22:52:01, 1] nsswitch/winbindd_ads.c:ads_cached_connection(70)
  ads_connect for domain TANTRA failed: Operations error


wbinfo --sequence shows TANTRA DISCONNECTED, but wbinfo -a to TANTRA works OK.

Sorry...
Comment 7 Gerald (Jerry) Carter 2003-08-21 08:00:58 UTC
This line in the log file bothers me.  I'm pretty sure this is 
due to Andrew's changes, so I think he'll have to respond

  kerberos_kinit_password HOST/sa1501@TANTRA.KAMA.SUPTRA.NSSOLUTIONS.COM 
  failed: Client not found in Kerberos database

I see the servicePrincipalName attribute for a Samba 3.0 
box joined to an AD domain is in the form

    HOST/SHAGGY
    HOST/shaggy.ad.plainjoe.org
    CIFS/SHAGGY
    CIFS/shaggy.ad.plainjoe.org

Since these are just DirectoryStrings, I can't imagine that they
would be case sensitive.

Could you check the attribute value on your DC using ADSIedit?
Comment 8 Gerald (Jerry) Carter 2003-08-27 13:05:13 UTC
RC2 will ship with this issue unresolved.  We'll put it on 
the plate for RC3 and hope to resolve it by then.
Comment 9 Andrew Bartlett 2003-08-29 23:08:28 UTC
The bug here is that we have code making assumptions about the remote server's
realm.  We should (as per the agreement after CIFS2003) always honor lp_realm(),
not the remote server's realm for the kerberos ticket.

I was writing up code to make this always consistent - bringing that back to life
should solve this bug.

Andrew Bartlett
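The failure mode Andrew describes is visible in the level 10 log above: winbindd ran kinit for a client principal in the remote domain's realm, which that KDC can never know. The following is an added diagnostic example, not code from this bug or from Samba, that scans such log lines for kinit failures whose client principal is not in our own realm and shows the principal rewritten to lp_realm(); the sample log lines are constructed from comment 6, and the helper names and the assumption that the corrected principal keeps the same primary/instance are mine.

```python
import re

# Realm winbindd is configured with (lp_realm()); taken from the log, where the
# machine principal is SA1501$@SUPTRA.NSSOLUTIONS.COM.
OUR_REALM = "SUPTRA.NSSOLUTIONS.COM"

# Constructed sample: two lines from the level 10 log in comment 6, with the
# wrapped continuation lines joined back together.
SAMPLE_LOG = """\
[2003/08/20 22:52:01, 5] nsswitch/winbindd_cm.c:cm_open_connection(177)
  connecting to JAYA from SA1501 with kerberos principal [SA1501$@SUPTRA.NSSOLUTIONS.COM]
[2003/08/20 22:52:01, 0] libads/kerberos.c:ads_kinit_password(133)
  kerberos_kinit_password HOST/sa1501@TANTRA.KAMA.SUPTRA.NSSOLUTIONS.COM failed: Client not found in Kerberos database
"""

# Matches the kinit failure message emitted by ads_kinit_password().
KINIT_RE = re.compile(
    r"kerberos_kinit_password\s+(?P<principal>\S+)\s+failed:\s+(?P<reason>.*)$"
)


def split_principal(principal):
    """Split 'primary[/instance]@REALM' into (name, realm); realm is '' if absent."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, "")


def find_realm_mismatches(log_text, our_realm=OUR_REALM):
    """Return kinit failures whose client principal is not in our own realm.

    A machine account only exists in its own domain's KDC, so asking the remote
    realm for it yields exactly the 'Client not found' symptom in this bug."""
    hits = []
    for line in log_text.splitlines():
        m = KINIT_RE.search(line)
        if not m:
            continue
        name, realm = split_principal(m.group("principal"))
        if realm.upper() != our_realm.upper():
            hits.append({"client": name, "used_realm": realm,
                         "expected_realm": our_realm, "reason": m.group("reason")})
    return hits


def corrected_principal(principal, our_realm=OUR_REALM):
    """Rewrite a client principal to our realm (hypothetical mirror of the lp_realm() fix)."""
    name, _ = split_principal(principal)
    return f"{name}@{our_realm}"


if __name__ == "__main__":
    for hit in find_realm_mismatches(SAMPLE_LOG):
        print(f"{hit['client']} was kinit'd in {hit['used_realm']} but our realm "
              f"is {hit['expected_realm']}: {hit['reason']}")
```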
Comment 10 Andrew Bartlett 2003-08-29 23:09:24 UTC
Created attachment 114 [details]
Always use lp_realm() for our realm.

In the meantime, this completely untested patch should solve it.
Comment 11 Ken Cross 2003-08-30 06:08:43 UTC
Andrew's patch does indeed seem to fix the problem.  Well done!  Here's a 
level 10 log comparable to my earlier one:

[2003/08/30 09:03:35, 10] nsswitch/winbindd_util.c:add_trusted_domains(220)
  Found domain TANTRA
[2003/08/30 09:03:35, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(106)
  IPC$ connections done anonymously
[2003/08/30 09:03:35, 5] nsswitch/winbindd_cm.c:cm_open_connection(177)
  connecting to JAYA from SA1501 with kerberos principal [SA1501$@SUPTRA.NSSOLUTIONS.COM]
[2003/08/30 09:03:35, 2] libsmb/cliconnect.c:cli_session_setup_spnego(646)
  Doing spnego session setup (blob length=128)
[2003/08/30 09:03:35, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(496)
  Doing kerberos session setup
[2003/08/30 09:03:35, 3] nsswitch/winbindd_util.c:add_trusted_domain(135)
  add_trusted_domain: tantra.kama.suptra.nssolutions.com is a native mode domain
[2003/08/30 09:03:35, 1] nsswitch/winbindd_util.c:add_trusted_domain(142)
  Added domain TANTRA tantra.kama.suptra.nssolutions.com S-0-0
[2003/08/30 09:03:35, 10] nsswitch/winbindd_cache.c:domain_sid(1293)
  domain_sid: [Cached] - doing backend query for info for domain TANTRA
[2003/08/30 09:03:35, 3] nsswitch/winbindd_ads.c:domain_sid(971)
  ads: domain_sid
[2003/08/30 09:03:35, 1] nsswitch/winbindd_util.c:add_trusted_domains(201)
  scanning trusted domain list

Comment 12 Gerald (Jerry) Carter 2003-09-04 12:43:26 UTC
I'm checking this fix in.  Will need lots of testing in 
all cases for trust relationships.  Thanks Andrew.
Comment 13 Gerald (Jerry) Carter 2005-02-07 09:06:23 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 14 Gerald (Jerry) Carter 2005-08-24 10:19:00 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
Comment 15 Gerald (Jerry) Carter 2005-11-14 09:29:33 UTC
database cleanup