Bug 3398 - interdomain trust relationship failed after update from 3.0.20b to 3.0.21a
Summary: interdomain trust relationship failed after update from 3.0.20b to 3.0.21a
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.21c
Hardware: x86 Windows 2000
: P1 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-12 04:53 UTC by Sergiy Tsymbal
Modified: 2007-04-14 17:45 UTC (History)
1 user (show)

See Also:

Attachments
config file (1.91 KB, text/plain)
2006-01-12 05:51 UTC, Sergiy Tsymbal 		no flags Details
log files from one side of two way trust. (824.27 KB, application/octet-stream)
2006-01-14 07:11 UTC, William Jojo 		no flags Details
log files from other side of two way trust. (747.74 KB, application/octet-stream)
2006-01-14 07:11 UTC, William Jojo 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sergiy Tsymbal 2006-01-12 04:53:37 UTC 
I have samba 3.0.20b with ldapsam. Two way trust. After update to 3.0.21a trust relationship failed. Upon attempt to check trusts from Windows 2000 Server (SP4) samba log for the server gives (ISMA-ACNT is trusted domain):

[2006/01/12 13:13:38, 0] libsmb/credentials.c:creds_server_check(159)
  creds_server_check: credentials check failed.
[2006/01/12 13:13:38, 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  _net_sam_logon: creds_server_step failed. Rejecting auth request from client ISMA-ACNT-SRV machine account ISMA-ACNT$
[2006/01/12 13:13:38, 0] libsmb/credentials.c:creds_server_check(159)
  creds_server_check: credentials check failed.
[2006/01/12 13:13:38, 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  _net_sam_logon: creds_server_step failed. Rejecting auth request from client ISMA-ACNT-SRV machine account ISMA-ACNT$
[2006/01/12 13:13:38, 0] libsmb/credentials.c:creds_server_check(159)
  creds_server_check: credentials check failed.
[2006/01/12 13:13:38, 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  _net_sam_logon: creds_server_step failed. Rejecting auth request from client ISMA-ACNT-SRV machine account ISMA-ACNT$
[2006/01/12 13:13:38, 0] libsmb/credentials.c:creds_server_check(159)
  creds_server_check: credentials check failed.
[2006/01/12 13:13:38, 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  _net_sam_logon: creds_server_step failed. Rejecting auth request from client ISMA-ACNT-SRV machine account ISMA-ACNT$
[2006/01/12 13:14:04, 0] libsmb/credentials.c:creds_server_check(159)
  creds_server_check: credentials check failed.
[2006/01/12 13:14:04, 0] rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  _net_sam_logon: creds_server_step failed. Rejecting auth request from client ISMA-ACNT-SRV machine account ISMA-ACNT$

Even worse, after I rollback to 3.0.20b trust relations check passed, but I still can not connect to shares on samba domain server from trusted Windows 2000 domain.
Share has following permissions:
valid users = @samba_domain_group, ISMA-ACNT\user

Attempt to map the samba share from ISMA-ACNT domain machine with ISMA-ACNT\user valid credentials fails with:

[2006/01/12 13:15:37, 0] auth/auth_util.c:make_server_info_info3(1297)
  make_server_info_info3: pdb_init_sam failed!

In case of deliberately wrong password for user ISMA-ACNT\user log shows:

[2006/01/12 13:09:31, 0] auth/auth_domain.c:domain_client_validate(238)
  domain_client_validate: unable to validate password for user acnttest in domain ISMA-ACNT to Domain controller ISMA-ACNT-SRV. Error was NT_STATUS_WRONG_PASSWORD.
Comment 1 Sergiy Tsymbal 2006-01-12 05:51:00 UTC 
Created attachment 1670 [details]
config file

the shorted config file
Comment 2 William Jojo 2006-01-14 05:49:54 UTC 
This is much worse than it looks.

Two 3.0.20b systems with a two way trust (ACDEV <-> DEVEX):

* XP-SP2 joins DEVEX (log on to box shows: local computer, ACDEV and DEVEX)
* User from DEVEX logs in DEXEV ok.
* User from ACDEV logs into DEVEX ok.
* Same user from ACDEV logs into ACDEV ok. Everything is perfect.


Two 3.0.21a systems with a two way trust (ACDEV <->DEVEX):

* XP-SP2 joins DEVEX (log on to box shows: local computer, ACDEV and DEVEX)
* User from DEVEX log in DEVEX ok.
* User from ACDEV attemps login to DEVEX.

At this point the smbds on both servers attemps to check EXDEV$ and ACEDEV$ credentials (the NETBIOS names of the servers). They think each other is a Domain Member server and forget there is a trust established. What's worse is this begins a cyclical connect from smbd to each others winbindd that eventually (within 5 minutes for my testing) causes winbindd to use up all 200 connections on each system rendering both DC's dead.

I'm collecting the logs now and will post here within the hour.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-01-14 06:32:53 UTC 
Thanks Bill.  I'll fix this on Monday.  Will 
need those logs though.  Please attach them here.
Comment 4 William Jojo 2006-01-14 07:11:07 UTC 
Created attachment 1682 [details]
log files from one side of two way trust.
Comment 5 William Jojo 2006-01-14 07:11:50 UTC 
Created attachment 1683 [details]
log files from other side of two way trust.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2006-01-25 21:30:57 UTC 
Bill, any chance you could give the current SAMBA_3_0_RELEASE and 
see if this is still an issue.  I remember a related checkin.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2006-01-27 07:01:55 UTC 
Bill says it looks ok now fopr 3.0.21b
Comment 8 Sergiy Tsymbal 2006-03-12 07:18:16 UTC 
Unfortunately the bug is still in place trough out 21a, 21b, 21c versions.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2007-04-14 17:45:30 UTC 
I cannot repro this anymore.  Reopen if there is a problem in 3.0.24/3.0.25