Bug 4895 - wbinfo -m lists invalid domain names with more than one DC
Summary: wbinfo -m lists invalid domain names with more than one DC
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.25b
Hardware: Other Windows XP
: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Depends on:
Reported: 2007-08-17 21:03 UTC by Serge Pashenkov (mail address dead)
Modified: 2007-08-20 11:33 UTC (History)
2 users (show)

See Also:

log level = 10 for wbinfo -m (22.62 KB, application/octet-stream)
2007-08-18 13:33 UTC, Serge Pashenkov (mail address dead)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Serge Pashenkov (mail address dead) 2007-08-17 21:03:21 UTC
I have parent domain NETLANTEK.NET and child NETCHILD.NETLANTEK.NET. The parent has two domain controllers, one is called win3k-pdc.netlantek.net. and the other one is called ccpqdl320-srv1.netlantek.net. I am joined to the parent domain, NETLANTEK.NET.

Here is what I see:

x228:203> wbinfo -m

The first name is not real, it's probably derived from DNS name of the second domain controller.

x228:195> wbinfo -D ccpqdl320-srv1
Name              : ccpqdl320-srv1
Alt_Name          : ccpqdl320-srv1
SID               : S-1-0-0
Active Directory  : No
Native            : No
Primary           : No
Sequence          : -1
x228:196> wbinfo -D NETCHILD
Name              : NETCHILD
Alt_Name          : netchild.netlantek.net
SID               : S-1-5-21-3757639274-339704108-2390042785
Active Directory  : Yes
Native            : Yes
Primary           : No
Sequence          : 156568
x228:197> wbinfo -D NETLANTEK
Name              : NETLANTEK
Alt_Name          : netlantek.net
SID               : S-1-5-21-1305906595-1791979575-428400569
Active Directory  : Yes
Native            : Yes
Primary           : Yes
Sequence          : 441170
x228:198> dig _ldap._tcp.netlantek.net srv                                                                                      
; <<>> DiG 9.3.2 <<>> _ldap._tcp.netlantek.net srv ;; global options:  printcmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64662 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;_ldap._tcp.netlantek.net.      IN      SRV

_ldap._tcp.netlantek.net. 600   IN      SRV     0 100 389 win3k-pdc.netlantek.net.
_ldap._tcp.netlantek.net. 600   IN      SRV     0 100 389 ccpqdl320-srv1.netlantek.net.

win3k-pdc.netlantek.net. 3600   IN      A
ccpqdl320-srv1.netlantek.net. 3600 IN   A

;; Query time: 1 msec
;; SERVER: ;; WHEN: Fri Aug 17 18:36:21 2007 ;; MSG SIZE  rcvd: 165
Comment 1 Serge Pashenkov (mail address dead) 2007-08-18 13:29:45 UTC
This is stock samba 3.0.25b from ftp.samba.org for SuSE 10.1 x64 running on SuSE10.1, no modifications.

Cleaned log files and winbindd_cache.tdb, joined domain, debug level = 1, did:
Logs attached.

x228:141> sudo sh /etc/init.d/winbind start
Starting Samba WINBIND daemon
x228:142> sudo net ads testjoin
Join is OK
x228:143> sudo net ads info
LDAP server:
LDAP server name: ccpqdl320-srv1.netlantek.net
Bind Path: dc=NETLANTEK,dc=NET
LDAP port: 389
Server time: Sat, 18 Aug 2007 11:19:22 PDT
KDC server:
Server time offset: -12
x228:144> wbinfo -m
x228:145> sudo sh /etc/init.d/winbindd
Shutting down Samba  WINBIND daemon                                   done
Comment 2 Serge Pashenkov (mail address dead) 2007-08-18 13:33:22 UTC
Created attachment 2870 [details]
log level = 10 for wbinfo -m
Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-08-18 13:55:25 UTC
There's something really strange about your domain setup:

          00000c ds_io_dom_trusts_ctr domain_trusts
              000c netbios_ptr: 00020004
              0010 dns_ptr: 00000000
              0014 flags: 00000002
              0018 parent_index: 00000000
              001c trust_type: 00000003
              0020 trust_attributes: 00000001
              0024 sid_ptr: 00000000
          000090 smb_io_unistr2 netbios_domain
              009c buffer     : c.c.p.q.d.l.3.2.0.-.s.r.v.1...
          0000bc smb_io_unistr2 - NULL dns_domain

The trust type and attributes say this is a outgoing, non-transitive
trust.  So I would say that you have incorrectly something about
your DCs.  We get back ccpqdl320-srv1 as a valid trusted domain so
what can we do?  Are you operating in mixed mode or something?

Comment 4 Serge Pashenkov (mail address dead) 2007-08-18 14:04:59 UTC
The way I'm reading thr -D output -- above in this bug -- the two "normal" domains are in native mode. The invalid one says No to everything so I assume this is just zeroed field and it does not really mean anything.

The way I understand it there is nothing special about the domain, just two controllers on the parent.

Comment 5 Gerald (Jerry) Carter (dead mail address) 2007-08-18 15:37:16 UTC
Please verify your domain controllers.  I've never seen a DC listed 
like this in the EnumDomainTrusts() reply.  And I've looked at it a lot
in the past few months.  I believe the output you posted but as of yet,
I do not trust that the DCs are properly configured.
Comment 6 Duncan Fiander (mail address dead) 2007-08-20 11:20:19 UTC
Netlantek server ccpqdl320-srv1 was configured as a trusted realm so the behavior was correct. 

This was probably setup for something we did in the past. I've demoted this server so it no longer shows up in the list.
Comment 7 Gerald (Jerry) Carter (dead mail address) 2007-08-20 11:33:34 UTC
Thanks Duncan. That would match the log files.  Closing this bug as INVALID.