Bug 5339 - Interdomaintrust broken since 3.0.28
Summary: Interdomaintrust broken since 3.0.28
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.28a
Hardware: Other Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 5340
Reported: 2008-03-20 01:35 UTC by Sysadmin HTL-Leonding
Modified: 2008-04-14 00:33 UTC

See Also:


Attachments
Logfiles from trusting domain controller with Samba 3.0.27 (43.92 KB, application/octet-stream)
2008-04-02 00:21 UTC, Sysadmin HTL-Leonding
Logfiles from trusted domain controller with Samba 3.0.27 (28.38 KB, application/octet-stream)
2008-04-02 00:21 UTC, Sysadmin HTL-Leonding
Logfiles from trusting domain controller with Samba 3.0.28a (27.98 KB, application/octet-stream)
2008-04-02 00:21 UTC, Sysadmin HTL-Leonding
Logfiles from trusted domain controller with Samba 3.0.28a (19.50 KB, application/octet-stream)
2008-04-02 00:22 UTC, Sysadmin HTL-Leonding
Logfiles from trusting domain controller with Samba 3.0.28a when executing wbinfo -u (21.47 KB, application/octet-stream)
2008-04-02 00:23 UTC, Sysadmin HTL-Leonding
Logfiles from trusted domain controller with Samba 3.0.28a when executing wbinfo -u (11.75 KB, application/octet-stream)
2008-04-02 00:23 UTC, Sysadmin HTL-Leonding
Description Sysadmin HTL-Leonding 2008-03-20 01:35:08 UTC
Linux: Gentoo (don't know whether this problem exists with other distributions or not)

OpenLDAP 2.3.41, Samba >= 3.0.28, smbldap-tools 0.91

Situation:
You have two domains (SMBONE and SMBTWO) using separate LDAP backends, running Samba 3.0.28. You establish an interdomain trust using smbldap-useradd -i SMBONE$ on SMBTWO-SRV, and using net rpc trustdom establish SMBTWO on SMBONE-SRV you create the interdomain trust (there has always been a nasty error message followed by a success message, but it works). On SMBONE winbind is activated (and in nsswitch.conf), so up to and including Samba 3.0.27 you were able to log into SMBTWO if your client had joined SMBONE.

You can log into SMBONE if your client has joined SMBONE.
You can log into SMBTWO if your client has joined SMBTWO.

But with Samba 3.0.28 (and 3.0.28a) you cannot log into SMBTWO if your client has joined SMBONE. You can choose SMBTWO from the domain list (tried with Windows 2000 SP4, but the problem also exists with Windows XP SP2 and newest patches --> seems not to be a Windows fault).

With Samba 3.0.28a winbind (wbinfo -u) can't receive the users of the trusted domains; with Samba 3.0.28 it can, but you can't log in (receiving wrong user or password OR there is a problem with an attached device).

After rolling back to Samba 3.0.27 (it is masked for security reasons ...) everything works fine with the same configuration. So it seems there is something broken since Samba 3.0.28.
Comment 1 Sysadmin HTL-Leonding 2008-04-02 00:21:06 UTC
Created attachment 3233
Logfiles from trusting domain controller with Samba 3.0.27
Comment 2 Sysadmin HTL-Leonding 2008-04-02 00:21:33 UTC
Created attachment 3234
Logfiles from trusted domain controller with Samba 3.0.27
Comment 3 Sysadmin HTL-Leonding 2008-04-02 00:21:53 UTC
Created attachment 3235
Logfiles from trusting domain controller with Samba 3.0.28a
Comment 4 Sysadmin HTL-Leonding 2008-04-02 00:22:22 UTC
Created attachment 3236
Logfiles from trusted domain controller with Samba 3.0.28a
Comment 5 Sysadmin HTL-Leonding 2008-04-02 00:23:21 UTC
Created attachment 3237
Logfiles from trusting domain controller with Samba 3.0.28a when executing wbinfo -u
Comment 6 Sysadmin HTL-Leonding 2008-04-02 00:23:48 UTC
Created attachment 3238
Logfiles from trusted domain controller with Samba 3.0.28a when executing wbinfo -u
Comment 7 Sysadmin HTL-Leonding 2008-04-03 06:31:34 UTC
Example:
Two domain controllers smbone and smbtwo, both are PDCs
W2K-Client (doesn't depend on client but for clarity) client of smbone
interdomaintrust between smbone and smbtwo established
Servers: Gentoo, USE="acl cups examples fam ipv6 ldap pam python quotas readline winbind"
not in USE: ads, async automounts caps doc selinux syslog swat

Try to log in from client on smbone and smbtwo
Samba 3.0.27 and before: winbind works
Samba 3.0.28a: winbind doesn't work (doesn't work in 3.0.28, unknown whether Samba 3.0.27a was working as it is not in portage)
can't access profiles from client on smbone because of winbind problem (with force user=%U set) (this worked in 3.0.28!!!)

attachments:
samba3027*.tar.bz2 log level 10 logs with Samba 3.0.27 --> working
samba3028a*.tar.bz2 log level 10 logs with Samba 3.0.28a --> not working

samba3028a*wbinfou.tar.bz2 log level 10 logs executing wbinfo -u on smbone, result: Error looking up domain users
Comment 8 Guenther Deschner 2008-04-10 06:07:54 UTC
Do you have a chance to test the v3-0-test code base in git? It should be fixed in there.
Comment 9 Sysadmin HTL-Leonding 2008-04-10 07:03:06 UTC
Please tell me whether or not you can provide me with a patch file which can be applied to the samba-3.0.28a or the samba-3.0.28 release tar file.

If this is not easily possible, I will try to get the sources from git.

Thanks for your help.
Comment 10 Volker Lendecke 2008-04-10 07:10:42 UTC
You can always get the latest 3.0 snapshot as a tar.gz from 

http://repo.or.cz/w/Samba.git?a=snapshot;h=refs/heads/v3-0-test;sf=tgz

Volker
Comment 11 Sysadmin HTL-Leonding 2008-04-14 00:30:33 UTC
Tested git files (timestamp 10 Apr 17:56) in a testing environment, where the interdomain trust seems to work properly again (winbind seems to be OK again, trusted server login also works again). Waiting for Samba 3.0.28b to be released for the production environment.
Comment 12 Volker Lendecke 2008-04-14 00:33:00 UTC
Closing as fixed

Volker