When trying to connect to the trusted domain, Samba tries to fetch the machine account for the trusted domain, but that machine account never exists in secrets.tdb. Does it mean that when we join the primary domain, we should join the trusted domain at the same time?

git-blame shows:

88a04cf1 (Michael Adam 2007-12-17 23:24:36 +0100 595) {
88a04cf1 (Michael Adam 2007-12-17 23:24:36 +0100 596)     const char *account_name;
88a04cf1 (Michael Adam 2007-12-17 23:24:36 +0100 597)
88a04cf1 (Michael Adam 2007-12-17 23:24:36 +0100 598)     if (!get_trust_pw_clear(domain->name, machine_password,
88a04cf1 (Michael Adam 2007-12-17 23:24:36 +0100 599)                             &account_name, NULL))

get_trust_creds() exists both in cm_prepare_connection() and cm_connect_sam().
This refers to 3.0.28a (and probably 3.2.0pre as well; did not confirm yet).
Excerpt from the irclog of #samba-technical@freenode (http://www.samba.sernet.de/irclog/2008/04/20080428-Mon.log):

-------------------------------------------------------------------
04/28/08 10:34:23 <boyang> Hi, obnox
04/28/08 10:34:43 <obnox> hi boyang
04/28/08 10:36:31 <boyang> Could you please explain nsswitch/winbindd_cm.c: line 719 and line 1775, v3-0-test?
04/28/08 10:36:55 <boyang> I have sent one mail to you too...
04/28/08 10:36:55 <boyang> trusted domain is broken...
04/28/08 10:37:46 christz (n=christz@dslb-088-070-031-099.pools.arcor-ip.net) has joined channel #samba-technical
04/28/08 10:37:59 <obnox> boyang: looking...
04/28/08 10:38:15 <boyang> Thank you!
04/28/08 11:01:14 <obnox> boyang: in your mail you cite lines 595--599, above you mention 719,1775 .
04/28/08 11:02:00 <obnox> ah alright, sorry that is the function called in 719 & 1775..
04/28/08 11:02:51 <boyang> yeap. :-)
04/28/08 11:04:04 <obnox> boyang: so that get_trust_creds() function gets some account name & password depending on the domain name given:
04/28/08 11:04:19 <obnox> in case it is our own domain and we are member, get the machine account creds
04/28/08 11:04:28 <boyang> yeap
04/28/08 11:04:34 <obnox> in case it is another domain, and we are DC, get the trusted domain PW
04/28/08 11:04:46 <boyang> yeap
04/28/08 11:04:56 <obnox> a DC stores the trust pw for trusted domains in secrets tdb
04/28/08 11:05:21 <boyang> But if it is the trusted domain, and we are domain member?
04/28/08 11:05:37 <obnox> hm, then our dc should be asked, i guess :)
04/28/08 11:06:30 <obnox> so are you trying to tell me that for a member, trusted domains are broken?
04/28/08 11:06:39 <boyang> yeap
04/28/08 11:06:42 <obnox> golly gosh
04/28/08 11:07:14 <obnox> boyang: could you please open a bugzilla entry for that?
04/28/08 11:07:27 <boyang> yeap
04/28/08 11:07:37 <obnox> great thanks
04/28/08 11:08:29 <obnox> connection to trusted domain from member server is apparently not covered.. :-(
...
04/28/08 11:17:12 <boyang> obnox: what does "not covered" mean? I take it as "it has nothing to do with get_trust_creds()". Did I understand it correctly?
04/28/08 11:17:58 <obnox> boyang: right, not covered by the if statements in get_trust_pw_clear()
04/28/08 11:19:43 <boyang> secrets_fetch_machine_password() tries to get machine account for trusted domain, which never exists in secrets.tdb.
04/28/08 11:19:54 <obnox> exactly
04/28/08 11:20:15 <boyang> It is right that it is not covered by if statements, it is for DC situation.
04/28/08 11:20:56 <obnox> well yes, either dc connecting to trusted domain, or member connecting to its own dc
04/28/08 11:21:03 <obnox> other cases not covered
04/28/08 11:21:45 <boyang> Then, connection to Trusted domain's DC fails. Because NO MACHINE ACCOUNT is fetched from secrets.tdb
04/28/08 11:22:05 <boyang> Just DC.
04/28/08 11:22:41 <boyang> take a look at fork_domain_child, winbind for trusted domain tries to connect to DC of the trusted domain.
04/28/08 11:22:58 <boyang> It tries to fetch machine account.
04/28/08 11:23:20 <boyang> no machine account for trusted domain exists. -------> fail
04/28/08 11:28:22 <obnox> boyang: what request is it you are doing?
04/28/08 11:29:01 <boyang> you mean winbind request?
04/28/08 11:29:14 <obnox> yep what triggers this behaviour
04/28/08 11:30:24 <boyang> PAM_AUTH
04/28/08 11:30:28 <obnox> oops
04/28/08 11:31:14 <boyang> in fact, requests that will cause winbind to contact trusted domain through netlogon
-----------------------------------------------------------------
discussion ends here
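The three cases the IRC discussion walks through (member asking about its own domain, DC asking about a trusted domain, member asking about a trusted domain) can be made concrete with a small model. The following is an added illustration and is not Samba's get_trust_creds() or get_trust_pw_clear(); the in-memory "secrets store", the domain names OURDOM/TRUSTED and the account names are all constructed. creds_broken() keys the lookup by the target domain, which is the gap described above; creds_fixed() is an assumed shape of the repair (a member always presents its own machine account, only a DC looks up a trust password), offered as an illustration rather than as the patch actually applied for bug #5451.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum role { ROLE_MEMBER, ROLE_DC };
enum secret_kind { SECRET_MACHINE_ACCOUNT, SECRET_TRUST_PW };

/* One entry of the constructed secrets store (stand-in for secrets.tdb). */
struct secret {
    const char *domain;      /* domain the secret is keyed by */
    enum secret_kind kind;
    const char *account;     /* account name presented to the remote DC */
    const char *password;    /* constructed value, never a real secret */
};

struct host {
    enum role role;
    const char *own_domain;
    const struct secret *secrets;
    size_t n_secrets;
};

/* Constructed store of a member server of OURDOM: it holds only its own
 * machine account. Trust passwords for TRUSTED live on OURDOM's DCs. */
static const struct secret member_secrets[] = {
    { "OURDOM", SECRET_MACHINE_ACCOUNT, "HOST$", "constructed-machine-pw" },
};

/* Constructed store of a DC of OURDOM: machine account plus the
 * interdomain trust password for the trusted domain TRUSTED. */
static const struct secret dc_secrets[] = {
    { "OURDOM",  SECRET_MACHINE_ACCOUNT, "DC1$",    "constructed-dc-pw" },
    { "TRUSTED", SECRET_TRUST_PW,        "OURDOM$", "constructed-trust-pw" },
};

static const struct host member_host = {
    ROLE_MEMBER, "OURDOM", member_secrets,
    sizeof(member_secrets) / sizeof(member_secrets[0])
};

static const struct host dc_host = {
    ROLE_DC, "OURDOM", dc_secrets,
    sizeof(dc_secrets) / sizeof(dc_secrets[0])
};

static const struct secret *lookup(const struct host *h, const char *domain,
                                   enum secret_kind kind)
{
    for (size_t i = 0; i < h->n_secrets; i++) {
        if (strcmp(h->secrets[i].domain, domain) == 0 &&
            h->secrets[i].kind == kind)
            return &h->secrets[i];
    }
    return NULL;
}

/* Pre-fix shape: credentials are looked up under the *target* domain.
 * DC -> trusted domain: finds the trust password.
 * member -> own domain: finds its machine account.
 * member -> trusted domain: no machine account for TRUSTED exists,
 * so NULL is returned and the connection attempt fails. */
static const struct secret *creds_broken(const struct host *h, const char *target)
{
    if (h->role == ROLE_DC && strcmp(target, h->own_domain) != 0)
        return lookup(h, target, SECRET_TRUST_PW);
    return lookup(h, target, SECRET_MACHINE_ACCOUNT);
}

/* Assumed fixed shape (illustration, not the applied patch): a member
 * never keys the lookup by a trusted domain's name; it presents its own
 * machine account and lets the trusted DC validate it through the trust.
 * Only a DC consults the trust password for a foreign domain. */
static const struct secret *creds_fixed(const struct host *h, const char *target)
{
    if (h->role == ROLE_DC && strcmp(target, h->own_domain) != 0)
        return lookup(h, target, SECRET_TRUST_PW);
    return lookup(h, h->own_domain, SECRET_MACHINE_ACCOUNT);
}

static void show(const char *label, const struct secret *s)
{
    printf("%-28s %s\n", label, s ? s->account : "(no credentials: fail)");
}

int main(void)
{
    show("broken: member -> OURDOM",  creds_broken(&member_host, "OURDOM"));
    show("broken: DC -> TRUSTED",     creds_broken(&dc_host, "TRUSTED"));
    show("broken: member -> TRUSTED", creds_broken(&member_host, "TRUSTED"));
    show("fixed:  member -> TRUSTED", creds_fixed(&member_host, "TRUSTED"));
    show("fixed:  DC -> TRUSTED",     creds_fixed(&dc_host, "TRUSTED"));
    return 0;
}
```

The third line of output is the failure path the PAM_AUTH request runs into: a member has nothing stored under the trusted domain's name, so a lookup keyed by that name can only come back empty.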
In bug #5451, which is the same as this except for an extra Kerberos issue, a patch has been submitted which has meanwhile been applied to the 3.0, 3.2 and 3.3 branches. Could you check the current v3-0-test branch for an improvement? I think this has just not made it into 3.0.29.

Michael
test
We still have that issue with trusted domains and ourselves not having a machine account password in secrets.tdb when we're an NT4 DC.