Bug 5425 - broken trusted domain in winbind as domain member..
Summary: broken trusted domain in winbind as domain member..
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.9.3
Hardware: All Linux
: P3 critical (vote)
Target Milestone: 4.9
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
Depends on:
Reported: 2008-04-28 04:14 UTC by boyang
Modified: 2018-12-09 15:28 UTC (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description boyang 2008-04-28 04:14:07 UTC
When trying to connect to the trusted domain, samba tries to fetch machine account for trusted domain, but that machine account never exists in secrets.tdb.

   does it mean that when we join the primary domain, we should join the trusted domain at the same time?

   git-blame shows:

   88a04cf1 (Michael Adam                         2007-12-17 23:24:36 +0100  595) {
88a04cf1 (Michael Adam                         2007-12-17 23:24:36 +0100  596)  const char *acco
88a04cf1 (Michael Adam                         2007-12-17 23:24:36 +0100  597)
88a04cf1 (Michael Adam                         2007-12-17 23:24:36 +0100  598)  if (!get_trust_p
w_clear(domain->name, machine_password,
88a04cf1 (Michael Adam                         2007-12-17 23:24:36 +0100  599)
       &account_name, NULL))

get_trust_creds() exists both in cm_prepare_connection() and cm_connect_sam()....
Comment 1 Michael Adam 2008-05-01 05:59:38 UTC
this refers to 3.0.28a
(and probably 3.2.0pre as well - did not confirm yet)
Comment 2 Michael Adam 2008-05-01 06:05:15 UTC
excerpt from irclog of #samba-technical@freenode:

04/28/08 10:34:23 <boyang> Hi, obnox
04/28/08 10:34:43 <obnox> hi boyang 
04/28/08 10:36:31 <boyang> Could you please explain  nsswitch/winbindd_cm.c: line 719 and line 1775, v3-0-test?
04/28/08 10:36:55 <boyang> I have sent one mail to you too...
04/28/08 10:36:55 <boyang> trusted domain is broken...
04/28/08 10:37:46 christz (n=christz@dslb-088-070-031-099.pools.arcor-ip.net) has joined channel #samba-technical
04/28/08 10:37:59 <obnox> boyang: looking...
04/28/08 10:38:15 <boyang> Thank you!
04/28/08 11:01:14 <obnox> boyang: in your mail you cite lines 595--599, above you mention 719,1775 .
04/28/08 11:02:00 <obnox> ah alright, sorry that is the function called in 719 & 1775..
04/28/08 11:02:51 <boyang> yeap. :-)
04/28/08 11:04:04 <obnox> boyang: so that get_trust_creds() function gets some account name & password depending on the domain name given:
04/28/08 11:04:19 <obnox> in case it is our own domain and we are member, get the machine account creds
04/28/08 11:04:28 <boyang> yeap
04/28/08 11:04:34 <obnox> in case it is another domain, and we are DC, get the trusted domain PW
04/28/08 11:04:46 <boyang> yeap
04/28/08 11:04:56 <obnox> a DC stores the trust pw for trusted domains in secrets tdb
04/28/08 11:05:21 <boyang> But if it is the trusted domain, and we are domain member?
04/28/08 11:05:37 <obnox> hm, then our cd should be asked, i guess :)
04/28/08 11:06:30 <obnox> so are you trying to tell me that for a member, trusted domains are broken?
04/28/08 11:06:39 <boyang> yeap
04/28/08 11:06:42 <obnox> golly gosh
04/28/08 11:07:14 <obnox> boyang: could you please open a bugzilla entry for that?
04/28/08 11:07:27 <boyang> yeap
04/28/08 11:07:37 <obnox> great thanks
04/28/08 11:08:29 <obnox> connection to trusted domain from member server is apparently not covered.. :-(
04/28/08 11:17:12 <boyang> obnox: what does "not covered" mean? I take it as "it has nothing to do with get_trust_creds()". Did I understand it correctly?
04/28/08 11:17:58 <obnox> boyang: right, not covered by the if statements in get_trust_pw_clear((
04/28/08 11:19:43 <boyang> secrets_fetch_machine_password() tries to get machine account for trusted domain, which never exists in secrets.tdb.
04/28/08 11:19:54 <obnox> exactly
04/28/08 11:20:15 <boyang> It is right that it is not covered by if statements, it is for DC situation.
04/28/08 11:20:56 <obnox> well yes, either dc connecting to trusted domain, or member connecting to its own dc
04/28/08 11:21:03 <obnox> other cases not covered
04/28/08 11:21:45 <boyang> Then, connection to Trusted doamin's DC fails. Because NO MACHINE ACCOUNT is fetched from secrets.tdb
04/28/08 11:22:05 <boyang> Just DC.
04/28/08 11:22:41 <boyang> take a look at fork_domain_child, winbind for trusted domain tries to connect to DC of the trusted domain.
04/28/08 11:22:58 <boyang> It tries to fetch machine account.
04/28/08 11:23:20 <boyang> no machine account for trusted domain exists. -------> fail
04/28/08 11:28:22 <obnox> boyang: what request is it you are doing?
04/28/08 11:29:01 <boyang> you mean winbind request?
04/28/08 11:29:14 <obnox> yep what triggers this behaviour
04/28/08 11:30:24 <boyang> PAM_AUTH
04/28/08 11:30:28 <obnox> oops
04/28/08 11:31:14 <boyang> in fact, requests that will cause winbind to contatc trusted domain through netlogon

discussion ends here
Comment 3 Michael Adam 2008-05-24 18:30:47 UTC
In bug #5451, which is the same as this except for
an extra kerberos issue, a patch has been submitted
which has meanwhile been applied to 3.0, 3.2. and 3.3 branches.

Could you check current v3-0-test branch for an improvement?
I think this has just not made it into 3.0.29.

Comment 4 Michael Adam 2008-07-07 13:16:47 UTC
Comment 5 Björn Jacke 2018-12-09 15:28:40 UTC
we still have that issue with trusted domains and ourself not having a machine account password in secrets.tdb when we're a NT4 DC.