The Samba-Bugzilla – Bug 5699
winbindd can't resolve user names from trusted Novell XAD domains
Last modified: 2014-10-22 09:51:48 UTC
I have a setup with two domains - parent.com and child.parent.com. I
expect the following two commands to succeed on both servers.
1. wbinfo -n 'CHILD\administrator'
2. wbinfo -n 'PARENT\administrator'
But, on each DC, only the local administrator identity is being resolved
and the error "Could not lookup name <user name>" is thrown for identity in the
We have fixed the issue in a patch winbind_resolve_trustdom.diff.
The Samba server is trying to resolve the user names in the local file.
We will attach the diff file shortly.
Created attachment 3488
The patch is for resolving the user names across domains.
The changes are done on the 3.0.28 code base. The Samba server was contacting the local passdb file for resolving the remote users. The issue is fixed in the attached patch. Please let us know if the patch fixes the issue.
This should have been fixed in 3.0.31:
o Steven Danneman <firstname.lastname@example.org>
* Use machine account and machine password from our domain when
contacting trusted domains.
* SPNEGO SPN fix when contacting trusted domains.
Can I get the bug number or feature number where this issue was discussed?
Also, the patch number would help me in resolving this issue.
Can I get the revision number to get this patch?
Should be 8dc4e979 and fd0ae470.
I am not able to find these revision numbers. How do I find this in SVN?
Or can you please provide me the decimal revision number?
Is this a revision number? Because I can see only decimal numbers in the SVN revisions.
We no longer use SVN. See http://gitweb.samba.org/?p=samba.git;a=summary
I got the patches from git. I will backport them to my code base (3.0.28), test the fix and update the bug accordingly.
(In reply to comment #2)
> This should have been fixed in 3.0.31:
> o Steven Danneman <email@example.com>
> * Use machine account and machine password from our domain when
> contacting trusted domains.
> * SPNEGO SPN fix when contacting trusted domains.
The fix given in the git revisions given by Karolin (comment #5) is not part of 3.0.31. I took the latest 3.0.31 from samba.org to verify this. In fact, it is present in 3.2.2 and the latest code base.
Can you please tell me in which revision Steven Danneman fixed this issue?
Both patches were included in 3.0.30.
Did you look at the code, or search the git log for the commit hashes?
(In reply to comment #10)
> Did you look at the code, or search the git log for the commit hashes?
I saw the diff in the git logs, which seems to have some other function, "winbindd_set_locator_kdc_envs()", getting called in cm_prepare_connection() [winbindd_cm.c]. This function is not present in the 3.0.31 that I downloaded from the link "http://us3.samba.org/samba/ftp/", but it is present in 3.2.2.
I was wondering if this function will cause some problem? I tried the patch without this function, and winbindd is not able to resolve even local users.
I took the patches at the git hashes suggested by Karolin Seeger, but unfortunately they are not fixing the problem I reported. I tried the latest 3.2, but that is also not solving the problem.
I took the patch given for bug 5454/5451 and the one suggested in bug 5425. But unfortunately, these patches didn't help me with the issue reported. After using these patches, I was not able to list the trusted domain. Apart from that, I was not able to list even local users.
The patch suggested by me is solving the problem. The command "wbinfo -n 'CHILD/Administrator'" on the parent domain is resolving the user in the child domain and vice versa. Also, the command "wbinfo -u" is showing the users of the child domain on the parent domain and vice versa.
So my request to all is to guide me to some other patch, if this exact issue has been fixed in some other bug. Otherwise, please comment on my patch, as it is solving the problem.
I am reopening the bug as the problem is not resolved yet.
From irc: It seems that AD does have the plaintext passwords for trust accounts, so you might not need this patch in the end.
11:31 abartlet@> vl, it sounds like we need some XAD detection code...
11:31 abartlet@> the funny thing is, in Samba4, we very much do have the
plaintext password (been working on that area today)
11:33 vl > abartlet: Wait a second -- AD has plaintext for trusts?
11:34 abartlet@> vl, even the NT4 set-secret stuff was plaintext, as far as
11:34 abartlet@> I'm talking about the client side in particular (which is
what you are discussing)
11:35 vl > abartlet: So if XAD implements the AD data model fully,
they don't need that patch in this style?
11:35 abartlet@> I don't see why we would need it
11:35 vl > abartlet: I'll paste your comment into the bug report, ok?
11:35 abartlet@> sure
It was only visible from the chat in comment 13 that this is a Novell/XAD related issue with winbind. Don't miss such important details in the bug reports, please. Is there any news about this? Is this still an unsolved issue with current Samba and XAD?