Bug 5699 - winbindd can't resolve user names from trusted Novell XAD domains
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.28a
Hardware: Other Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2008-08-18 09:20 UTC by Tukaram
Modified: 2014-10-22 09:51 UTC

Attachments
The patch is for resolving the user names across domains. (5.38 KB, patch)
2008-08-18 09:27 UTC, Tukaram
Description Tukaram 2008-08-18 09:20:20 UTC
I have a setup with two domains - parent.com and child.parent.com. I
expect the following two commands to succeed on both servers.
1. wbinfo -n 'CHILD\administrator'
2. wbinfo -n 'PARENT\administrator'
But, on each DC, only the local administrator identity is being resolved
and the error "Could not lookup name <user name>" is thrown for the identity in the
trusted domain.
We have fixed the issue in a patch, winbind_resolve_trustdom.diff.
The Samba server is trying to resolve the user names in the local file.
We will attach the diff file shortly.
Comment 1 Tukaram 2008-08-18 09:27:07 UTC
Created attachment 3488
The patch is for resolving the user names across domains.

The changes are done on 3.0.28 code base. Samba server was contacting the local passdb file for resolving the remote users. The issue is fixed in the attached patch. Please let us know if the patch fixes the issue.
Comment 2 Gerald (Jerry) Carter 2008-08-18 09:56:28 UTC
This should have been fixed in 3.0.31:

o   Steven Danneman <steven.danneman@isilon.com>
    * Use machine account and machine password from our domain when
      contacting trusted domains.
    * SPNEGO SPN fix when contacting trusted domains.
Comment 3 Tukaram 2008-08-19 01:36:46 UTC
Can I get the bug number or feature number where this issue was discussed?
Also, the patch number would help me in resolving this issue.
Comment 4 Tukaram 2008-08-19 03:38:19 UTC
Can I get the revision number to get this patch?
Comment 5 Karolin Seeger 2008-08-19 04:20:38 UTC
Should be 8dc4e979 and fd0ae470.
Comment 6 Tukaram 2008-08-19 04:47:12 UTC
I am not able to find these revision numbers. How do I find this in svn?
Or can you please provide me the decimal revision number?
Is this a revision number? Because I can see only decimal numbers in the svn revisions.
Comment 7 Gerald (Jerry) Carter 2008-08-19 07:19:10 UTC
We no longer use SVN.  See http://gitweb.samba.org/?p=samba.git;a=summary
Comment 8 Tukaram 2008-08-19 09:21:33 UTC
I got the patches from git. Will back port to my code base (3.0.28) and test the fix and update the bug accordingly.
Comment 9 hargagan 2008-08-25 05:00:48 UTC
(In reply to comment #2)
> This should have been fixed in 3.0.31:
> 
> o   Steven Danneman <steven.danneman@isilon.com>
>     * Use machine account and machine password from our domain when
>       contacting trusted domains.
>     * SPNEGO SPN fix when contacting trusted domains.
> 
Hi Gerald,
The fix given in the git revisions given by Karolin (comment #5) is not part of 3.0.31. I took the latest 3.0.31 from samba.org to verify this. In fact, this is present in 3.2.2 and the latest code base.
Can you please tell me in which revision Steven Danneman had fixed this issue?
Comment 10 Karolin Seeger 2008-08-25 06:09:07 UTC
Just verified:

Both patches were included in 3.0.30.

Did you look at the code or search git log for the commit hashes?
Comment 11 hargagan 2008-08-25 06:35:49 UTC
(In reply to comment #10)
> 
> Did you look at the code or search git log for the commit hashes?
> 
I saw the diff on git logs which seems to have some other function "winbindd_set_locator_kdc_envs()" getting called in the cn_prepare_connection() [winbindd_cm.c]. This function is not present in 3.0.31 that I downloaded from the link "http://us3.samba.org/samba/ftp/", but present in 3.2.2.

I was wondering if this function will cause some problem? I tried the patch without this function and winbindd is not able to resolve local users itself.
Comment 12 Tukaram 2008-09-02 04:47:58 UTC
I took the patches on git hash suggested by Karolin Seeger, but unfortunately it is not fixing the problem reported by me. I tried the latest 3.2 but that is also not solving the problem.

I took the patch given for bug 5454/5451 and the one suggested in bug 5425. But unfortunately, these patches didn't help me on the issue reported. After using these patches, I was not able to list the trusted domain. Apart from that I was not able to list local users itself.

The patch suggested by me is solving the problem. The command "wbinfo -n 'CHILD/Administrator'" on parent domain is resolving the user on child domain and vice versa. Also the command "wbinfo -u" is showing the users of child domain on parent domain and vice versa.

So my request to all is to guide me to some other patch, if this exact issue had been fixed in some other bug. Otherwise, please comment on my patch as this is solving the problem.

I am reopening the bug as the problem is not resolved yet.
Comment 13 Volker Lendecke 2008-09-04 04:37:32 UTC
From irc: It seems that AD does have the plaintext passwords for trust accounts, so you might not need this patch in the end.

11:31     abartlet@> vl, it sounds like we need some XAD detection code...
11:31     abartlet@> the funny thing is, in Samba4, we very much do have the
                     plaintext password (been working on that area today)
11:33           vl > abartlet: Wait a second -- AD has plaintext for trusts?
11:34     abartlet@> vl, even the NT4 set-secret stuff was plaintext, as far as 
                     I know
11:34     abartlet@> I'm talking about the client side in particular (which is 
                     what you are discussing)
11:35           vl > abartlet: So if XAD implements the AD data model fully, 
                     they don't need that patch in this style?
11:35     abartlet@> I don't see why we would need it
11:35           vl > abartlet: I'll paste your comment into the bug report, ok?
11:35     abartlet@> sure

Volker
Comment 14 Björn Jacke 2014-10-22 09:48:52 UTC
It was only visible from the chat in comment 13 that this is a Novell/XAD related issue with winbind. Don't miss such important details in the bug reports, please. Is there any news about this? Is this still an unsolved issue with current Samba and XAD?