| Summary: | Samba doesn't work with one-way trusts and accessing root forest trusts from a child domain | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Venkata Tadimarri <ktadimar> |
| Component: | samba | Assignee: | Andreas Schneider <asn> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | qe-baseos-daemons |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.3 | CC: | apeddire, asn, gdeschner, jrivera, ktadimar, login, rhack, rh-bugzilla, sali, swa |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-09 13:40:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Venkata Tadimarri
2016-11-17 05:53:29 UTC
> 2. wbinfo -u does not show any users from the trusted domains

From the 'wbinfo' manpage:

-u|--domain-users
This option will list all users available in the Windows NT domain in which the winbindd(8) daemon is operating. Users in all trusted domains can be listed with the --domain='*' option. Note that this operation does not assign user ids to any users that have not already been seen by winbindd(8).

wbinfo -u --domain='TRUSTEDDOMAIN'

However, you should not use that command, but instead do:

wbinfo -n TRUSTEDDOMAIN\\administrator

If this command fails, please provide the log file. See:

https://www.samba.org/~asn/reporting_samba_bugs.txt

TL;DR

stop winbind
remove logs
log level = 10
start winbind
date; wbinfo -n TRUSTEDDOMAIN\\administrator; date
post logs and date information

...

I just want to exclude that the idmap range conflict is an issue and I want to see what is failing exactly. So as soon as we have a minimal reproducer, then we need logs. This makes it easier to understand the issue.

A secret only exists between your own domain and the machine joined to that domain. There is no secret between trusted domains. Also a machine account normally has only very limited access to trusted domains.

However, I'm still waiting on the 'wbinfo -S' output from comment #13 ...

Please do not post results from different customers here. This makes it much harder to understand what is going on here.

Ok, so winbind can correctly map users from SID to a unix UID. Does

getent passwd ${domain}\\administrator

work? And is winbind configured in nsswitch.conf?
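Two of the things asked for in the comments above (ruling out an idmap range conflict, and confirming that winbind is actually listed in nsswitch.conf) can be checked offline against the configuration files before any log level 10 capture is attempted. The script below is an added example written for this page; it is not code from the bug report, from Red Hat or from the Samba project. The smb.conf and nsswitch.conf fragments are constructed sample data, and the domain names and ranges in them are assumptions chosen to show one overlapping pair.

```python
"""Offline sanity checks for a winbind member server: overlapping idmap
ranges in smb.conf and missing winbind sources in nsswitch.conf.
Added example; sample config fragments below are constructed, not real."""
import re
from itertools import combinations

# Constructed smb.conf fragment (assumed domain names and ranges).
# "idmap config * : range" is winbind's default backend for any domain
# that has no domain-specific idmap block of its own.
SAMPLE_SMB_CONF = """
[global]
    security = ads
    realm = CHILD.FOREST1.EXAMPLE
    workgroup = CHILD
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config CHILD : backend = rid
    idmap config CHILD : range = 20000-29999
    idmap config FOREST1 : backend = rid
    idmap config FOREST1 : range = 25000-34999
"""

# Constructed nsswitch.conf fragment: passwd lists winbind, group does not.
SAMPLE_NSSWITCH = """
passwd:     files sss winbind
shadow:     files sss
group:      files sss
"""

_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(smb_conf: str) -> dict:
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for m in _RANGE_RE.finditer(smb_conf):
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"inverted range for {m.group('dom')}: {lo}-{hi}")
        ranges[m.group("dom").upper()] = (lo, hi)
    return ranges


def find_range_overlaps(ranges: dict) -> list:
    """Return sorted (domA, domB) pairs whose UID/GID ranges intersect.

    Overlapping ranges let two different SIDs map onto the same Unix ID,
    which is a functional failure and an authorization problem at once."""
    overlaps = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:
            overlaps.append((a, b))
    return overlaps


def nsswitch_winbind_status(nsswitch: str) -> dict:
    """Return {'passwd': bool, 'group': bool}: is winbind a source for each?"""
    status = {"passwd": False, "group": False}
    for line in nsswitch.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        db = db.strip()
        if db in status:
            status[db] = "winbind" in sources.split()
    return status


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_SMB_CONF)
    print("idmap ranges:", ranges)
    print("overlapping ranges:", find_range_overlaps(ranges))
    print("winbind in nsswitch:", nsswitch_winbind_status(SAMPLE_NSSWITCH))
```

Run against the real files (for example `parse_idmap_ranges(open("/etc/samba/smb.conf").read())`) an empty overlap list and `True` for both nsswitch databases are the preconditions to establish before collecting the `wbinfo -n` logs; with the constructed sample the CHILD and FOREST1 ranges overlap and `group` lacks winbind, so `getent group` would not show domain groups even if `wbinfo` works.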
Günther and I reproduced the issue successfully today. It exists in Samba 4.2.10 and also in newer versions. The problem is that we do not have a domain child for the trusted domain of the forest. This issue has probably existed for a long time and it requires some work to get fixed.

The strange thing is that in my environment the issue only exists in Samba 4.4 and not in 4.2.10. In 4.2.10 all works fine. In 4.4 the trust is not working well and the child domains are not accessible.

```text
+------------------+                   +------------------+
|                  |                   |                  |
| FOREST1 DOM ROOT <-------------------+ FOREST2 DOM ROOT |
|                  |      two-way      |                  |
+---------+--------+       trust       +------------------+
^         ^
|         |
|         +-----------------+
|                           |
|               +-----------+-----------+
|               |                       |
|               |     CHILD.FOREST1     |
|               |                       |
|               +-----------+-----------+
|                           ^
|                           |
|  LOGIN                    |
|  FOREST1\Administrator    |
|               +-----------+-----------+
|               |                       |
+---------------+        WINBIND        |
                |                       |
                +-----------------------+
```
WINBIND is a Linux machine and is joined to CHILD.FOREST1. Now a user from FOREST1 wants to log in to WINBIND. This does not work and is known to be broken since 2011.

It can be fixed if the user does not want to log in (ssh) to the machine but only to access a Samba share.

P.S.: This bug will track ONLY this scenario. If you/the customer have a different domain setup, open a new bug!
I'm closing this bug, it has too many confusing comments. I opened a bug for the issue described in comment #33.

If you have a customer and their AD setup is different from comment 33, please open a new bug.

Draw a picture of how their domain setup looks and what the customer is trying to achieve.

You can use http://asciiflow.com/ for drawing.

Please provide additional information according to:

https://www.samba.org/~asn/reporting_samba_bugs.txt

(In reply to Andreas Schneider from comment #34)
> I'm closing this bug, it has too many confusing comments. I opened a bug
> for the issue described in comment #33.
>
> If you have a customer and their AD setup is different from comment 33,
> please open a new bug.
>
> Draw a picture of how their domain setup looks and what the customer is
> trying to achieve.
>
> You can use http://asciiflow.com/ for drawing.
>
> Please provide additional information according to:
>
> https://www.samba.org/~asn/reporting_samba_bugs.txt

Please could you provide a link to the BUG you opened?

I think the relevant bug is:

https://bugzilla.samba.org/show_bug.cgi?id=8630