Bug 1403975
Summary: | Trusted domains not working with Samba-Winbind 4.4 | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Pirmin Janka <rh-bugzilla>
Component: | samba | Assignee: | Andreas Schneider <asn>
Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack>
Severity: | high | Docs Contact: |
Priority: | unspecified | |
Version: | 7.3 | CC: | adzilsky, amitkuma, apeddire, arajendr, asn, gdeschner, jarrpa, login, rhack, rh-bugzilla
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | samba-4.6.0-0.1.rc3.el7 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 1481113 | Environment: |
Last Closed: | 2017-08-01 18:19:59 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1481113 | |
Description
Pirmin Janka
2016-12-12 19:10:57 UTC
I've configured my setup the same way as you described in the initial comment. I've installed Samba 4.2.10 (as in RHEL 7.2) and wbinfo -m --verbose doesn't show CHILD.FOREST1. That's also what I expected. Please paste the output of: 'testparm -s'

In my environment Samba 4.2.10 lists CHILD.FOREST1 and some more children; only in 4.4 are the child domains not listed. Here is the output of testparm -s:

```
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	realm = FOREST2.DOMROOT
	server string = Samba Server Version %v
	workgroup = FOREST2
	log file = /var/log/samba/log.%m
	max log size = 50
	kerberos method = secrets and keytab
	password server = FOREST2.DOMROOT
	security = ADS
	template homedir = /home/%U
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind expand groups = 10
	winbind refresh tickets = Yes
	winbind separator = +
	winbind use default domain = Yes
	idmap config child.forest1 : range = 500000000 - 599999999
	idmap config child.forest1 : backend = rid
	idmap config forest2 : range = 200000000 - 299999999
	idmap config forest2 : backend = rid
	idmap config * : range = 100000000 - 199999999
	idmap config * : backend = rid
	cups options = raw

[homes]
	comment = Home Directories
	browseable = No
	read only = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = No
	printable = Yes
```

As I said, in Samba 4.2.10 all works fine with this config; in 4.4 all the child domains of forest1 are not accessible or visible.

a) Why do you use the 'password server' setting? Is your DNS setup broken?

b) The 'rid' backend is not meant to be used as the default idmap backend (idmap config *). In future Samba versions winbindd will not start if 'rid' is configured as the default backend. You should fix that!

c) The idmap config expects DOMAIN names (netbios names) and not a realm! It should be:

```
idmap config CHILD : range backend = rid
```

(I've just implemented that in 'testparm' now.)

The question is why do you see those and I don't. Has this something to do with 'secrets and keytab', or does your DC have two forest trusts with the child directly? To fix this issue I need to be able to reproduce it. So I need more details. Do you have special tickets for CHILD.FOREST1 in the keytab? Can you provide clean logs which just include winbind startup and 'wbinfo -m'?

Uploaded the requested logs privately to the bugzilla as per the customer's request.

I tried to reproduce this with 4.2 but for me I do not have any domain child for (CHILD.FOREST1). I also do not see codewise how there could be one. However some patches in 4.6 have landed which improve this. I haven't had the time to test this yet. I will do that on Monday.

As I said, with winbind 4.2 (as in Red Hat 7.2) I see CHILD.FOREST1 and other child domains of the trusted forest domain (forest 1), but I had to open several firewall ports (e.g. 389, 445, ...) between all forests and child domains. With winbind 4.4 (as in Red Hat 7.3) all child domains of the trusted forest 1 are not visible because the trust between the joined domain (forest 2) and the trusted forest domain (forest 1) does not work correctly. I think this non-working trust may be the reason that I'm not able to see any child domains of forest 1 (see initial picture). So maybe it helps when we try to find out why the trust in 4.4 does not work while in 4.2 the trust works and all child domains are visible.

Looking at the code, this never worked. However we fixed this and the fix will be in Samba 4.6 and this in RHEL 7.4!

This is from Samba 4.6rc1:

```
samba-cli01:~ # wbinfo --online-status
BUILTIN : online
SAMBA-CLI01 : online
MARS : online
EARTH : online
samba-cli01:~ # getent passwd BERLIN+administrator
BERLIN+administrator:*:500000500:500000513::/home/BERLIN/administrator:/bin/bash
```

BERLIN is a child domain of EARTH. EARTH and MARS have a two-way trust.

OK, but it's strange why it works in my samba 4.2.10 environment as you described in comment 12 and in 4.4 not. And here is the online status of samba 4.2.10:

```
wbinfo --online-status
BUILTIN : online
<CLIENT> : online
<JOINED DOMAIN> : online
<TRUSTED DOMAIN> : online
<CHILD1 OF TRUSTED DOMAIN> : online
<CHILD2 OF TRUSTED DOMAIN> : online
<CHILDx OF TRUSTED DOMAIN> : online
```

Are there any known issues regarding this scenario?? Domain structure: domain1.domain2.domain3, where WINBIND is joined to domain1. domain1 has a 1-way trust with domain2/3 so that users from domain3 can log into domain1 resources, but not the other way round. This works fine from Windows machines but not from Linux as of samba-winbind version 4.4.4. Any help would be appreciated, or a link to any relevant resources??

```
+---------------+                  +---------------+
|               |                  |               |
| Child Forest  |                  | Child Domain  |
|               |                  |               |
|               | <--------------+ |               |
+---+---+-------+      1-way       +-------+-------+
    |   ^              Trust               ^
    v   |           2 way trust            | AD-JOIN
+---+---+-------+                    +-----+-----+
|               |                    |           |
|    FOREST1    |                    |  WINBIND  |
|               |                    |           |
+---------------+                    +-----------+
```

James, what you describe in comment #15 might be working with Samba 4.6.0 which will be shipped with RHEL 7.4. I haven't tested this scenario. From the Samba 4.6.0 release notes:

> winbind changes
> ---------------
>
> winbind contains code that tries to emulate the group membership calculation that domain controllers do when a user logs in. This group membership calculation is a very complex process, in particular for domain trust relationship situations.
>
> Also, in many scenarios it is impossible for winbind to correctly do this calculation due to access restrictions in the domains: winbind using its machine account simply does not have the rights to ask for an arbitrary user's group memberships.
>
> When a user logs in to a Samba server, the domain controller correctly calculates the user's group memberships authoritatively and makes the information available to the Samba server. This is the only reliable way Samba can get informed about the groups a user is member of.
>
> Because of its flakiness, the fallback group membership code is unwished, and our code paths try hard to only use the group memberships calculated by the domain controller. However, a lot of admins rely on the fallback behavior in order to support access for nfs access, ssh public key authentication and passwordless sudo.
>
> That's the reason for changing this back between 4.6.0rc4 and 4.6.0 (See BUG 12612).
>
> The winbind change to simplify the calculation of supplementary groups to make it more reliable and predictable has been deferred to 4.7 or later. This means that 'id <username>' without the user having logged in previously works similar to 4.5.

Bug is covered by one of our tests. Everything mentioned here seems to be working now.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1950
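The three smb.conf problems raised in the thread (a realm instead of a NetBIOS name in `idmap config`, `rid` as the default `*` backend, and `security = ads` combined with `password server`) can be caught before winbindd is restarted. The checker below is an added example, not code from the bug report or from Samba; the sample config is constructed from the testparm output above, and `parse_global`/`check_idmap_config` are names chosen here.

```python
import re

# Constructed sample, modelled on the testparm output in the thread.
SAMPLE_SMB_CONF = """
[global]
    realm = FOREST2.DOMROOT
    workgroup = FOREST2
    security = ADS
    password server = FOREST2.DOMROOT
    idmap config child.forest1 : range = 500000000 - 599999999
    idmap config child.forest1 : backend = rid
    idmap config forest2 : range = 200000000 - 299999999
    idmap config forest2 : backend = rid
    idmap config * : range = 100000000 - 199999999
    idmap config * : backend = rid
[homes]
    read only = No
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)


def parse_global(text):
    """Return (params, idmap) for the [global] section: params maps
    lower-cased option names to values, idmap maps the idmap domain
    as written to {option: value}."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "global" or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom, {})[opt.lower()] = val.strip()
        else:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params, idmap


def check_idmap_config(text):
    """Return one finding per problem the thread's reviewer pointed out."""
    params, idmap = parse_global(text)
    findings = []
    if params.get("security", "").lower() == "ads" and "password server" in params:
        findings.append("security = ads combined with password server; let Samba locate DCs via DNS")
    if idmap.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("rid used as default backend (idmap config *); use tdb or autorid")
    for dom in idmap:
        if dom != "*" and "." in dom:  # a dotted name is a realm, not a NetBIOS domain
            findings.append(f"idmap config {dom}: realm given, expected NetBIOS domain name")
    return findings
```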