Bug 1540457

Summary: User login issue from one-way trusted domains has not been fixed
Product: Red Hat Enterprise Linux 7 Reporter: vincent.wang
Component: sambaAssignee: Andreas Schneider <asn>
Status: CLOSED ERRATA QA Contact: Andrej Dzilský <adzilsky>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5CC: adzilsky, amitkuma, arajendr, asn, gdeschner, jarrpa, rhack, vincentwang1208
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: samba-4.8.2-2.el7 Doc Type: Enhancement
Doc Text:
For a long time winbind was not able to authenticate users from trusted domain which only had a one way trust. Samba has been developed for NT4-style domain controllers first. The way it worked was fine for NT4 but AD works completely different so we needed to remove the assumptions winbind had about AD. This took a long time because a lot of code needed to be refactored. Finally authentication from users of one way trusts is working the the following ID mapping modules: idmap_rid and idmap_autorid. Trusts can be evaluated using the following command: 'wbinfo --trusted-domains --verbose' Winbind changes --------------- The dependency to global list of trusted domains within the winbindd processes has been reduced a lot. The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is not needed any more for winbindd to operate correctly. E.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list. If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 07:59:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851    

Description vincent.wang 2018-01-31 05:51:13 UTC 
Description of problem:
Linux servers joined to a local Active Directory (AD) forest/domain using samba-winbind. But logins to the Linux servers failed for users who coming in from a trusted(transitive) AD forest. Also, the trusted domain user information cannot be queried on the Linux servers.

This had been fixed and working well in Samba 4.6.0 RC3 (see bug id=1403975), but now breaks again.

Version-Release number of selected component (if applicable):

Package: samba-winbind-4.7.1-5.el7.x86_64
(Packages are from RHEL 7.5 Beta release)

How reproducible:
Yes and reproducible

Steps to Reproduce:
1. Upgrade samba-winbind to 4.7.1-5
2. Clear cache and restart winbind: systemctl stop winbind; net cache flush; rm -f /var/lib/samba/*.tdb; systemctl start winbind
3. do a `id <username>` which returns "no such user", whilst when I used samba-4.6.0-RC3, it returned user and group info.

Actual results:
Trusted domain/forest user information cannot be retrieved on the Linux servers running samba-winbind 4.7.1-5. Trusted domain users logins failed.

Expected results:
`id` command can returns user info from trusted domain.
Users coming in from trusted forest/domain can successfully login .

Additional info:
This had been fixed in the past: https://bugzilla.redhat.com/show_bug.cgi?id=1403975
Current OS: Red Hat Enterprise Linux Server release 7.4 (Maipo)


Thanks 
Vincent W.
Comment 2 Andreas Schneider 2018-02-06 15:18:36 UTC 
Can you please draw a map of you forest and trusts? Also is that transitive trust one way or two way trust?

Can you also provide logs of the fail?

https://www.samba.org/~asn/reporting_samba_bugs.txt
Comment 3 vincentwang1208 2018-02-08 05:32:57 UTC 
Domain trust and relationships:

       /\                                                      /\
      /  \                                                    /  \
     /    \                                                  /    \
    /      \                                                /      \
   /        \     One way cross forest transitive trust    /        \
  /          \ <----------------------------------------- /          \
 /CUSTOMER.COM\                                          /MYDOMAIN.COM\
/______________\                                        /______________\
   \         \                                                  |
    \         \                                                 |
     \         \                                                |
      \         \                                   +-----------------------+
      /\        /\                                  | Linux Servers joined  |
     /  \      /  \                                 | to the above domain   |
    /SYD \    /ACT \                                +-----------------------+
   /______\  /______\


1. Users from MYDOMAIN.COM login onto the Linux server always successful
2. Users from CUSTOMER.COM and its sub-domains (SYD,ACT) cannot login onto the Linux servers which are joined to MYDOMAIN.COM

I'll extract the Winbind log and attache it.
Comment 4 Andreas Schneider 2018-02-08 10:48:21 UTC 
I'm sorry but one way trusts are not working with Samba yet.

There are some improvements in Samba 4.7 (install RHEL 7.5 Beta for testing) more in Samba 4.8, but it is still not fully fixed. I think we will get there with Samba 4.9.

The upstream bug is: https://bugzilla.samba.org/show_bug.cgi?id=8630

Work in Progress:
https://git.samba.org/?p=slow/samba.git;a=shortlog;h=refs/heads/trusts-ok
Comment 5 vincent.wang 2018-02-12 00:53:39 UTC 
Hi

Has tested this on RHEL7.5 Beta, still fails. 

But thanks for your updates, I totally understand the challenging interacting with MS' AD. I'll keep watching the progress of the improvements.
Comment 6 amitkuma 2018-03-21 05:53:39 UTC 
One of customer have this Query:
Is the patch going to be available for RHEL6 when the bug is resolved?
Customer is using 6.9
Comment 7 Andreas Schneider 2018-03-21 16:34:00 UTC 
No change, there are major changes to winbind to get this working correctly.
Comment 8 Andreas Schneider 2018-06-13 12:07:45 UTC 
*** Bug 1481113 has been marked as a duplicate of this bug. ***
Comment 17 errata-xmlrpc 2018-10-30 07:59:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3056