Bug 429024

Summary: After establish trust with AD, wbinfo -u does not work
Product: Red Hat Enterprise Linux 5
Component: samba
Version: 5.1
Status: CLOSED ERRATA
Severity: low
Priority: medium
Reporter: Lin Li <linl>
Assignee: Simo Sorce <ssorce>
CC: gdeschner, jplans, mniranja, orion, sputhenp
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0372
Doc Type: Bug Fix
Last Closed: 2008-05-21 17:26:52 UTC
Bug Blocks: 431710
Attachments (description, flags):
- winbind log (flags: none)
- samba config file (flags: none)
- winbind log on level 10 (flags: none)
- wb-LINR51VD1 log on level 10 (flags: none)
- Do not use schannel against trusted domains (flags: none)
- Get the right password (flags: none)
- winbindd log after patch (flags: none)
- wb-LINR51VD1 log after patch (flags: none)
- New patch to fix the problem (flags: none)
- new log winbindd.log (flags: none)
- new log wb-LINR51VD1.log (flags: none)
- log after upgrade to 3.0.28 (flags: none)
- Patches to fix some issues still open with trusts (flags: none)
- fix idmap with legacy conf, and pam_winbindd on DC vs trusted domains (flags: none)

Description Lin Li 2008-01-16 21:02:31 UTC
Description of problem:
Set up a samba pdc on rhel5.1 with samba-3.0.25b-0.el5.4, establish a two way
trust with a windows 2003 Active Directory domain. Run "wbinfo -u" to get trust
domain users and it failed.

Here is the output
[root@linr5164vs1 ~]# wbinfo -m
WINQANET2
[root@linr5164vs1 ~]# wbinfo -u
Error looking up domain users

Comment 1 Lin Li 2008-01-16 21:02:31 UTC
Created attachment 291892 [details]
winbind log

Comment 2 Lin Li 2008-01-16 21:05:56 UTC
Created attachment 291893 [details]
samba config file

Comment 3 Simo Sorce 2008-01-16 21:38:48 UTC
Can you raise the debug level to 10 and provide the other winbindd log files too?
wb-<domain>.log etc.

Comment 4 Lin Li 2008-01-16 21:57:45 UTC
Created attachment 291897 [details]
winbind log on level 10

Comment 5 Lin Li 2008-01-16 21:58:58 UTC
Created attachment 291898 [details]
wb-LINR51VD1 log on level 10

Comment 6 Simo Sorce 2008-01-17 16:03:32 UTC
Created attachment 292014 [details]
Do not use schannel against trusted domains

Comment 7 Simo Sorce 2008-01-17 16:04:07 UTC
Created attachment 292015 [details]
Get the right password

Comment 8 Simo Sorce 2008-01-17 16:05:02 UTC
The 2 attached patches from post 3.0.28 upstream may solve this specific bug.

Comment 9 RHEL Program Management 2008-01-17 16:06:05 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 13 Lin Li 2008-01-18 20:34:30 UTC
Created attachment 292202 [details]
winbindd log after patch

After applying the two patches, it still does not work.

Comment 14 Lin Li 2008-01-18 20:35:12 UTC
Created attachment 292203 [details]
wb-LINR51VD1 log after patch

Comment 15 Simo Sorce 2008-01-18 21:14:22 UTC
Lin, I have reproduced it here, I have a samba version that works, trying to
find out the differences and produce a patch with the minimum changes necessary.

Comment 16 Simo Sorce 2008-01-30 21:42:05 UTC
Created attachment 293489 [details]
New patch to fix the problem

This patch is working for me against v3-0-test upstream.
It should fix the problem for 3.0.25 too.

Comment 17 Simo Sorce 2008-01-30 21:43:16 UTC
Lin, can you check if the patch I just attached fixes the problem for you?

Comment 18 Lin Li 2008-01-31 16:50:41 UTC
This new patch does not work on my test system. I'm going to set up a clean
system to test the patch and generate logs.

Comment 19 Lin Li 2008-01-31 19:18:39 UTC
Created attachment 293625 [details]
new log winbindd.log

Comment 20 Lin Li 2008-01-31 19:19:18 UTC
Created attachment 293626 [details]
new log wb-LINR51VD1.log

Comment 21 Simo Sorce 2008-01-31 19:38:16 UTC
Upstream v3-0-test + the above patch works, I have backported a few patches (+
the one I attached here) that make 3.0.28 work for me in this situation.

I am preparing packages for testing, will let you know when they are done.

Comment 22 Simo Sorce 2008-02-18 14:36:38 UTC
Lin
if you can tell me what arch you are on I can post on my people page some
packages for testing that should fix this issue.

Comment 23 Lin Li 2008-02-19 15:23:29 UTC
I'm running a vmware for amd 64bit system.

Comment 24 Lin Li 2008-02-19 18:58:12 UTC
Created attachment 295318 [details]
log after upgrade to 3.0.28

After upgrading to 3.0.28, it still failed. This time it is a different problem.
It seems to be trying to find the dc for domain winqanet2.com instead of winqanet2
and failed.

Comment 25 Simo Sorce 2008-02-19 19:22:59 UTC
A quick read of the logs suggests that it is your w2k3r2 server that believes the
DNS domain name is winqanet2.com.
Certainly samba has no logic to alter a domain name.

I think this latter error is some DNS/Windows misconfiguration, and is not
related to the original bug which was confirmed.

In our tests so far we reproduced the original issue and successfully solved it
with the packages we are beta testing.




Comment 26 Lin Li 2008-02-19 19:34:27 UTC
It is a DNS problem. After I configured to use the correct DNS server, it works.
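
Added example (not part of the bug report, and not Samba or Red Hat code): a shell check for the failure discussed in comments 24 to 26, confirming that the resolver configured on the Samba host returns domain-controller SRV records for the trusted domain's DNS name. It assumes `dig` is installed; the function names and the sample host name `dc1.winqanet2.com` are constructed for illustration.

```shell
#!/bin/sh
# Added example: can this host's resolver locate DCs for a trusted AD domain?

# SRV owner name that the AD DC locator queries for a DNS domain name.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Convert `dig +short SRV` answer lines ("priority weight port target.")
# read from stdin into "target:port" lines; any other line (resolver
# error text, CNAME lines) is ignored.
parse_srv() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Reads a resolver answer on stdin. Prints the DC list and returns 0 when
# at least one usable SRV record is present; otherwise prints a diagnostic
# on stderr and returns 1.
dcs_from_answer() {
    domain=$1
    dcs=$(parse_srv)
    if [ -z "$dcs" ]; then
        echo "no DC SRV records for $domain: check the DNS servers in /etc/resolv.conf" >&2
        return 1
    fi
    printf '%s\n' "$dcs"
}

# Live check against the resolver currently configured on this host.
check_trust_dns() {
    dig +short SRV "$(dc_srv_name "$1")" | dcs_from_answer "$1"
}

# Constructed sample answer (made-up host name), of the kind returned when
# the resolver is the DNS server that hosts the AD zone:
SAMPLE_ANSWER='0 100 389 dc1.winqanet2.com.'

# Usage on a live system:
#   check_trust_dns winqanet2.com && wbinfo -m && wbinfo -u
```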

Comment 28 Orion Poplawski 2008-02-28 18:08:08 UTC
Would it be possible to get copies of the updated packages?  Thanks!

Comment 29 Simo Sorce 2008-02-28 20:27:37 UTC
I've put some test packages on my people.redhat.com page, packages will be
available in the 5.2 beta channels when the beta starts.

Comment 30 Simo Sorce 2008-04-01 19:19:58 UTC
Turned out this bug was not fixed in all conditions and that dirty caches may
change the behavior when testing. We were still able to reproduce transitory
problems when restarting all services with clean caches.

Comment 31 Simo Sorce 2008-04-01 19:24:06 UTC
Created attachment 299950 [details]
Patches to fix some issues still open with trusts

These patches are necessary for trusts to properly work immediately on clean
restarts and empty caches.

Comment 34 Simo Sorce 2008-04-02 21:53:14 UTC
Created attachment 300141 [details]
fix idmap with legacy conf, and pam_winbindd on DC vs trusted domains

All the patches so far fixed winbindd auth using wbinfo -a but didn't address a
problem with pam_winbindd which used to try to fetch password policies from the
trusted domain before allowing the user to login.
Pw policies cannot be fetched from trusted domains, this patch fixes that.
Also fixed a regression in idmap code that failed to set up a default idmap
domain using the old compatibility smb.conf syntax.

Comment 37 errata-xmlrpc 2008-05-21 17:26:52 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0372.html