Bug 459842

Summary: Regression bug enumerating users in Windows 2003 parent and trusted domains when in a child domain
Product: Red Hat Enterprise Linux 5 Reporter: MHouse <antithesis13>
Component: samba3xAssignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA QA Contact: qe-baseos-daemons
Severity: high Docs Contact:
Priority: medium    
Version: 5.2CC: antithesis13, azelinka, dpal, gdeschner, jbastian, sputhenp, ssorce, tao
Target Milestone: rcKeywords: Rebase
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: samba3x-3.5.4-0.56.el5 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Users of trusted child domains were not authenticated correctly. As a result, some users of such domains did not appear as members of the parent domain even if the child domain allowed full inheriting from the parent domain. With this update, all users of a trusted child domain are authenticated successfully.
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 22:44:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description MHouse 2008-08-22 20:42:42 UTC
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

3.0.28-x introduced a regression bug where users in trusted domains could not be enumerated by Samba when a client was joined to a child domain.  This included user and group enumeration from both parent and peer domains.  Authentication of users in those domains no longer works because of this and I had to downgrade to the 3.0.25-x packages.  I'm uncertain whether I could still join the child domain after the update, as the clients were already domain members.

Reproducible: Always

Steps to Reproduce:
1. Create a Server 2003 R2 domain and a child domain (subdomain)
2. Join the child domain using the 'net join' syntax
3. Attempt to enumerate users and groups in both the child and parent domain with 'wbinfo' and receive incomplete results
Actual Results:  
Results of user and groups enumeration are incomplete.  Authentication using parent domain accounts is not possible.

Expected Results:  
Complete user and group info from parent domain, child domain and peer domains should be listed.  Authentication via trusted domain credentials should succeed and does with the 3.0.25-x packages

No problems experienced when attaching clients directly to the parent domain and authenticating with those credentials.

Comment 7 Simo Sorce 2010-06-07 17:19:28 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Trusted domain interoperability has been finalized in the 3.5.x series and is not available in earlier code bases.
Between 3.3.x and 3.5.x there are no incompatible changes of note.

Comment 13 Suzanne Logcher 2010-12-09 19:10:18 UTC
*** Bug 599051 has been marked as a duplicate of this bug. ***

Comment 14 Eva Kopalova 2010-12-15 07:53:12 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,2 +1 @@
-Trusted domain interoperability has been finalized in the 3.5.x series and is not available in earlier code bases.
+Users of trusted child domains were not authenticated correctly. As a result, some users of such domains were not members of the parent domain even if the child domain allowed full inheriting from the parent domain. With this update, all users of a trusted child domain are authenticated successfully.-Between 3.3.x and 3.5.x there are no incompatible changes of note.

Comment 15 Eva Kopalova 2010-12-15 08:06:45 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Users of trusted child domains were not authenticated correctly. As a result, some users of such domains were not members of the parent domain even if the child domain allowed full inheriting from the parent domain. With this update, all users of a trusted child domain are authenticated successfully.+Users of trusted child domains were not authenticated correctly. As a result, some users of such domains did not appear as members of the parent domain even if the child domain allowed full inheriting from the parent domain. With this update, all users of a trusted child domain are authenticated successfully.

Comment 17 errata-xmlrpc 2011-01-13 22:44:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0054.html

Comment 18 Jeff Layton 2011-02-10 12:37:03 UTC
*** Bug 621686 has been marked as a duplicate of this bug. ***

Comment 19 Jeff Layton 2011-02-10 18:21:14 UTC
*** Bug 621686 has been marked as a duplicate of this bug. ***