Description of problem:
Unable to query/login users from the trusted domains after updating to Samba-Winbind 4.4

Version-Release number of selected component (if applicable):
samba-winbind-4.4.4-9.el7.x86_64
samba-4.4.4-9.el7.x86_64

How reproducible:

Steps to Reproduce:
1. Set up a machine with Samba-Winbind 4.4.9 joined to AD which has trusted domains.
2. wbinfo -u does not show any users from the trusted domains
3. wbinfo -t --domain=<Trusted domain> returns the error

checking the trust secret for domain Trusted via RPC calls failed
wbcCheckTrustCredentials(MICROSOFT): error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

Actual results:
1. ID output for the trusted user errors out.
# id username
id: username: no such user

Expected results:
ID should result in output.

Additional info:
Rolling back to Samba 4.2 resolves the issue.
> 2. wbinfo -u does not show any users from the trusted domains

From the 'wbinfo' manpage:

-u|--domain-users
    This option will list all users available in the Windows NT domain for which the winbindd(8) daemon is operating in. Users in all trusted domains can be listed with the --domain='*' option. Note that this operation does not assign user ids to any users that have not already been seen by winbindd(8).

wbinfo -u --domain='TRUSTEDDOMAIN'

However, you should not use that command, but instead do:

wbinfo -n TRUSTEDDOMAIN\\administrator

If this command fails, please provide the log file. See:

https://www.samba.org/~asn/reporting_samba_bugs.txt

TL;DR

stop winbind
remove logs
log level = 10
start winbind
date; wbinfo -n TRUSTEDDOMAIN\\administrator; date
post logs and date information
...
I just want to exclude that the idmap range conflict is an issue and I want to see what is failing exactly. So as soon as we have a minimal reproducer, then we need logs. This makes it easier to understand the issue.
A secret only exists between your own domain and the machine joined to that domain. There is no secret between trusted domains. Also a machine account normally has only very limited access to trusted domains. However I'm still waiting on the 'wbinfo -S' output from comment #13 ... Please do not post results from different customers here. This makes it much harder to understand what is going on here.
Ok, so winbind can correctly map users from SID to a unix UID. Does getent passwd ${domain}\\administrator work? And is winbind configured in nsswitch.conf?
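The two checks asked for in this thread, the reproducer with log level 10 and timestamps (comment 3) and the nsswitch.conf / getent question (comment 6), as one added shell script. This is example code written for this page, not something from the bug or from the Samba project. It assumes a systemd unit named "winbind", logs under /var/log/samba and that "log level = 10" has already been placed in the [global] section of smb.conf; the sample wbinfo output embedded below is constructed from the error text in the bug description.

```shell
#!/bin/sh
# Added example for this bug thread (not Samba project code).
# Assumptions: systemd unit "winbind", winbind logs in /var/log/samba,
# "log level = 10" already set in smb.conf [global]. Adjust to your system.

# Return 0 if the given nsswitch.conf enables winbind for both the
# passwd and the group database (comment lines are ignored).
nsswitch_has_winbind() {
    file="$1"
    for db in passwd group; do
        grep -E "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|\$)" "$file" >/dev/null \
            || return 1
    done
    return 0
}

# Print the first NT_STATUS_* code found in a piece of wbinfo output,
# or nothing if the output carries no status code.
wbinfo_nt_status() {
    printf '%s\n' "$1" | grep -oE 'NT_STATUS_[A-Z0-9_]+' | head -n 1
}

# Constructed sample: the "wbinfo -t" output quoted in the bug description.
SAMPLE_WBINFO_T='checking the trust secret for domain Trusted via RPC calls failed
wbcCheckTrustCredentials(MICROSOFT): error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret'

# The reproducer exactly as requested in comment 3: stop winbind, remove the
# old logs, confirm log level 10, start winbind, run one command between two
# "date" calls, and collect the logs plus the timestamps into one directory.
#   $1 = user to look up, e.g. 'TRUSTEDDOMAIN\administrator'
#   $2 = output directory for the logs
collect_winbind_logs() {
    domuser="$1"
    outdir="$2"
    mkdir -p "$outdir"

    # Refuse to run without the requested debug level instead of editing smb.conf.
    if ! testparm -s 2>/dev/null | grep -qE '^[[:space:]]*log level[[:space:]]*=[[:space:]]*10'; then
        echo "set 'log level = 10' in [global] of smb.conf first" >&2
        return 1
    fi

    systemctl stop winbind
    rm -f /var/log/samba/log.winbindd*          # assumption: default log location
    systemctl start winbind

    date > "$outdir/timestamps.txt"
    wbinfo -n "$domuser" > "$outdir/wbinfo-n.txt" 2>&1 || true
    date >> "$outdir/timestamps.txt"

    # The extra checks from comment 6, captured alongside the logs.
    getent passwd "$domuser" > "$outdir/getent.txt" 2>&1 || true
    if nsswitch_has_winbind /etc/nsswitch.conf; then
        echo "winbind enabled for passwd and group" > "$outdir/nsswitch.txt"
    else
        echo "winbind NOT enabled for passwd and/or group" > "$outdir/nsswitch.txt"
    fi

    cp /var/log/samba/log.winbindd* "$outdir"/ 2>/dev/null || true
    echo "collected into $outdir"
}

# Usage: ./winbind_trust_diag.sh collect 'TRUSTEDDOMAIN\administrator' /tmp/winbind-logs
if [ "${1:-}" = "collect" ]; then
    collect_winbind_logs "$2" "$3"
fi
```

The status-code extraction is what lets you read the quoted "wbinfo -t" output at a glance: NT_STATUS_NO_TRUST_SAM_ACCOUNT there means the machine account was not accepted by the trusted domain, which is consistent with the later remark that a machine secret only exists towards the domain the host is joined to.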
Günther and I reproduced the issue successfully today. It exists in Samba 4.2.10 and also in newer versions. The problem is that we do not have a domain child for the trusted domain of the forest. This issue has probably existed for a long time, and it requires some work to get it fixed.
The strange thing is that in my environment the issue only exists in samba 4.4 and not in 4.2.10. In 4.2.10 all works fine. In 4.4 the trust is not working well and the child domains are not accessible.
+------------------+                   +------------------+
|                  |                   |                  |
| FOREST1 DOM ROOT <-------------------+ FOREST2 DOM ROOT |
|                  |      two-way      |                  |
+------------------+       trust       +--------+---------+
        ^                                       |
        |                                       |
+-------+-------+                               |
|               |                               |
| CHILD.FOREST1 |                               |
|               |                               |
+-------+-------+                               |
        ^                                       |
        |                                       |
        |          LOGIN                   +----+----+
        |   FOREST1\Administrator          |         |
        +----------------------------------+ WINBIND |
                                           |         |
                                           +---------+

WINBIND is a Linux machine and is joined to CHILD.FOREST1. Now a user from FOREST1 wants to log in to WINBIND. This does not work and is known to be broken since 2011. It can be fixed if the user does not want login (ssh) to the machine but access to a Samba share.

P.S: This bug will track ONLY this scenario. If you/the customer have a different domain setup, open a new bug!
I'm closing this bug, it has too many confusing comments. I opened a bug for the issue described in comment #33.

If you have a customer and their AD setup is different from comment 33, please open a new bug.

Draw a picture of how their domain setup looks and what the customer is trying to achieve.

You can use http://asciiflow.com/ for drawing.

Please provide additional information according to:

https://www.samba.org/~asn/reporting_samba_bugs.txt
(In reply to Andreas Schneider from comment #34)
> I'm closing this bug, it has too many confusing comments. I opened a bug
> for the issue described in comment #33.
>
> If you have a customer and their AD setup is different from comment 33,
> please open a new bug.
>
> Draw a picture of how their domain setup looks and what the customer is
> trying to achieve.
>
> You can use http://asciiflow.com/ for drawing.
>
> Please provide additional information according to:
>
> https://www.samba.org/~asn/reporting_samba_bugs.txt

Please could you provide a link to the BUG you opened?
I think the relevant bug is: https://bugzilla.samba.org/show_bug.cgi?id=8630