Bug 1403975 - Trusted domains not working with Samba-Winbind 4.4
Summary: Trusted domains not working with Samba-Winbind 4.4
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: Robin Hack
URL:
Whiteboard:
Depends On:
Blocks: 1481113
Reported: 2016-12-12 19:10 UTC by Pirmin Janka
Modified: 2020-09-10 10:02 UTC
CC List: 10 users

Fixed In Version: samba-4.6.0-0.1.rc3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1481113
Environment:
Last Closed: 2017-08-01 18:19:59 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1950 0 normal SHIPPED_LIVE Low: samba security, bug fix, and enhancement update 2017-08-01 18:09:24 UTC

Description Pirmin Janka 2016-12-12 19:10:57 UTC
+---------------+                   +---------------+
|               |                   |               |
| Forest 1      | +-------------->  | Forest 2      |
| DOM ROOT      |                   | DOM ROOT      |
|               | <--------------+  |               |
+-------+-------+       2-way       +-------+-------+
        ^               Trust               ^
        |                                   | AD-JOIN
+-------+-------+                     +-----+-----+
|               |                     |           |
| CHILD.FOREST1 |                     | WINBIND   |
|               |                     |           |
+---------------+                     +-----------+

WINBIND is a Linux machine and is joined to Forest 2 DOM ROOT. Now a user from CHILD.FOREST1 wants to log in to WINBIND; this does not work with Winbind 4.4. In Samba-Winbind 4.2 this scenario works without problems.

Example Listing Winbind 4.4 with wbinfo -m

Samba 4.2 (lists all Domains):

BUILTIN
<COMPUTER>
<FOREST2>
<FOREST1>
<CHILD.FOREST1>
<..more CHILD.FOREST1>

Samba 4.4 (lists no Child-Domains):

<COMPUTER>
<FOREST2>
<FOREST1>

wbinfo -n <CHILD.FOREST1>+<User> lists the SID of the user, and winbind -S also works, so the mapping from SID to UID is OK.

Winbind 4.4 does not send "create netlogon", "netlogon binding" and DsrEnumerateDomainTrust, so "CHILD.FOREST1" is not available in "wbinfo -m", and wbinfo -t shows an unsuccessful trust secret between WINBIND and Forest1 DOM ROOT. In Winbind 4.2 all these tests are successful.

Comment 2 Andreas Schneider 2016-12-14 14:27:28 UTC
I've configured my setup the same way as you described in the initial comment. 

I've installed Samba 4.2.10 (as in RHEL 7.2) and

    wbinfo -m --verbose

doesn't show CHILD.FOREST1. That's also what I expected.

Please paste the output of: 'testparm -s'

Comment 3 Pirmin Janka 2016-12-15 07:58:17 UTC
In my environment Samba 4.2.10 lists CHILD.FOREST1 and some more child domains; only in 4.4 are all the child domains not listed. Here is the output of testparm -s:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).

'winbind separator = +' might cause problems with group membership.

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
        realm = FOREST2.DOMROOT
        server string = Samba Server Version %v
        workgroup = FOREST2
        log file = /var/log/samba/log.%m
        max log size = 50
        kerberos method = secrets and keytab
        password server = FOREST2.DOMROOT
        security = ADS
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind expand groups = 10
        winbind refresh tickets = Yes
        winbind separator = +
        winbind use default domain = Yes
        idmap config child.forest1 : range = 500000000 - 599999999
        idmap config child.forest1 : backend = rid
        idmap config forest2 : range = 200000000 - 299999999
        idmap config forest2 : backend = rid
        idmap config * : range = 100000000 - 199999999
        idmap config * : backend = rid
        cups options = raw


[homes]
        comment = Home Directories
        browseable = No
        read only = No


[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = No
        printable = Yes


As I said, in Samba 4.2.10 everything works fine with this config; in 4.4 all the child domains of forest1 are neither accessible nor visible.

Comment 4 Andreas Schneider 2016-12-16 10:05:22 UTC
a) Why do you use the 'password server' setting? Is your DNS setup broken?
b) The 'rid' backend is not meant to be used as the default idmap backend (idmap config *). In future Samba versions winbindd will not start if 'rid' is configured as the default backend. You should fix that!
c) The idmap config expects DOMAIN names (NetBIOS names) and not a realm!
   It should be: idmap config CHILD : range backend = rid
   (I've just implemented that in 'testparm' now)

The question is why you see those and I don't. Has this something to do with 'secrets and keytab', or does your DC have two forest trusts with the child directly? To fix this issue I need to be able to reproduce it, so I need more details.

Do you have special tickets for CHILD.FOREST1 in the keytab?
Can you provide clean logs which just include winbind startup and 'wbinfo -m'?
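The three points raised in this comment (no 'password server', a non-rid default backend, NetBIOS names in the idmap entries), applied to the [global] section from the testparm output in comment 3. This is an added example, not configuration from the report; it assumes the NetBIOS name of child.forest1 is CHILD, which the report does not state, and keeps the ID ranges from comment 3.

```ini
# Added example: corrected [global] idmap settings for the setup in comment 3.
# Assumption: the NetBIOS (short) name of child.forest1 is CHILD; the report
# never states it, so check it with 'wbinfo -m' on the member server.
[global]
        workgroup = FOREST2
        realm = FOREST2.DOMROOT
        security = ADS
        kerberos method = secrets and keytab
        # 'password server' is left out: with security = ADS, Samba discovers
        # the DC automatically, as the testparm warning in comment 3 says.

        # The default ('*') backend must not be 'rid'. 'tdb' hands out IDs
        # for every domain that has no entry of its own, including BUILTIN.
        idmap config * : backend = tdb
        idmap config * : range = 100000000 - 199999999

        # Per-domain entries use the NetBIOS domain name, not the realm.
        # Ranges must not overlap: overlapping ranges map different SIDs
        # onto the same UID/GID, which is an access-control problem.
        idmap config FOREST2 : backend = rid
        idmap config FOREST2 : range = 200000000 - 299999999

        idmap config CHILD : backend = rid
        idmap config CHILD : range = 500000000 - 599999999

        winbind use default domain = Yes
        winbind separator = +
        winbind refresh tickets = Yes
        template homedir = /home/%U
        template shell = /bin/bash
```

After restarting winbind, 'testparm -s' should no longer print the 'password server' warning, and 'wbinfo --online-status' should list the trusted domains whose trust winbind can reach.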

Comment 7 Abhinay Reddy Peddireddy 2016-12-28 19:23:27 UTC
Uploaded the requested logs privately to the bugzilla as per the customer's request.

Comment 10 Andreas Schneider 2017-01-13 14:54:56 UTC
I tried to reproduce this with 4.2, but for me there is no child domain for (CHILD.FOREST1). I also do not see, codewise, how there could be one.

However some patches in 4.6 have landed which improve this. I haven't had the time to test this yet. I will do that on Monday.

Comment 11 Pirmin Janka 2017-01-14 19:47:06 UTC
As I said, with winbind 4.2 (as in Red Hat 7.2) I see CHILD.FOREST1 and other child domains of the trusted forest domain (forest 1), but I had to open several firewall ports (e.g. 389, 445, ...) between all forests and child domains.

With winbind 4.4 (as in Red Hat 7.3) none of the child domains of the trusted forest 1 are visible, because the trust between the joined domain (forest 2) and the trusted forest domain (forest 1) does not work correctly. I think this non-working trust may be the reason I'm not able to see any child domains of forest 1 (see the initial picture). So maybe it helps if we try to find out why the trust does not work in 4.4, while in 4.2 the trust works and all child domains are visible.

Comment 12 Andreas Schneider 2017-01-16 10:10:10 UTC
Looking at the code, this never worked. However we fixed this and the fix will be in Samba 4.6 and this in RHEL 7.4!


This is from Samba 4.6rc1:


samba-cli01:~ # wbinfo --online-status
BUILTIN : online
SAMBA-CLI01 : online
MARS : online
EARTH : online
samba-cli01:~ # getent passwd BERLIN+administrator
BERLIN+administrator:*:500000500:500000513::/home/BERLIN/administrator:/bin/bash

BERLIN is a child domain of EARTH
EARTH and MARS have a two-way trust

Comment 13 Pirmin Janka 2017-01-16 16:38:33 UTC
OK, but it's strange why it works in my Samba 4.2.10 environment as you described in comment 12, and not in 4.4.

Comment 14 Pirmin Janka 2017-01-16 16:43:25 UTC
And here is the online status of samba 4.2.10:

wbinfo --online-status
BUILTIN : online
<CLIENT> : online
<JOINED DOMAIN> : online
<TRUSTED DOMAIN> : online
<CHILD1 OF TRUSTED DOMAIN> : online
<CHILD2 OF TRUSTED DOMAIN> : online
<CHILDx OF TRUSTED DOMAIN> : online

Comment 15 James Weldrake 2017-01-27 11:11:34 UTC
Are there any known issues regarding this scenario?

Domain structure: domain1.domain2.domain3, where WINBIND is joined to domain1. domain1 has a one-way trust with domain2/3 so that users from domain3 can log in to domain1 resources, but not the other way round. This works fine from Windows machines but not from Linux as of samba-winbind version 4.4.4.

Any help would be appreciated, or a link to any relevant resources?


+---------------+                   +---------------+
|               |                   |               |
| Child Forest  |                   | Child Domain  |
|               |                   |               |
|               | <--------------+  |               |
+---+---+-------+       1-way       +-------+-------+
    |   ^               Trust               ^
    v   |   2 way trust                     | AD-JOIN
+-------+-------+                     +-----+-----+
|               |                     |           |
|  FOREST1                            | WINBIND   |
|               |                     |           |
+---------------+                     +-----------+

Comment 16 Andreas Schneider 2017-02-15 14:17:20 UTC
James, what you describe in comment #15 might be working with Samba 4.6.0 which will be shipped with RHEL 7.4. I haven't tested this scenario.

Comment 21 Andreas Schneider 2017-03-10 10:25:07 UTC
From the Samba 4.6.0 release notes:

winbind changes
---------------

winbind contains code that tries to emulate the group membership calculation
that domain controllers do when a user logs in. This group membership calculation
is a very complex process, in particular for domain trust relationship
situations. Also, in many scenarios it is impossible for winbind to
correctly do this calculation due to access restrictions in the
domains: winbind using its machine account simply does not have the
rights to ask for an arbitrary user's group memberships.

When a user logs in to a Samba server, the domain controller correctly
calculates the user's group memberships authoritatively and makes the
information available to the Samba server. This is the only reliable
way Samba can get informed about the groups a user is member of.

Because of its flakiness, the fallback group membership code is unwanted,
and our code paths try hard to only use the group memberships
calculated by the domain controller.

However, a lot of admins rely on the fallback behavior in order to support
access for nfs access, ssh public key authentication and passwordless sudo.

That's the reason for changing this back between 4.6.0rc4 and 4.6.0
(See BUG 12612).

The winbind change to simplify the calculation of supplementary groups to make
it more reliable and predictable has been deferred to 4.7 or later.

This means that 'id <username>' without the user having logged in
previously works similar to 4.5.

Comment 24 Andrej Dzilský 2017-05-04 11:59:50 UTC
Bug is covered by one of our tests. 
Everything mentioned here seems to be working now.

Comment 25 errata-xmlrpc 2017-08-01 18:19:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1950

