Bug 1540457 - User login issue from one-way trusted domains has not been fixed
Summary: User login issue from one-way trusted domains has not been fixed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.5
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Andreas Schneider
QA Contact: Andrej Dzilský
URL:
Whiteboard:
Duplicates: 1481113
Depends On:
Blocks: 1420851
Reported: 2018-01-31 05:51 UTC by vincent.wang
Modified: 2022-03-13 14:40 UTC

Fixed In Version: samba-4.8.2-2.el7
Doc Type: Enhancement
Doc Text:
For a long time winbind was not able to authenticate users from a trusted domain that only had a one-way trust. Samba was first developed for NT4-style domain controllers. The way it worked was fine for NT4, but AD works completely differently, so we needed to remove the assumptions winbind had about AD. This took a long time because a lot of code needed to be refactored. Finally, authentication of users from one-way trusts is working with the following ID mapping modules: idmap_rid and idmap_autorid. Trusts can be evaluated using the following command: 'wbinfo --trusted-domains --verbose'

Winbind changes
---------------

The dependency on the global list of trusted domains within the winbindd processes has been reduced a lot. The construction of that global list is not reliable and is often incomplete in complex trust setups. In most situations the list is no longer needed for winbindd to operate correctly, e.g. for plain file serving via SMB using a simple idmap setup with autorid, tdb or ad. However, some more complex setups require the list, e.g. if you specify idmap backends for specific domains. Some pam_winbind setups may also require the global list. If you have a setup that doesn't require the global list, you should set "winbind scan trusted domains = no".
Clone Of:
Environment:
Last Closed: 2018-10-30 07:59:53 UTC
Target Upstream Version:
Embargoed:
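The Doc Text above names three things an administrator has to get right for one-way-trust logins: a default idmap backend of idmap_rid or idmap_autorid, "winbind scan trusted domains = no" when the global trusted-domain list is not needed, and keeping that scan enabled when per-domain idmap backends are configured. The script below is an added example (not Samba's or Red Hat's own code) that lints the [global] section of an smb.conf against exactly those rules. The option and backend names come from the Doc Text; the function names (`smbconf_normalize`, `smbconf_get`, `smbconf_domain_backends`, `winbind_trust_lint`) and the two sample configurations are constructed for this example.

```shell
#!/bin/sh
# Added example, not Samba's or Red Hat's code: check an smb.conf [global] section
# against the one-way-trust guidance from the Doc Text:
#   * "idmap config * : backend" should be rid or autorid
#   * "winbind scan trusted domains = no" when no per-domain idmap backends exist
#   * per-domain backends ("idmap config DOM : backend") need the global
#     trusted-domain list, so the scan must stay enabled in that case
# Function names and sample configs are assumptions made for this example.

# Normalise an smb.conf: drop comments and surrounding whitespace, lower-case,
# and squeeze blanks around '=' and ':' so that
# "  idmap config * : backend = autorid" becomes "idmap config *:backend=autorid".
smbconf_normalize() {
    sed -e 's/[;#].*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*:[[:space:]]*/:/' "$1" \
    | tr 'A-Z' 'a-z' | grep -v '^$' || true
}

# Print the last value set for a key (a sed-safe pattern); later lines win in smb.conf.
smbconf_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# Count per-domain idmap backends such as "idmap config customer:backend=rid".
smbconf_domain_backends() {
    printf '%s\n' "$1" | grep -c '^idmap config [^*:][^:]*:backend=' || true
}

# Lint one smb.conf; exit status 0 when it matches the guidance, 1 otherwise.
winbind_trust_lint() {
    norm=$(smbconf_normalize "$1")
    backend=$(smbconf_get 'idmap config \*:backend' "$norm")
    scan=$(smbconf_get 'winbind scan trusted domains' "$norm")
    domains=$(smbconf_domain_backends "$norm")
    rc=0
    case "$backend" in
        rid|autorid) ;;
        *) echo "FAIL: default idmap backend is '${backend:-unset}', expected rid or autorid"
           rc=1 ;;
    esac
    # Samba accepts no/false/0 as "off"; anything else (including unset) means the scan runs.
    case "$scan" in
        no|false|0) scan_off=1 ;;
        *)          scan_off=0 ;;
    esac
    if [ "$domains" -eq 0 ]; then
        # Simple setup: the global trusted-domain list is not needed, so disable the scan.
        if [ "$scan_off" -eq 0 ]; then
            echo "FAIL: set 'winbind scan trusted domains = no' (no per-domain idmap backends)"
            rc=1
        fi
    elif [ "$scan_off" -eq 1 ]; then
        # Per-domain backends depend on the global list that the scan builds.
        echo "FAIL: $domains per-domain idmap backend(s) need 'winbind scan trusted domains = yes'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $1"; fi
    return "$rc"
}

# Constructed sample: simple autorid setup with the scan disabled (passes).
SIMPLE_CONF=$(mktemp)
cat > "$SIMPLE_CONF" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ads
   idmap config * : backend = autorid
   idmap config * : range = 100000-1999999999
   winbind scan trusted domains = no   # global list not required here
EOF

# Constructed sample: per-domain rid backend but the scan turned off (fails).
PERDOMAIN_CONF=$(mktemp)
cat > "$PERDOMAIN_CONF" <<'EOF'
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CUSTOMER : backend = rid
   idmap config CUSTOMER : range = 10000-999999
   winbind scan trusted domains = no
EOF

winbind_trust_lint "$SIMPLE_CONF"
winbind_trust_lint "$PERDOMAIN_CONF"
rm -f "$SIMPLE_CONF" "$PERDOMAIN_CONF"
```

Run it against a real /etc/samba/smb.conf with `winbind_trust_lint /etc/samba/smb.conf`; the per-domain sample shows the trap the Doc Text warns about, where turning the scan off looks harmless but removes the list that the per-domain idmap backend relies on.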




Links
Red Hat Product Errata RHSA-2018:3056 (last updated 2018-10-30 08:01:00 UTC)
Samba Project bug 8630 (last updated 2019-02-19 20:00:09 UTC)

Description vincent.wang 2018-01-31 05:51:13 UTC
Description of problem:
Linux servers are joined to a local Active Directory (AD) forest/domain using samba-winbind, but logins to the Linux servers failed for users coming in from a trusted (transitive) AD forest. Also, the trusted domain user information cannot be queried on the Linux servers.

This had been fixed and working well in Samba 4.6.0 RC3 (see bug id=1403975), but now breaks again.

Version-Release number of selected component (if applicable):

Package: samba-winbind-4.7.1-5.el7.x86_64
(Packages are from RHEL 7.5 Beta release)

How reproducible:
Yes, reproducible.

Steps to Reproduce:
1. Upgrade samba-winbind to 4.7.1-5
2. Clear cache and restart winbind: systemctl stop winbind; net cache flush; rm -f /var/lib/samba/*.tdb; systemctl start winbind
3. Run `id <username>`; it returns "no such user", whereas when I used samba-4.6.0-RC3 it returned user and group info.

Actual results:
Trusted domain/forest user information cannot be retrieved on the Linux servers running samba-winbind 4.7.1-5. Trusted domain user logins failed.

Expected results:
The `id` command returns user info from the trusted domain.
Users coming in from the trusted forest/domain can successfully log in.

Additional info:
This had been fixed in the past: https://bugzilla.redhat.com/show_bug.cgi?id=1403975
Current OS: Red Hat Enterprise Linux Server release 7.4 (Maipo)


Thanks 
Vincent W.

Comment 2 Andreas Schneider 2018-02-06 15:18:36 UTC
Can you please draw a map of your forest and trusts? Also, is that transitive trust a one-way or two-way trust?

Can you also provide logs of the fail?

https://www.samba.org/~asn/reporting_samba_bugs.txt

Comment 3 vincentwang1208 2018-02-08 05:32:57 UTC
Domain trust and relationships:

       /\                                                      /\
      /  \                                                    /  \
     /    \                                                  /    \
    /      \                                                /      \
   /        \     One way cross forest transitive trust    /        \
  /          \ <----------------------------------------- /          \
 /CUSTOMER.COM\                                          /MYDOMAIN.COM\
/______________\                                        /______________\
   \         \                                                  |
    \         \                                                 |
     \         \                                                |
      \         \                                   +-----------------------+
      /\        /\                                  | Linux Servers joined  |
     /  \      /  \                                 | to the above domain   |
    /SYD \    /ACT \                                +-----------------------+
   /______\  /______\


1. Users from MYDOMAIN.COM logging in to the Linux server always succeed.
2. Users from CUSTOMER.COM and its sub-domains (SYD, ACT) cannot log in to the Linux servers, which are joined to MYDOMAIN.COM.

I'll extract the Winbind log and attach it.

Comment 4 Andreas Schneider 2018-02-08 10:48:21 UTC
I'm sorry but one way trusts are not working with Samba yet.

There are some improvements in Samba 4.7 (install RHEL 7.5 Beta for testing) and more in Samba 4.8, but it is still not fully fixed. I think we will get there with Samba 4.9.

The upstream bug is: https://bugzilla.samba.org/show_bug.cgi?id=8630

Work in Progress:
https://git.samba.org/?p=slow/samba.git;a=shortlog;h=refs/heads/trusts-ok

Comment 5 vincent.wang 2018-02-12 00:53:39 UTC
Hi

I have tested this on RHEL 7.5 Beta; it still fails.

But thanks for your updates. I totally understand the challenges of interacting with MS AD. I'll keep watching the progress of the improvements.

Comment 6 amitkuma 2018-03-21 05:53:39 UTC
One customer has this query:
Is the patch going to be available for RHEL 6 when the bug is resolved?
The customer is using 6.9.

Comment 7 Andreas Schneider 2018-03-21 16:34:00 UTC
No change; there are major changes to winbind needed to get this working correctly.

Comment 8 Andreas Schneider 2018-06-13 12:07:45 UTC
*** Bug 1481113 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2018-10-30 07:59:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3056

