Bug 429024 - After establish trust with AD, wbinfo -u does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.1
Hardware: All
OS: Linux
medium
low
Target Milestone: rc
Assignee: Simo Sorce
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 431710
Reported: 2008-01-16 21:02 UTC by Lin Li
Modified: 2008-05-21 17:26 UTC

Fixed In Version: RHBA-2008-0372
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 17:26:52 UTC


Attachments
winbind log (1.58 KB, text/plain)
2008-01-16 21:02 UTC, Lin Li
samba config file (1.48 KB, application/octet-stream)
2008-01-16 21:05 UTC, Lin Li
winbind log on level 10 (179.61 KB, text/plain)
2008-01-16 21:57 UTC, Lin Li
wb-LINR51VD1 log on level 10 (166.40 KB, text/plain)
2008-01-16 21:58 UTC, Lin Li
Do not use schannel against trusted domains (1.48 KB, patch)
2008-01-17 16:03 UTC, Simo Sorce
Get the right password (1.29 KB, patch)
2008-01-17 16:04 UTC, Simo Sorce
winbindd log after patch (91.32 KB, text/plain)
2008-01-18 20:34 UTC, Lin Li
wb-LINR51VD1 log after patch (90.57 KB, text/plain)
2008-01-18 20:35 UTC, Lin Li
New patch to fix the problem (1.44 KB, patch)
2008-01-30 21:42 UTC, Simo Sorce
new log winbindd.log (98.82 KB, text/plain)
2008-01-31 19:18 UTC, Lin Li
new log wb-LINR51VD1.log (221.93 KB, text/plain)
2008-01-31 19:19 UTC, Lin Li
log after upgrade to 3.0.28 (163.97 KB, text/plain)
2008-02-19 18:58 UTC, Lin Li
Patches to fix some issues still open with trusts (4.31 KB, patch)
2008-04-01 19:24 UTC, Simo Sorce
fix idmap with legacy conf, and pam_winbindd on DC vs trusted domains (3.67 KB, patch)
2008-04-02 21:53 UTC, Simo Sorce


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0372 normal SHIPPED_LIVE samba bug fix and enhancement update 2008-05-20 13:35:36 UTC

Description Lin Li 2008-01-16 21:02:31 UTC
Description of problem:
Set up a Samba PDC on RHEL 5.1 with samba-3.0.25b-0.el5.4, establish a two-way
trust with a Windows 2003 Active Directory domain. Run "wbinfo -u" to get trust
domain users and it failed.

Here is the output:
[root@linr5164vs1 ~]# wbinfo -m
WINQANET2
[root@linr5164vs1 ~]# wbinfo -u
Error looking up domain users

Comment 1 Lin Li 2008-01-16 21:02:31 UTC
Created attachment 291892
winbind log

Comment 2 Lin Li 2008-01-16 21:05:56 UTC
Created attachment 291893
samba config file

Comment 3 Simo Sorce 2008-01-16 21:38:48 UTC
Can you raise the debug level to 10 and provide the other winbindd log files too?
wb-<domain>.log etc.

Comment 4 Lin Li 2008-01-16 21:57:45 UTC
Created attachment 291897
winbind log on level 10

Comment 5 Lin Li 2008-01-16 21:58:58 UTC
Created attachment 291898
wb-LINR51VD1 log on level 10

Comment 6 Simo Sorce 2008-01-17 16:03:32 UTC
Created attachment 292014
Do not use schannel against trusted domains

Comment 7 Simo Sorce 2008-01-17 16:04:07 UTC
Created attachment 292015
Get the right password

Comment 8 Simo Sorce 2008-01-17 16:05:02 UTC
The 2 attached patches from post 3.0.28 upstream may solve this specific bug.

Comment 9 RHEL Product and Program Management 2008-01-17 16:06:05 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 13 Lin Li 2008-01-18 20:34:30 UTC
Created attachment 292202
winbindd log after patch

After applying the two patches, it still does not work.

Comment 14 Lin Li 2008-01-18 20:35:12 UTC
Created attachment 292203
wb-LINR51VD1 log after patch

Comment 15 Simo Sorce 2008-01-18 21:14:22 UTC
Lin, I have reproduced it here. I have a Samba version that works; I am trying to
find out the differences and produce a patch with the minimum changes necessary.

Comment 16 Simo Sorce 2008-01-30 21:42:05 UTC
Created attachment 293489
New patch to fix the problem

This patch is working for me against v3-0-test upstream.
It should fix the problem for 3.0.25 too.

Comment 17 Simo Sorce 2008-01-30 21:43:16 UTC
Lin, can you check if the patch I just attached fixes the problem for you?

Comment 18 Lin Li 2008-01-31 16:50:41 UTC
This new patch does not work on my test system. I'm going to set up a clean
system to test the patch and generate logs.

Comment 19 Lin Li 2008-01-31 19:18:39 UTC
Created attachment 293625
new log winbindd.log

Comment 20 Lin Li 2008-01-31 19:19:18 UTC
Created attachment 293626
new log wb-LINR51VD1.log

Comment 21 Simo Sorce 2008-01-31 19:38:16 UTC
Upstream v3-0-test + the above patch works. I have backported a few patches (+
the one I attached here) that make 3.0.28 work for me in this situation.

I am preparing packages for testing, will let you know when they are done.

Comment 22 Simo Sorce 2008-02-18 14:36:38 UTC
Lin,
if you can tell me what arch you are on, I can post on my people page some
packages for testing that should fix this issue.

Comment 23 Lin Li 2008-02-19 15:23:29 UTC
I'm running a vmware for amd 64bit system.

Comment 24 Lin Li 2008-02-19 18:58:12 UTC
Created attachment 295318
log after upgrade to 3.0.28

After upgrading to 3.0.28, it still failed. This time it is a different problem.
It seems to be trying to find the DC for domain winqanet2.com instead of winqanet2
and failed.

Comment 25 Simo Sorce 2008-02-19 19:22:59 UTC
A quick read of the logs suggests that it is your w2k3r2 server that believes the
DNS domain name is winqanet2.com.
Certainly Samba has no logic to alter a domain name.

I think this latter error is some DNS/Windows misconfiguration, and is not
related to the original bug which was confirmed.

In our tests so far we reproduced the original issue and successfully solved it
with the packages we are beta testing.




Comment 26 Lin Li 2008-02-19 19:34:27 UTC
It is a DNS problem. After I configured to use the correct DNS server, it works.

Comment 28 Orion Poplawski 2008-02-28 18:08:08 UTC
Would it be possible to get copies of the updated packages?  Thanks!

Comment 29 Simo Sorce 2008-02-28 20:27:37 UTC
I've put some test packages on my people.redhat.com page; packages will be
available in the 5.2 beta channels when the beta starts.

Comment 30 Simo Sorce 2008-04-01 19:19:58 UTC
Turned out this bug was not fixed in all conditions and that dirty caches may
change the behavior when testing. We were still able to reproduce transitory
problems when restarting all services with clean caches.

Comment 31 Simo Sorce 2008-04-01 19:24:06 UTC
Created attachment 299950
Patches to fix some issues still open with trusts

These patches are necessary for trusts to properly work immediately on clean
restarts and empty caches.

Comment 34 Simo Sorce 2008-04-02 21:53:14 UTC
Created attachment 300141
fix idmap with legacy conf, and pam_winbindd on DC vs trusted domains

All the patches so far fixed winbindd auth using wbinfo -a but didn't address a
problem with pam_winbindd, which used to try to fetch password policies from the
trusted domain before allowing the user to log in.
Pw policies cannot be fetched from trusted domains; this patch fixes that.
Also fixed a regression in idmap code that failed to set up a default idmap
domain using the old compatibility smb.conf syntax.

Comment 37 errata-xmlrpc 2008-05-21 17:26:52 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0372.html


