Bug 429024 - After establish trust with AD, wbinfo -u does not work
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba
Version: 5.1
Hardware: All Linux
Priority: medium
Severity: low
Target Milestone: rc
Assigned To: Simo Sorce
Blocks: 431710
Reported: 2008-01-16 16:02 EST by Lin Li
Modified: 2008-05-21 13:26 EDT
Fixed In Version: RHBA-2008-0372
Doc Type: Bug Fix
Last Closed: 2008-05-21 13:26:52 EDT
Attachments
winbind log (1.58 KB, text/plain) - 2008-01-16 16:02 EST, Lin Li
samba config file (1.48 KB, application/octet-stream) - 2008-01-16 16:05 EST, Lin Li
winbind log on level 10 (179.61 KB, text/plain) - 2008-01-16 16:57 EST, Lin Li
wb-LINR51VD1 log on level 10 (166.40 KB, text/plain) - 2008-01-16 16:58 EST, Lin Li
Do not use schannel against trusted domains (1.48 KB, patch) - 2008-01-17 11:03 EST, Simo Sorce
Get the right password (1.29 KB, patch) - 2008-01-17 11:04 EST, Simo Sorce
winbindd log after patch (91.32 KB, text/plain) - 2008-01-18 15:34 EST, Lin Li
wb-LINR51VD1 log after patch (90.57 KB, text/plain) - 2008-01-18 15:35 EST, Lin Li
New patch to fix the problem (1.44 KB, patch) - 2008-01-30 16:42 EST, Simo Sorce
new log winbindd.log (98.82 KB, text/plain) - 2008-01-31 14:18 EST, Lin Li
new log wb-LINR51VD1.log (221.93 KB, text/plain) - 2008-01-31 14:19 EST, Lin Li
log after upgrade to 3.0.28 (163.97 KB, text/plain) - 2008-02-19 13:58 EST, Lin Li
Patches to fix some issues still open with trusts (4.31 KB, patch) - 2008-04-01 15:24 EDT, Simo Sorce
fix idmap with legacy conf, and pam_winbindd on DC vs trusted domains (3.67 KB, patch) - 2008-04-02 17:53 EDT, Simo Sorce

Description Lin Li 2008-01-16 16:02:31 EST
Description of problem:
Set up a samba pdc on rhel5.1 with samba-3.0.25b-0.el5.4, establish a two way
trust with a windows 2003 Active Directory domain. Run "wbinfo -u" to get trust
domain users and it failed.

Here is the output
[root@linr5164vs1 ~]# wbinfo -m
WINQANET2
[root@linr5164vs1 ~]# wbinfo -u
Error looking up domain users
Comment 1 Lin Li 2008-01-16 16:02:31 EST
Created attachment 291892
winbind log
Comment 2 Lin Li 2008-01-16 16:05:56 EST
Created attachment 291893
samba config file
Comment 3 Simo Sorce 2008-01-16 16:38:48 EST
Can you raise the debug level to 10 and provide the other winbindd log files too?
wb-<domain>.log etc.
Comment 4 Lin Li 2008-01-16 16:57:45 EST
Created attachment 291897
winbind log on level 10
Comment 5 Lin Li 2008-01-16 16:58:58 EST
Created attachment 291898
wb-LINR51VD1 log on level 10
Comment 6 Simo Sorce 2008-01-17 11:03:32 EST
Created attachment 292014
Do not use schannel against trusted domains
Comment 7 Simo Sorce 2008-01-17 11:04:07 EST
Created attachment 292015
Get the right password
Comment 8 Simo Sorce 2008-01-17 11:05:02 EST
The 2 attached patches from post 3.0.28 upstream may solve this specific bug.
Comment 9 RHEL Product and Program Management 2008-01-17 11:06:05 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 13 Lin Li 2008-01-18 15:34:30 EST
Created attachment 292202
winbindd log after patch

After applying the two patches, it still does not work.
Comment 14 Lin Li 2008-01-18 15:35:12 EST
Created attachment 292203
wb-LINR51VD1 log after patch
Comment 15 Simo Sorce 2008-01-18 16:14:22 EST
Lin, I have reproduced it here. I have a samba version that works, trying to
find out the differences and produce a patch with the minimum changes necessary.
Comment 16 Simo Sorce 2008-01-30 16:42:05 EST
Created attachment 293489
New patch to fix the problem

This patch is working for me against v3-0-test upstream.
It should fix the problem for 3.0.25 too.
Comment 17 Simo Sorce 2008-01-30 16:43:16 EST
Lin, can you check if the patch I just attached fixes the problem for you?
Comment 18 Lin Li 2008-01-31 11:50:41 EST
This new patch does not work on my test system. I'm going to set up a clean
system to test the patch and generate logs.
Comment 19 Lin Li 2008-01-31 14:18:39 EST
Created attachment 293625
new log winbindd.log
Comment 20 Lin Li 2008-01-31 14:19:18 EST
Created attachment 293626
new log wb-LINR51VD1.log
Comment 21 Simo Sorce 2008-01-31 14:38:16 EST
Upstream v3-0-test + the above patch works, I have backported a few patches (+
the one I attached here) that make 3.0.28 work for me in this situation.

I am preparing packages for testing, will let you know when they are done.
Comment 22 Simo Sorce 2008-02-18 09:36:38 EST
Lin,
if you can tell me what arch you are on I can post on my people page some
packages for testing that should fix this issue.
Comment 23 Lin Li 2008-02-19 10:23:29 EST
I'm running a vmware for amd 64bit system.
Comment 24 Lin Li 2008-02-19 13:58:12 EST
Created attachment 295318
log after upgrade to 3.0.28

After upgrading to 3.0.28, it still failed. This time it is a different problem.
It seems to be trying to find the dc for domain winqanet2.com instead of winqanet2
and failed.
Comment 25 Simo Sorce 2008-02-19 14:22:59 EST
A quick read of the logs suggests that it is your w2k3r2 server that believes the
DNS domain name is winqanet2.com.
Certainly samba has no logic to alter a domain name.

I think this latter error is some DNS/Windows misconfiguration, and is not
related to the original bug which was confirmed.

In our tests so far we reproduced the original issue and successfully solved it
with the packages we are beta testing.


Comment 26 Lin Li 2008-02-19 14:34:27 EST
It is a DNS problem. After I configured to use the correct DNS server, it works.
Comment 28 Orion Poplawski 2008-02-28 13:08:08 EST
Would it be possible to get copies of the updated packages?  Thanks!
Comment 29 Simo Sorce 2008-02-28 15:27:37 EST
I've put some test packages on my people.redhat.com page, packages will be
available in the 5.2 beta channels when the beta starts.
Comment 30 Simo Sorce 2008-04-01 15:19:58 EDT
Turned out this bug was not fixed in all conditions and that dirty caches may
change the behavior when testing. We were still able to reproduce transitory
problems when restarting all services with clean caches.
Comment 31 Simo Sorce 2008-04-01 15:24:06 EDT
Created attachment 299950
Patches to fix some issues still open with trusts

These patches are necessary for trusts to properly work immediately on clean
restarts and empty caches.
Comment 34 Simo Sorce 2008-04-02 17:53:14 EDT
Created attachment 300141
fix idmap with legacy conf, and pam_winbindd on DC vs trusted domains

All the patches so far fixed winbindd auth using wbinfo -a but didn't address a
problem with pam_winbindd which used to try to fetch password policies from the
trusted domain before allowing the user to login.
Pw policies cannot be fetched from trusted domains; this patch fixes that.
Also fixed a regression in idmap code that failed to set up a default idmap
domain using the old compatibility smb.conf syntax.
Comment 37 errata-xmlrpc 2008-05-21 13:26:52 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0372.html
