Jason Haar
2008-Mar-25 01:57 UTC
[Samba] winbind between trusted domains really acting up under 3.0.28a
I'm starting to see some really weird things happen on a range of Samba-3.0.28a servers installed as "security=ADS" members of a variety of domains. This was working last time I checked (weeks ago), but something's happened. Windows Updates tend to spring to mind more than Samba upgrades as a cause...

On all of them, "wbinfo -t" is happy, "net ads testjoin" is happy, "wbinfo -m" returns expected trusted domains. Looking up members of their own domains appears 100% reliable. "allow trusted domains = Yes" is set.

What I am seeing is that the Samba host cannot resolve AD accounts from other trusted domains correctly anymore. "wbinfo -i dom\\username" returns "Could not get info" instead of an answer, and there appears to be a big disconnect with mappings between SIDs and UIDs. e.g.

wbinfo -S S-1-5-21-725345543-602609370-839522115-10663

...returns a UID, and

wbinfo -s S-1-5-21-725345543-602609370-839522115-10663

...returns "DOM\\username", but

wbinfo -i "DOM\\username"

returns "Could not get info". So it looks like winbind has SID->UID->name - but can't do the opposite?

Also, looking at /var/log/samba/log.wb-DOM shows

get_trust_pw_clear: could not fetch clear text trust account password for domain DOM
[2008/03/25 01:47:19, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-725345543-602609370-839522115-10663

So it looks like Samba as an ADS member in one domain is attempting to make a clear text connection to domain controllers in another domain and failing. Well that makes me think of two questions:

1. why does samba (as a member server) even have to know about other domains? I would have thought it would just throw the problem at its local DCs to deal with?

2. why is it using clear text? I assume that's the problem. It is compiled against Kerberos, and whatever else normally happens, so I don't understand why it's using clear text.
"testparm" shows nothing that stands out as being behind this, and the logs show no other errors/failures besides this. Any ideas?

These are CentOS4 systems with samba-3.0.28a.

Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
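The log excerpt above is the kind of thing an administrator ends up grepping through across several log.wb-* files when cross-domain lookups start failing. The following Python script is an added example, not code from the post or from the Samba project: it parses winbind log entries in the Samba 3 layout shown in the post (a "[timestamp, level] file:function(line)" header followed by an indented message line, with some messages logged without a header) and correlates each "get_trust_pw_clear" failure with the SID lookup that fails right after it, so that failures can be summarised per trusted domain instead of read one line at a time. The sample log is constructed for the example; the second domain name OTHERDOM and all SIDs other than the one quoted in the post are made-up values, and the attribution of a failed SID to the most recent trust-password failure is a heuristic assumption about log ordering, not something the Samba code guarantees.

```python
import re
from collections import defaultdict

# Samba 3 debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)"
)
# The two messages quoted in the post.
TRUST_PW_RE = re.compile(
    r"get_trust_pw_clear: could not fetch clear text trust account "
    r"password for domain (\S+)"
)
USERINFO_RE = re.compile(
    r"error getting user info for sid (S-1-5-21-\d+-\d+-\d+)-(\d+)"
)

# Constructed sample log (assumption: same layout as the post's excerpt).
# The DOM lines and the -10663 SID come from the post; OTHERDOM and the
# other SIDs are made up for the example.
SAMPLE_LOG = """\
get_trust_pw_clear: could not fetch clear text trust account password for domain DOM
[2008/03/25 01:47:19, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-725345543-602609370-839522115-10663
get_trust_pw_clear: could not fetch clear text trust account password for domain DOM
[2008/03/25 01:47:21, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-725345543-602609370-839522115-1104
get_trust_pw_clear: could not fetch clear text trust account password for domain OTHERDOM
[2008/03/25 01:47:30, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-1111111111-2222222222-3333333333-500
"""


def parse_winbind_log(text):
    """Split a winbind debug log into entries.

    A header line starts a new entry; the next non-header line is its
    message. A non-header line with no open entry (like the
    get_trust_pw_clear line in the post) becomes a headerless entry.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "timestamp": m.group(1),
                "level": int(m.group(2)),
                "origin": m.group(3),
                "message": "",
            }
            entries.append(current)
            continue
        if current is not None and not current["message"]:
            current["message"] = line
        else:
            entries.append(
                {"timestamp": None, "level": None, "origin": None, "message": line}
            )
            current = None
    return entries


def summarize_trust_failures(entries):
    """Group trust-password failures and the SID lookups that followed them.

    Returns {domain: {"trust_pw_failures": n, "failed_sids": [(domain_sid, rid), ...]}}.
    Assumption: a failed SID lookup belongs to the most recent trust-password
    failure; if none preceded it, the SID's own domain part is used as the key.
    """
    summary = defaultdict(lambda: {"trust_pw_failures": 0, "failed_sids": []})
    pending_domain = None
    for entry in entries:
        m = TRUST_PW_RE.search(entry["message"])
        if m:
            pending_domain = m.group(1)
            summary[pending_domain]["trust_pw_failures"] += 1
            continue
        m = USERINFO_RE.search(entry["message"])
        if m:
            domain_sid, rid = m.group(1), int(m.group(2))
            key = pending_domain or domain_sid
            summary[key]["failed_sids"].append((domain_sid, rid))
            pending_domain = None  # do not attribute later SIDs to this failure
    return dict(summary)


if __name__ == "__main__":
    report = summarize_trust_failures(parse_winbind_log(SAMPLE_LOG))
    for domain, info in sorted(report.items()):
        print(f"{domain}: {info['trust_pw_failures']} trust password failure(s), "
              f"{len(info['failed_sids'])} failed SID lookup(s)")
        for domain_sid, rid in info["failed_sids"]:
            print(f"  {domain_sid}-{rid}")
```

Run it against a real file with `parse_winbind_log(open('/var/log/samba/log.wb-DOM').read())`; a domain that shows trust-password failures paired with failed lookups for SIDs from that same domain matches the pattern described in the post (SID-to-name works from cache, but the name-to-info lookup that needs a connection to the trusted domain's DC fails).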