Hi list,
This is my domain enviroment and all DC are windows 2008r2
http://i.imgur.com/8cNOtm2.jpeg
When I used samba-4.0.5, I join my box to domain "HC1" , I got
trusted
domain "CHILD2" in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2
Then I upgraded my box to samba-4.4.4, I lost CHILD2 in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
In log.wb-HC2 , I found following message:
[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)
I compared wireshark pcapng between samba-4.0.5 and samba-4.4.4:
samba-4.0.5:
http://i.imgur.com/ytr7oMt.jpeg
samba-4.4.4:
http://i.imgur.com/f5bYOeo.jpeg
samba-4.4.4 did not send "create netlogon" , "netlogon
binding" and
DsrEnumerateDomainTrust so I can not get "CHILD2" in "wbinfo
-m".
I tried to use patch in
https://bugzilla.samba.org/show_bug.cgi?id=11830
After using this patch, samba-4.4.4 can send "create netlogon" and
"netlogon binding" but failed in NetrServerAuthenticate3.
http://i.imgur.com/vI6eB5R.jpeg
And I got these message in log.wb-HC2:
2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
ads: trusted_domains
[/usr/local/samba/var] # cat /etc/config/smb.conf
[global]
client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false
passdb backend = smbpasswd
workgroup = HC1
security = ADS
server string encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 102400
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers=yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash
Folder/Temporary Items/TheVolumeSettingsFolder/. at __thumb/. at
__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
max protocol = SMB2_02
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
vfs objects = shadow_copy2 aio_pthread
aio read size = 1
aio write size = 0
pid directory = /var/lock
printcap name=/etc/printcap
printing=cups
show add printer wizard=no
realm = hc1.com
ldap timeout = 5
password server = HOST223.hc1.com
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config HC1 : backend = rid
idmap config HC1 : range = 10000001-20000000
idmap config CHILD1 : backend = rid
idmap config CHILD1 : range = 30000001-40000000
idmap config TREEROOT : backend = rid
idmap config TREEROOT : range = 40000001-50000000
idmap config HC2 : backend = rid
idmap config HC2 : range = 50000001-60000000
idmap config CHILD2 : backend = rid
idmap config CHILD2 : range = 60000001-70000000
I also tried to use samba-4.2.x and added "require strong key = no"
"winbind sealed pipes = false" in smb.conf.
These options worked, "wbinfo -m" could get child2 domain.
Next, I tried to use samba-4.3.x and samba-4.4.x ,
but "require strong key = no" and "winbind sealed pipes =
false" did not
help to list child domain under hc2.com.
I traced code and found some netlogon functions only use schannel in
samba-4.3.x and samba-4.4.x.
I modified code (source3/winbindd_cm.c), let cm_connect_netlogon_transport
can use no_schannel just like samba-4.2.x.
Now "wbinfo -m" can list child2 domain under hc2.com in samba-4.4.x
but I
am not sure if no_schannel path conforms with current SMB, samba or active
domain spec.
Finally, I tried to use windows 2008r2 as my client and joined to domain.
It was a pure windows enviroment.
Run "netdom query /d:hc.com TRUST" in cmd line, I also could not get
child2
domain under hc2.com.
http://i.imgur.com/CtKE9Qb.jpeg
When I created a shared folder, I still could not choose child2 domain
under hc2.com...
http://i.imgur.com/K5pJaHE.jpeg
But I could input child2 domain account directly and it worked, it is so
weird... why???
http://i.imgur.com/CBx906S.jpeg
My questions now are:
1. why dose not current samba use no_schannl path ?
2. No matrer "netdom query /d:hc.com TRUST" in windows client or
"wbinfo
-m" in samba-4.4.x , why can't I get child2 domain in trust domain list
?
