Oliver Freyd
2016-May-11 15:44 UTC
[Samba] winbind trusted domain regression after upgrade to samba 4.2.10
Hello,

I've upgraded a classic NT4 style BDC to samba 4.2.10 (and after that to 4.2.12, but no improvement...). It was running on 4.1.17 and wbinfo -u showed a list of our users, and users of the trusted domain. Running on 4.2.12 it lists only our users.

On a working server:

  wbinfo --domain=EXAMPLE -t
  checking the trust secret for domain EXAMPLE via RPC calls succeeded

On 4.2.12:

  wbinfo --domain=EXAMPLE -t
  checking the trust secret for domain EXAMPLE via RPC calls failed
  error code was NT_STATUS_RPC_PROTOCOL_ERROR (0xc002001d)
  failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
  Could not check secret

The domain controller of the trusted domain is running samba 3.5.6.

This is a part of the log in loglevel 5:

[2016/05/11 14:28:38.625054, 5] ../source3/rpc_client/cli_netlogon.c:190(rpccli_setup_netlogon_creds)
  rpccli_setup_netlogon_creds: using new netlogon_creds cli[IONTOF$/DBTEST] to FILESERVER
[2016/05/11 14:28:38.629196, 5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.629266, 5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.629501, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2016/05/11 14:28:38.629534, 5] ../source3/rpc_client/cli_pipe.c:1872(rpc_pipe_bind_send)
  Bind RPC Pipe: host FILESERVER auth_type 68, auth_level 5
[2016/05/11 14:28:38.629558, 5] ../source3/rpc_client/cli_pipe.c:1139(create_generic_auth_rpc_bind_req)
  create_generic_auth_rpc_bind_req: generate first token
[2016/05/11 14:28:38.629685, 5] ../source3/rpc_client/cli_pipe.c:826(rpc_api_pipe_send)
  rpc_api_pipe: host FILESERVER
[2016/05/11 14:28:38.632057, 5] ../source3/rpc_client/cli_pipe.c:98(rpc_read_send)
  rpc_read_send: data_to_read: 76
[2016/05/11 14:28:38.632134, 5] ../source3/rpc_client/cli_pipe.c:1745(check_bind_response)
  check_bind_response: accepted!
[2016/05/11 14:28:38.632161, 0] ../source3/rpc_client/cli_pipe.c:1965(rpc_pipe_bind_step_one_done)
  Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
[2016/05/11 14:28:38.632249, 0] ../source3/rpc_client/cli_pipe.c:3209(cli_rpc_pipe_open_schannel_with_key)
  cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error NT_STATUS_RPC_PROTOCOL_ERROR
[2016/05/11 14:28:38.632291, 5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.632344, 5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.634387, 3] ../source3/winbindd/winbindd_cm.c:3015(cm_connect_netlogon)
  Could not open schannel'ed NETLOGON pipe. Error was NT_STATUS_RPC_PROTOCOL_ERROR
[2016/05/11 14:28:38.636584, 3] ../source3/winbindd/winbindd_dual_srv.c:605(_wbint_CheckMachineAccount)
  could not open handle to NETLOGON pipe
[2016/05/11 14:28:38.636625, 2] ../source3/winbindd/winbindd_dual_srv.c:618(_wbint_CheckMachineAccount)
  Checking the trust account password for domain EXAMPLE returned NT_STATUS_RPC_PROTOCOL_ERROR
[2016/05/11 14:28:38.636691, 4] ../source3/winbindd/winbindd_dual.c:1395(child_handler)
  Finished processing child request 59

Actually, to get this far I had to enable several options in the smb.conf (found in the release notes of samba 4.2):

  client ipc signing = auto

This fixed net rpc trustdom list, which would no longer connect to our PDC (still samba 3.6.25) to list the trusted domains.

Also, in the winbind logfile I found:

  Unwilling to make SAMR connection to domain EXAMPLEwithout connection level security, must set 'winbind sealed pipes = false' and 'require strong key = false' to proceed: NT_STATUS_DOWNGRADE_DETECTED

So I added these options...but still no luck, the users of the trusted domain are gone...

BTW, samba-4.2.9 is ok, wbinfo --domain=EXAMPLE -u lists the users, wbinfo -t works for both domains.

Well, that's it for now, Oliver