Rik Theys
2017-May-04 13:30 UTC
[Samba] winbind errors for trusted domain (of a one-way trust)
Hi,

Our AD domain "A.COM" has a one-way trust with "B.COM", with B.COM being the trusted domain. We have a samba server that is joined to A.COM on which users of B.COM need access. We have samba and winbind configured and it seems to be working correctly, except for the following message that keeps on appearing in the log.wb-B logfile:

[2017/05/04 14:42:53.727050, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database]

I've increased the log level of winbindd to 8 and it shows the following output (censored to have the domain names replaced):

[2017/05/04 13:09:53.876940, 5] ../source3/lib/messages.c:449(messaging_register)
  Registering messaging pointer for type 1030 - private_data=(nil)
[2017/05/04 13:09:53.877003, 5] ../source3/lib/messages.c:464(messaging_register)
  Overriding messaging pointer for type 1030 - private_data=(nil)
[2017/05/04 13:09:53.877026, 5] ../source3/lib/messages.c:449(messaging_register)
  Registering messaging pointer for type 1031 - private_data=(nil)
[2017/05/04 13:09:53.877045, 5] ../source3/lib/messages.c:464(messaging_register)
  Overriding messaging pointer for type 1031 - private_data=(nil)
[2017/05/04 13:09:54.028815, 5] ../source3/winbindd/winbindd_cm.c:160(msg_try_to_go_online)
  msg_try_to_go_online: received for domain B.
[2017/05/04 13:09:54.028858, 3] ../source3/winbindd/winbindd_cm.c:2125(connection_ok)
  connection_ok: Connection to DC2.b.com for domain B is not connected
[2017/05/04 13:09:54.028912, 5] ../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "B" domain
[2017/05/04 13:09:54.029028, 5] ../source3/rpc_client/cli_pipe.c:826(rpc_api_pipe_send)
  rpc_api_pipe: host dc1.a.com
[2017/05/04 13:09:54.029070, 5] ../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message
[2017/05/04 13:09:54.029782, 5] ../source3/rpc_client/cli_pipe.c:98(rpc_read_send)
  rpc_read_send: data_to_read: 456
[2017/05/04 13:09:54.029841, 6] ../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer)
  ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
[2017/05/04 13:09:54.029981, 5] ../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for A.COM: "Default-First-Site-Name"
[2017/05/04 13:09:54.030009, 5] ../source3/libsmb/namecache.c:165(namecache_fetch)
  name DC2.b.com#20 found.
[2017/05/04 13:09:54.030047, 5] ../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.030064, 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
  ads_dc_name: domain=B
[2017/05/04 13:09:54.030086, 5] ../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.030101, 6] ../source3/libads/ldap.c:409(resolve_and_ping_dns)
  resolve_and_ping_dns: (cldap) looking for realm 'b.com'
[2017/05/04 13:09:54.030118, 8] ../source3/libsmb/namequery.c:3312(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name b.com (sitename Default-First-Site-Name)
[2017/05/04 13:09:54.030171, 5] ../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "b.com" domain
[2017/05/04 13:09:54.030198, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/04 13:09:54.030229, 5] ../source3/libsmb/namecache.c:165(namecache_fetch)
  name b.com#1C found.
[2017/05/04 13:09:54.030259, 8] ../source3/libsmb/namequery.c:3139(get_dc_list)
  Adding 4 DC's from auto lookup
[2017/05/04 13:09:54.030309, 4] ../source3/libsmb/namequery.c:3262(get_dc_list)
  get_dc_list: returning 4 ip addresses in an ordered list
[2017/05/04 13:09:54.030331, 4] ../source3/libsmb/namequery.c:3263(get_dc_list)
  get_dc_list: 10.112.8.12:389 10.112.8.11:389 10.112.8.14:389 10.112.8.13:389
[2017/05/04 13:09:54.030368, 5] ../source3/libads/ldap.c:254(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.112.8.12 (realm: b.com)
[2017/05/04 13:09:54.031655, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.112.8.12
[2017/05/04 13:09:54.031703, 5] ../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.031743, 4] ../source3/libsmb/namequery_dc.c:151(ads_dc_name)
  ads_dc_name: using server='DC2.B.COM' IP=10.112.8.12
[2017/05/04 13:09:54.031775, 5] ../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.031798, 8] ../source3/libsmb/namequery.c:3312(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name b.com (sitename Default-First-Site-Name)
[2017/05/04 13:09:54.031832, 5] ../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "b.com" domain
[2017/05/04 13:09:54.031855, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/04 13:09:54.031883, 5] ../source3/libsmb/namecache.c:165(namecache_fetch)
  name b.com#1C found.
[2017/05/04 13:09:54.031916, 8] ../source3/libsmb/namequery.c:3139(get_dc_list)
  Adding 4 DC's from auto lookup
[2017/05/04 13:09:54.031971, 4] ../source3/libsmb/namequery.c:3262(get_dc_list)
  get_dc_list: returning 4 ip addresses in an ordered list
[2017/05/04 13:09:54.031993, 4] ../source3/libsmb/namequery.c:3263(get_dc_list)
  get_dc_list: 10.112.8.12:389 10.112.8.11:389 10.112.8.14:389 10.112.8.13:389
[2017/05/04 13:09:54.032061, 8] ../source3/libsmb/namequery.c:3312(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name b.com (sitename NULL)
[2017/05/04 13:09:54.032095, 5] ../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "b.com" domain
[2017/05/04 13:09:54.032115, 3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/04 13:09:54.032162, 5] ../source3/libsmb/namecache.c:165(namecache_fetch)
  name b.com#1C found.
[2017/05/04 13:09:54.032194, 8] ../source3/libsmb/namequery.c:3139(get_dc_list)
  Adding 4 DC's from auto lookup
[2017/05/04 13:09:54.032243, 4] ../source3/libsmb/namequery.c:3262(get_dc_list)
  get_dc_list: returning 4 ip addresses in an ordered list
[2017/05/04 13:09:54.032263, 4] ../source3/libsmb/namequery.c:3263(get_dc_list)
  get_dc_list: 10.112.8.12:389 10.112.8.11:389 10.112.8.14:389 10.112.8.13:389
[2017/05/04 13:09:54.032334, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.112.8.12 at port 445
[2017/05/04 13:09:54.034028, 5] ../source3/libads/ldap.c:254(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.112.8.12 (realm: b.com)
[2017/05/04 13:09:54.035310, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.112.8.12
[2017/05/04 13:09:54.035349, 5] ../source3/libsmb/namecache.c:78(namecache_store)
  namecache_store: storing 1 address for DC2.b.com#20: 10.112.8.12
[2017/05/04 13:09:54.038590, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/05/04 13:09:54.038800, 5] ../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
  connecting to DC2.b.com from SERVER1 with kerberos principal [SERVER1$@A.COM] and realm [b.com]
[2017/05/04 13:09:54.038848, 3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/04 13:09:54.038906, 3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/04 13:09:54.038946, 3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/04 13:09:54.038966, 3] ../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
[2017/05/04 13:09:54.038989, 3] ../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
  cli_session_setup_spnego: guessed server principal=cifs/DC2.b.com@B.COM
[2017/05/04 13:09:54.056985, 5] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2017/05/04 13:09:54.057038, 5] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2017/05/04 13:09:54.059067, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database]
[2017/05/04 13:09:54.059175, 1] ../auth/gensec/spnego.c:622(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/05/04 13:09:54.059282, 3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: An internal error occurred.
[2017/05/04 13:09:54.059317, 4] ../source3/winbindd/winbindd_cm.c:1140(cm_prepare_connection)
  failed kerberos session setup with NT_STATUS_INTERNAL_ERROR
[2017/05/04 13:09:54.059336, 4] ../source3/winbindd/winbindd_cm.c:1191(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_INTERNAL_ERROR
[2017/05/04 13:09:54.059627, 5] ../source3/rpc_client/cli_pipe.c:826(rpc_api_pipe_send)
  rpc_api_pipe: host dc1.a.com
[2017/05/04 13:09:54.059686, 5] ../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message
...

From what I can tell the samba server is trying to use a kerberos ticket from A.COM to access the LDAP server of a B.COM domain controller?

[2017/05/04 13:09:54.038800, 5] ../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
  connecting to DC2.b.com from SERVER1 with kerberos principal [SERVER1$@A.COM] and realm [b.com]

Since there is no trust in that direction, the domain controller of B.COM probably rejects that ticket. Is there a way to fix this on the samba server side?

Is this related to bug 8630 in the tracker? This bug seems to be about transitive one-way trusts, so I'm not sure it's related. It also hasn't seen any activity since June 2013.

Regards,

Rik

-- 
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>
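As an added triage helper (not part of Rik's post and not Samba code), the check below parses winbindd debug output in the header-plus-indented-message layout shown above and flags a cm_prepare_connection attempt whose machine principal realm differs from the target realm when it is followed by a gss_init_sec_context failure, which is exactly the pairing visible in the log. The sample log is constructed from entries quoted in the post; the regexes and function names are my own and assume the standard Samba header format (tolerating the pid/class fields newer versions add).

```python
import re

# Samba debug header: "[YYYY/MM/DD hh:mm:ss.uuuuuu, LEVEL] path/file.c:LINE(function)";
# the message follows on indented continuation line(s). [^\]]* tolerates ", pid=..., class=...".
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+),\s*(?P<level>\d+)[^\]]*\]\s+"
                    r"(?P<src>\S+)\((?P<func>\w+)\)\s*$")
PRINCIPAL = re.compile(r"kerberos principal \[(?P<princ>[^\]]+)\] and realm \[(?P<realm>[^\]]+)\]")
GSS_FAIL = re.compile(r"gss_init_sec_context failed with \[(?P<msg>[^\]]+)\]")

# Constructed sample, modelled on the winbindd log quoted in the post (last entry is a
# same-realm control case that must not be flagged).
SAMPLE_LOG = """\
[2017/05/04 13:09:54.038800, 5] ../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
  connecting to DC2.b.com from SERVER1 with kerberos principal [SERVER1$@A.COM] and realm [b.com]
[2017/05/04 13:09:54.057038, 5] ../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2017/05/04 13:09:54.059067, 0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database]
[2017/05/04 13:09:55.100000, 5] ../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
  connecting to dc1.a.com from SERVER1 with kerberos principal [SERVER1$@A.COM] and realm [a.com]
"""


def parse_entries(text):
    """Group each header line with its continuation lines into one record."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def find_cross_realm_failures(text):
    """Flag connection attempts whose principal realm != target realm that end in a GSS failure."""
    findings, pending = [], None
    for e in parse_entries(text):
        m = PRINCIPAL.search(e["msg"])
        if m:
            princ_realm = m["princ"].rsplit("@", 1)[-1].upper()
            target = m["realm"].upper()
            pending = (e["ts"], m["princ"], target) if princ_realm != target else None
            continue
        g = GSS_FAIL.search(e["msg"])
        if g and pending:  # failure attributable to the pending cross-realm attempt
            findings.append({"ts": pending[0], "principal": pending[1],
                             "target_realm": pending[2], "error": g["msg"]})
            pending = None
    return findings
```

Run against a real log.wb-* file, one finding per attempt tells you how often winbindd retries the cross-realm connection, which is the signal to watch after any configuration change.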