C. de Man
2018-Feb-17 14:31 UTC
[Samba] Winbind authentication from different domain not working
config smb.conf

[global]
    realm = DOMAINB
    workgroup = DOMAINB
    security = ADS
    template homedir = /home/%U
    template shell = /bin/bash
    winbind expand groups = 1
    winbind separator = +
    winbind use default domain = Yes
    idmap config domainb : range = 3000001 - 4000000
    idmap config domainb : backend = rid
    idmap config domainc : range = 2000001 - 3000000
    idmap config domainc : backend = rid
    idmap config domaina : range = 1000001 - 2000000
    idmap config domaina : backend = rid
    idmap config * : range = 1000000-199999999
    idmap config * : backend = tdb

wbinfo --online-status
    BUILTIN : online
    SERVER01 : online
    DOMAINB : online
    DOMAINA : offline

As you can see DOMAINA is offline; if we open up the firewall it is online and we are able to logon with a user from DOMAINA on SERVER01.

>> We are running winbind (4.6.2) on a member server (CentOS 7) connected to
>> an Active Directory domain.
>>
>> 1 forest with 2 domains with a 2-way trust between them.
>>
>> We want users from "DOMAIN A" to be able to logon (via SSH) on a server
>> "SERVER01" in "DOMAIN B". This works well if "SERVER01" in "DOMAIN B"
>> can talk directly to "DOMAIN A", but when there is a firewall between
>> "SERVER01" and "DOMAIN A" it doesn't work anymore.
>>
>> winbind tries to look up the domain controller of "DOMAIN A" for user
>> validation directly. It is not using the trust to validate "DOMAIN A"
>> users via "DOMAIN B" domain controllers.
>>
>> The trust between the domains is working. We've put a Windows 2008
>> machine in the same subnet and were able to logon with a user from
>> "DOMAIN A" on the Windows server from "DOMAIN B".
>>
>> Is there a way to inform winbind to use "DOMAIN B" to validate users
>> from "DOMAIN A"?
Rowland Penny
2018-Feb-17 14:49 UTC
[Samba] Winbind authentication from different domain not working
On Sat, 17 Feb 2018 15:31:19 +0100
"C. de Man via samba" <samba at lists.samba.org> wrote:

> config smb.conf
> [global]
> realm = DOMAINB
> workgroup = DOMAINB
> security = ADS
> template homedir = /home/%U
> template shell = /bin/bash
> winbind expand groups = 1
> winbind separator = +
> winbind use default domain = Yes
> idmap config domainb : range = 3000001 - 4000000
> idmap config domainb : backend = rid
> idmap config domainc : range = 2000001 - 3000000
> idmap config domainc : backend = rid
> idmap config domaina : range = 1000001 - 2000000
> idmap config domaina : backend = rid
> idmap config * : range = 1000000-199999999
> idmap config * : backend = tdb

First thing, you cannot use 'winbind use default domain = Yes' if you are using trusted domains.

We now come to the domain ranges, they must not overlap. Your '*' range is set to '1000000-199999999'; the domaina, domainb and domainc ranges are all inside this range.

From what you have posted, your realm & workgroup are identical, 'DOMAINB'. I would have expected the realm to have been something like 'DOMAINB.TLD'.

Rowland
C. de Man
2018-Feb-17 15:23 UTC
[Samba] Winbind authentication from different domain not working
I've removed the following line from smb.conf:

> winbind use default domain = Yes

Although we are using it on a different server (which has direct access to all DCs from both domains), and we are able to logon with credentials from a different domain by using "ssh -l DOMAINA+username SERVER02".

> We now come to the domain ranges, they must not overlap. Your '*' range
> is set to '1000000-199999999', the domaina, domainb and domainc ranges
> are all inside this range.

I need to look into this as this has been used all over the network. Not sure what the impact would be on our Samba servers which are sharing files via SMB. Maybe we didn't have issues so far as we are only doing SMB sharing in 1 domain (DOMAINA).

> From what you have posted, your realm & workgroup are identical
> 'DOMAINB', I would have expected the realm to have been something like
> 'DOMAINB.TLD'

You are correct; when changing the original names I left out the TLD part, which is .INTRA -> DOMAINB.INTRA

Output of the /var/log/secure log file during a failed login attempt:

Feb 17 09:53:22 SERVER01 sshd[8671]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers
Feb 17 09:53:22 SERVER01 sshd[8671]: pam_winbind(sshd:auth): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'DOMAINA+username')
Permission denied, please try again.
DOMAINA+username at SERVER01.DOMAINB.intra's password:
Feb 17 09:53:24 SERVER01 sshd[8671]: Failed password for DOMAINA+username from IP_ADDRESS port 39242 ssh2
Rowland Penny
2018-Feb-17 15:31 UTC
[Samba] Winbind authentication from different domain not working
On Sat, 17 Feb 2018 16:17:43 +0100
"C. de Man" <c.deman82 at gmail.com> wrote:

> I've removed the following line from smb.conf:
>
> > winbind use default domain = Yes
>
> Although we are using it on a different server (which has direct access
> to all DCs from both domains), and we are able to logon with
> credentials from a different domain by using "ssh -l
> DOMAINA+username SERVER02".
>
> > We now come to the domain ranges, they must not overlap. Your '*'
> > range is set to '1000000-199999999', the domaina, domainb and
> > domainc ranges are all inside this range.
>
> I need to look into this as this has been used all over the network.
> Not sure what the impact would be on our Samba servers which are
> sharing files via SMB. Maybe we didn't have issues so far as we are
> only doing SMB sharing in 1 domain (DOMAINA).

The ranges must not overlap. I think in this case, the least damage (for want of a better word) will be done by changing the '*' domain range to either below '1000001' or above '4000000'.

Rowland
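As an added example (not from this thread or from the Samba project), here is a small linter that applies the two checks Rowland raises above to an smb.conf: it parses every "idmap config X : range = A - B" line, reports any pair of domains whose ranges intersect, and flags "winbind use default domain = Yes" when more than one domain range is configured. The posted [global] section is embedded as constructed sample input; the "fixed" variant moves the '*' range below 1000001 as agreed later in the thread, and its exact bounds (100000 - 999999) are an assumption chosen for illustration.

```python
import re
from itertools import combinations

# Constructed sample: the [global] section as posted earlier in this thread,
# with the '*' range that swallows all three per-domain ranges.
SMB_CONF_BAD = """\
[global]
    realm = DOMAINB.INTRA
    workgroup = DOMAINB
    security = ADS
    winbind use default domain = Yes
    idmap config domainb : range = 3000001 - 4000000
    idmap config domainb : backend = rid
    idmap config domainc : range = 2000001 - 3000000
    idmap config domainc : backend = rid
    idmap config domaina : range = 1000001 - 2000000
    idmap config domaina : backend = rid
    idmap config * : range = 1000000-199999999
    idmap config * : backend = tdb
"""

# The same section with the two fixes discussed in the thread applied:
# 'winbind use default domain' removed and the '*' range moved below
# 1000001. The bounds 100000-999999 are an assumption for illustration.
SMB_CONF_FIXED = (
    SMB_CONF_BAD
    .replace("    winbind use default domain = Yes\n", "")
    .replace("idmap config * : range = 1000000-199999999",
             "idmap config * : range = 100000 - 999999")
)

# 'idmap config <domain> : range = <low> - <high>'; spaces around '-' optional.
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)
USE_DEFAULT_RE = re.compile(
    r"^\s*winbind\s+use\s+default\s+domain\s*=\s*(yes|true|1)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> dict:
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m["lo"]), int(m["hi"])
        if lo > hi:
            raise ValueError(f"idmap range for {m['dom']} is inverted: {lo}-{hi}")
        ranges[m["dom"].lower()] = (lo, hi)
    return ranges


def find_overlaps(ranges: dict) -> list:
    """Return sorted (dom1, dom2) pairs whose ranges share at least one ID."""
    pairs = []
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(sorted(ranges.items()), 2):
        # Two closed intervals intersect iff each starts before the other ends.
        if lo1 <= hi2 and lo2 <= hi1:
            pairs.append((d1, d2))
    return pairs


def lint_smb_conf(conf: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    ranges = parse_idmap_ranges(conf)
    for d1, d2 in find_overlaps(ranges):
        findings.append(
            f"idmap ranges for '{d1}' {ranges[d1]} and '{d2}' {ranges[d2]} overlap"
        )
    # More than one real domain configured means trusts are in play.
    trusted = sorted(d for d in ranges if d != "*")
    if len(trusted) > 1 and any(USE_DEFAULT_RE.match(l) for l in conf.splitlines()):
        findings.append(
            "'winbind use default domain = Yes' is set but several domains are "
            f"configured ({', '.join(trusted)}); drop it when trusts are in use"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SMB_CONF_BAD), ("fixed", SMB_CONF_FIXED)):
        print(f"== {name} ==")
        for finding in lint_smb_conf(conf) or ["OK: nothing flagged"]:
            print(" ", finding)
```

Run against the posted section it reports the '*' range overlapping each of domaina, domainb and domainc plus the default-domain setting; against the fixed section it reports nothing. Pointing it at a real file is a matter of `lint_smb_conf(open("/etc/samba/smb.conf").read())`.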
C. de Man
2018-Feb-17 15:51 UTC
[Samba] Winbind authentication from different domain not working
> The ranges must not overlap, I think in this case, the least damage
> (for want of a better word) will be done by changing the '*' domain
> range to either below '1000001' or above '4000000'
>
> Rowland

I think we will change the range to below 1000001 to avoid overlapping the domains.

Thanks Rowland