[Samba] Winbind issue connecting to trusted domain controllers

jrmailgate-samba at yahoo.co.uk jrmailgate-samba at yahoo.co.uk
Thu Jul 23 06:12:37 MDT 2009


Hi.

The quick question: Is there a way of forcing a Samba server that is an Active Directory member server to limit lookups to its local domain only and not all trusted domains?

The question in more detail:

I have a Samba server that is joined to my local AD domain ("css.ad.example.com"). There are other domains under ad.example.com such as lps.ad.example.com and mat.ad.example.com within the same forest, and additional trusts setup to external domains. The problem I have is that authentication works "some" of the time and then fails for seemingly random amounts of time before working again. I've managed to reproduce this behaviour through running wbinfo numerous times in succession and monitoring the output.

Running wbinfo -t returns the following:
    checking the trust secret via RPC calls succeeded

However, running wbinfo -u returns:
    Error looking up domain users

Having done some debugging with the Samba debug level set to 10, and performing packet captures with tcpdump/wireshark, I believe the following is happening:

Winbind is obtaining a list of trusted domains and is adding them to a list using add_trusted_domain.

    [2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
      Added domain CSS CSS.AD.EXAMPLE.COM S-1-5-21-2722945677-2571981173-1559263515
    [2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
      Added domain CENTRAL central.ad.example.com S-1-5-21-1546731521-1604605983-311576647
    [2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
      Added domain GRP grp.ad.example.com S-1-5-21-4165802252-723863699-2563104143
    [2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
      Added domain MMSC mmsc-example.com S-1-5-21-3925889671-1378681824-3250279791
    [2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
      Added domain LPS lps.ad.example.com S-1-5-21-3593956825-942678665-1239839976
    [2009/07/23 12:09:28, 2] nsswitch/winbindd_util.c:add_trusted_domain(172)
      Added domain MAT mat.ad.example.com S-1-5-21-227787951-1760200910-3128242332

The last added entry "MAT mat.ad.example.com" is then set as the domain(?):

    [2009/07/23 12:09:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
      ads_dc_name: domain=MAT

Winbind then attempts to get a list of all the domain controllers:

    [2009/07/23 12:09:41, 3] libsmb/namequery.c:get_dc_list(1495)
      get_dc_list: preferred server list: ", *"

Winbind attempts to locate the LDAP server in the MAT domain, but fails:

    [2009/07/23 12:10:01, 3] libads/dns.c:dns_send_req(303)
      ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.mat.ad.example.com (Connection timed out)
    [2009/07/23 12:10:01, 3] libads/dns.c:ads_dns_lookup_srv(363)
      ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_IO_TIMEOUT)
    [2009/07/23 12:10:01, 4] libsmb/namequery.c:get_dc_list(1522)
      get_dc_list: no servers found

Having failed to obtain the LDAP address by DNS, Winbind then tries to resolve the address using lmhosts and WINS. Both fail because although the trusts are in place, the Samba server does not have network access to the MAT domain. After Winbind exhausts the various options of resolving the MAT domain, it then attempts the same with the LPS domain. LPS was the entry added immediately before MAT, so it appears to be traversing the list of trusted domains:

    [2009/07/23 12:10:24, 4] libsmb/namequery_dc.c:ads_dc_name(73)
      ads_dc_name: domain=LPS
    [2009/07/23 12:10:24, 3] libsmb/namequery.c:get_dc_list(1495)
      get_dc_list: preferred server list: ", *"
    [2009/07/23 12:10:24, 4] libsmb/namequery.c:get_dc_list(1605)
      get_dc_list: returning 21 ip addresses in an ordered list
    [2009/07/23 12:10:24, 4] libsmb/namequery.c:get_dc_list(1606)
      get_dc_list: 10.236.113.22:389 10.236.62.21:389 10.236.30.22:389 10.236.100.22:389 10.236.94.21:389 10.236.92.21:389 10.236.114.22:389 10.91.160.41:389 10.236.113.21:389 10.236.114.21:389 10.91.160.40:389          10.236.94.22:389 10.236.92.22:389 10.236.112.22:389 10.236.112.21:389 10.154.110.21:389 10.154.110.22:389 10.91.157.132:389 10.236.62.22:389 10.236.30.21:389 10.236.100.21:389

In Wireshark, I can see this request being made by the NetrGetAnyDCName call and the response from a local domain controller, but the contents of the packet are encrypted. This time the IP addresses for the domain controllers on the LPS domain are returned (so presumably the local domain controller Winbind is querying at this point knows about the LPS domain controllers). 

Winbind then attempts to connect to the first IP address in the list (10.236.113.22):

    [2009/07/23 12:10:31, 3] libads/ldap.c:ads_try_connect(189)
      ads_try_connect: CLDAP request 10.236.113.22 failed.

This fails, so it tries the second in the list and so on. None of these addresses will work as the Samba server is unable to connect to these external DCs due to the network configuration. Partway through this process wbinfo times out and errors. Winbind continues to work through the list of trusted domains until it eventually reaches the first domain "CSS" (of which the Samba server is a member), at which point everything springs into life:

    [2009/07/23 12:53:54, 4] libsmb/namequery_dc.c:ads_dc_name(73)
      ads_dc_name: domain=CSS
    [2009/07/23 12:53:54, 3] libsmb/namequery.c:get_dc_list(1495)
      get_dc_list: preferred server list: "mancssdc01.css.ad.example.com, *"
    [2009/07/23 12:53:54, 4] libsmb/namequery.c:get_dc_list(1605)
      get_dc_list: returning 3 ip addresses in an ordered list
    [2009/07/23 12:53:54, 4] libsmb/namequery.c:get_dc_list(1606)
      get_dc_list: 10.1.10.120:389 10.1.10.123:389 10.1.10.121:389
    [2009/07/23 12:53:54, 3] libads/ldap.c:ads_connect(394)
      Connected to LDAP server 10.1.10.120
    [2009/07/23 12:53:54, 3] libsmb/namequery.c:get_dc_list(1495)
      get_dc_list: preferred server list: "mancssdc01.css.ad.example.com, *"
    [2009/07/23 12:53:54, 4] libsmb/namequery.c:get_dc_list(1605)
      get_dc_list: returning 3 ip addresses in an ordered list
    [2009/07/23 12:53:54, 4] libsmb/namequery.c:get_dc_list(1606)
      get_dc_list: 10.1.10.120:389 10.1.10.123:389 10.1.10.121:389
    [2009/07/23 12:53:54, 3] libsmb/namequery.c:get_dc_list(1495)
      get_dc_list: preferred server list: "mancssdc01.css.ad.example.com, *"
    [2009/07/23 12:53:54, 4] libsmb/namequery.c:get_dc_list(1605)
      get_dc_list: returning 3 ip addresses in an ordered list
    [2009/07/23 12:53:54, 4] libsmb/namequery.c:get_dc_list(1606)
      get_dc_list: 10.1.10.120:389 10.1.10.123:389 10.1.10.121:389
    [2009/07/23 12:53:54, 4] libsmb/namequery_dc.c:ads_dc_name(139)
      ads_dc_name: using server='MANCSSDC01.CSS.AD.EXAMPLE.COM' IP=10.1.10.120

This works correctly for a short while: wbinfo -u and wbinfo -g both return the correct results. But then Winbind goes back through the list of domains and everything stops working again.

So, is there a way I can specify that winbind only uses the CSS domain and does not try and connect to the other trusted domains?

I'm running CentOS 5.3 with Samba 3.0.33-3.7.el5 with the following smb.conf:

[global]
        workgroup = CSS
        realm = CSS.AD.EXAMPLE.COM
        server string = Samba Server Version %v
        security = ADS
        passdb backend = tdbsam
        preferred master = No
        winbind use default domain = Yes

Any help much appreciated!!!

Thanks

Julian
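An added example, not part of the post and not Samba's own code: it turns debug-log excerpts like the ones above into a per-domain timeline, so you can see which trusted domains winbind stalled on, how long each stall lasted, and where it finally reached a DC. It assumes the two-line log layout shown in the post (a "[timestamp, level] file:func(line)" header followed by an indented message); the sample log is a constructed, trimmed copy of the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the debug-level excerpts quoted in the post above.
SAMPLE_LOG = """\
[2009/07/23 12:09:41, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MAT
[2009/07/23 12:10:24, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=LPS
[2009/07/23 12:10:24, 4] libsmb/namequery.c:get_dc_list(1605)
  get_dc_list: returning 21 ip addresses in an ordered list
[2009/07/23 12:10:31, 3] libads/ldap.c:ads_try_connect(189)
  ads_try_connect: CLDAP request 10.236.113.22 failed.
[2009/07/23 12:53:54, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=CSS
[2009/07/23 12:53:54, 4] libsmb/namequery.c:get_dc_list(1605)
  get_dc_list: returning 3 ip addresses in an ordered list
[2009/07/23 12:53:54, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.1.10.120
"""

# Header line followed by its indented message line (assumed layout, as seen in the post).
ENTRY = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)\n[ \t]+(.*)$", re.M)

def parse_winbind_log(text):
    """Pair each '[timestamp, level] file:func(line)' header with the message below it."""
    return [{"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), "level": int(m.group(2)),
             "where": m.group(3), "msg": m.group(4).strip()}
            for m in ENTRY.finditer(text)]

def summarize_dc_lookups(records):
    """Per 'ads_dc_name: domain=X' phase: DC candidates, CLDAP failures, server reached, seconds spent."""
    phases = []
    for r in records:
        msg = r["msg"]
        if msg.startswith("ads_dc_name: domain="):
            phases.append({"domain": msg.split("=", 1)[1], "start": r["time"],
                           "candidates": 0, "cldap_failures": 0, "connected": None})
        elif phases:
            cur, m = phases[-1], re.match(r"get_dc_list: returning (\d+) ip addresses", msg)
            if m:
                cur["candidates"] = int(m.group(1))
            elif msg.startswith("ads_try_connect: CLDAP request"):
                cur["cldap_failures"] += 1
            elif msg.startswith("Connected to LDAP server "):
                cur["connected"] = msg.rsplit(" ", 1)[1]
    for i, p in enumerate(phases):  # a phase lasts until the next domain is tried
        end = phases[i + 1]["start"] if i + 1 < len(phases) else records[-1]["time"]
        p["seconds"] = (end - p["start"]).total_seconds()
    return phases
```

Running summarize_dc_lookups(parse_winbind_log(SAMPLE_LOG)) on the sample shows MAT and LPS ending with connected=None (LPS after a 43-minute stall with 21 unreachable candidates) and CSS reaching 10.1.10.120 immediately, which is the pattern the post describes.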
