Having issues with trusted domain scan if the primary domain is a tree-root but not the forest root.

Hemanth Thummala hemanth.thummala at nutanix.com
Wed Jan 30 17:36:53 UTC 2019

Thanks Volker and Metz, for your responses.

> Yes, avoiding the scan at all is the future!
Good to know. Will be very interested to see how the trusted domain authentication flow will be with this change. However, we need to fix this issue as we got into it from the field. I am also trying to reproduce it locally and wanted to try with forest_root_scan(). Hope it will not be going into an endless loop.

@Stefan Metzmacher, We have this patch applied already on our stack.


On 1/30/19, 1:46 AM, "Stefan Metzmacher" <metze at samba.org> wrote:

    Hi Hemanth,
    >> We were debugging an issue related to trusted domain scan. Samba
    >> file server is joined to a domain which is a tree root in the
    >> forest, but not the forest root. We have few forest trusts
    >> established at forest root level. When we try to scan the trusted
    >> domains, we were able to get all the domains within the forest of
    >> our primary domain but nothing from other forests.
    > The fact alone that we scan trusted domains is a bug. This bug is on
    > its way to be fixed. There have been some significant fixes in
    > winbind to remove this dependency. In Samba 4.8 you have the "winbind
    > scan trusted domains" option which will be defaulted to "no" soon.
    > Please try with 4.8 and setting that to off. Your case might be a very
    > good testcase for this option, and we will deeply look at the bugs you
    > see when setting it to "no".
    Yes, avoiding the scan at all is the future!
    I'm not 100% sure it's related but you may want to look at
    commit 525752e06e7e73bfe1e9e7b80ad9f11d45befe5c
    Author:     Stefan Metzmacher <metze at samba.org>
    AuthorDate: Thu Mar 2 08:13:57 2017 +0100
    Commit:     Stefan Metzmacher <metze at samba.org>
    CommitDate: Mon Mar 6 19:40:23 2017 +0100
        s3:winbindd: fix endless forest trust scan
        Commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b effectively
        disabled the enumeration of trusts in other forests.
        The fixes for https://bugzilla.samba.org/show_bug.cgi?id=11691
        changed the way we fill domain->domain_flags for domains
        in other forests.
        Commit fffefe72fcc62d9688b45f53a5327667dc0b2fe6 readded the
        ability to enumerate trusts of other forests again, in order to
        fix https://bugzilla.samba.org/show_bug.cgi?id=11830
        Now we have the problem that multiple domains
        (even outside of our forest) are considered to be
        our forest root, as they have the following flags:
        BUG: https://bugzilla.samba.org/show_bug.cgi?id=12605
        Signed-off-by: Stefan Metzmacher <metze at samba.org>
        Reviewed-by: Ralph Boehme <slow at samba.org>
        Autobuild-User(master): Ralph Böhme <slow at samba.org>
        Autobuild-Date(master): Thu Mar  2 17:53:14 CET 2017 on sn-devel-144
        (cherry picked from commit f9aaddcdd8f9ea648c9c5ea804f56ee3ff6c4c67)
