[Samba] winbind between trusted domains really acting up under
3.0.28a
Jason Haar
Jason.Haar at trimble.co.nz
Tue Mar 25 01:57:15 GMT 2008
I'm starting to see some really weird things happen on a range of
Samba-3.0.28a servers installed as "security=ADS" members of a variety
of domains. This was working last time I checked (weeks ago), but
something's happened. Windows Updates tend to spring to mind more than
Samba upgrades as a cause...
On all of them, "wbinfo -t" is happy, "net ads testjoin" is happy,
"wbinfo -m" returns expected trusted domains. Looking up members of
their own domains appears 100% reliable. "allow trusted domains = Yes"
is set.
What I am seeing is that the Samba host cannot resolve AD accounts from
other trusted domains correctly anymore. "wbinfo -i dom\\username"
returns "Could not get info" instead of an answer, and there appears to
be a big disconnect with mappings between SIDs and UIDs.
e.g.
wbinfo -S S-1-5-21-725345543-602609370-839522115-10663
...returns a UID, and
wbinfo -s S-1-5-21-725345543-602609370-839522115-10663
...returns "DOM\\username", but
wbinfo -i "DOM\\username"
returns "Could not get info". So it looks like winbind has
SID->UID->name - but can't do the opposite? Also, looking at
/var/log/samba/log.wb-DOM shows
get_trust_pw_clear: could not fetch clear text trust account password for domain DOM
[2008/03/25 01:47:19, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
error getting user info for sid S-1-5-21-725345543-602609370-839522115-10663
So it looks like Samba as an ADS member in one domain is attempting to
make a clear text connection to domain controllers in another domain and
failing. Well that makes me think of two questions:
1. why does Samba (as a member server) even have to know about other
domains? I would have thought it would just throw the problem at its
local DCs to deal with?
2. why is it using clear text? I assume that's the problem. It is
compiled against Kerberos, and whatever else normally happens, so I
don't understand why it's using clear text. "testparm" shows nothing
that stands out as being behind this, and the logs show no other
errors/failures besides this.
Any ideas? These are CentOS4 systems with samba-3.0.28a. Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
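An added diagnostic script, not part of the original post or of Samba, that automates the three-leg lookup described above (wbinfo -S, -s, -i) for one SID and reports which leg fails, and scans a log.wb-* file for the get_trust_pw_clear message. The injectable `run` parameter and the `name_from_s_output` helper are assumptions of this example so it can be exercised offline against constructed wbinfo output.

```python
#!/usr/bin/env python3
"""Round-trip winbind lookups (wbinfo -S, -s, -i) for a SID and report
which leg fails; also scan a log.wb-* file for the get_trust_pw_clear
error. `run` is injectable (hypothetical design, not Samba's) so the
checks can be exercised offline against constructed output."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
TRUST_PW_RE = re.compile(
    r"could not fetch clear text trust account password\s+for domain (\S+)")

def split_sid(sid: str) -> Tuple[str, int]:
    """Split a SID into its domain SID and RID (the last sub-authority)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def run_wbinfo(args: List[str]) -> Optional[str]:
    """Default runner: wbinfo stdout on success, None when the lookup fails."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def name_from_s_output(out: str) -> str:
    """`wbinfo -s` prints 'DOM\\user 1' (name, then SID type); drop the type."""
    head, _, tail = out.rpartition(" ")
    return head if head and tail.isdigit() else out

def roundtrip(sid: str, run: Callable[[List[str]], Optional[str]] = run_wbinfo
              ) -> Dict[str, Optional[str]]:
    """Follow SID->UID, SID->name and name->info, recording each leg."""
    domain, rid = split_sid(sid)
    res: Dict[str, Optional[str]] = {"domain_sid": domain, "rid": str(rid),
                                     "uid": run(["-S", sid]), "name": None, "info": None}
    raw = run(["-s", sid])
    if raw:
        res["name"] = name_from_s_output(raw)
        res["info"] = run(["-i", res["name"]])  # the leg that fails in the post
    legs = [("sid-to-uid", res["uid"]), ("sid-to-name", res["name"]),
            ("name-to-info", res["info"])]
    res["verdict"] = ", ".join(f"{leg} {'ok' if v else 'failed'}" for leg, v in legs)
    return res

def trust_pw_errors(log_text: str) -> List[str]:
    """Domains for which winbind could not fetch the trust account password."""
    return sorted(set(TRUST_PW_RE.findall(log_text)))

if __name__ == "__main__":
    import sys
    print(roundtrip(sys.argv[1]))
```

Run it as `./wbcheck.py S-1-5-21-...-10663` on the member server; a verdict of "sid-to-name ok, name-to-info failed" is the one-way mapping described in the post, and `trust_pw_errors(open("/var/log/samba/log.wb-DOM").read())` lists the trusted domains the trust-password fetch failed for.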