[Samba] winbind between trusted domains really acting up under 3.0.28a

Jason Haar Jason.Haar at trimble.co.nz
Tue Mar 25 01:57:15 GMT 2008


I'm starting to see some really weird things happen on a range of 
Samba-3.0.28a servers installed as "security=ADS" members of a variety 
of domains. This was working last time I checked (weeks ago), but 
something's happened. Windows Updates tend to spring to mind more than 
Samba upgrades as a cause...

On all of them, "wbinfo -t" is happy, "net ads testjoin" is happy, 
"wbinfo -m" returns expected trusted domains. Looking up members of 
their own domains appears 100% reliable. "allow trusted domains = Yes" 
is set.

What I am seeing is that the Samba host cannot resolve AD accounts from 
other trusted domains correctly anymore. "wbinfo -i dom\\username" 
returns "Could not get info" instead of an answer, and there appears to 
be a big disconnect with mappings between SIDS and UIDs.

e.g.
wbinfo -S S-1-5-21-725345543-602609370-839522115-10663
...returns a UID, and
wbinfo -s S-1-5-21-725345543-602609370-839522115-10663
...returns "DOM\\username", but

wbinfo -i "DOM\\username"

returns "Could not get info". So it looks like winbind has 
SID->UID->name - but can't do the opposite? Also, looking at 
/var/log/samba/log.wb-DOM shows

get_trust_pw_clear: could not fetch clear text trust account password 
for domain DOM
[2008/03/25 01:47:19, 1] 
nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid 
S-1-5-21-725345543-602609370-839522115-10663
So it looks like Samba as an ADS member in one domain is attempting to 
make a clear text connection to domain controllers in another domain and 
failing. Well that makes me think of two questions:

1. why does samba (as a member server) even have to know about other 
domains? I would have thought it would just throw the problem at its 
local DCs to deal with?
2. why is it using clear text? I assume that's the problem. It is 
compiled against Kerberos, and whatever else normally happens, so I 
don't understand why it's using clear text. "testparm" shows nothing 
that stands out as being behind this, and the logs show no other 
errors/failures besides this.

Any ideas? These are CentOS4 systems with samba-3.0.28a. Thanks!
 

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



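A small diagnostic helper, added here as an example rather than anything from the post or from Samba itself: it summarises the get_trust_pw_clear / userinfo failures in a log.wb-DOMAIN excerpt and replays the wbinfo -S / -s / -i round trip for one SID, reporting the first step that fails. It assumes the wbinfo binary is on PATH; the sample log is the excerpt quoted in the post.

```python
import re
import subprocess
from collections import defaultdict

# Sample log: the log.wb-DOM excerpt quoted in the post, mail-wrapped, so the regexes use \s+ between words.
SAMPLE_LOG = """\
get_trust_pw_clear: could not fetch clear text trust account password
for domain DOM
[2008/03/25 01:47:19, 1]
nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid
S-1-5-21-725345543-602609370-839522115-10663
"""
TRUST_PW_RE = re.compile(r"get_trust_pw_clear: could not fetch clear text trust account password\s+for domain (\S+)")
USERINFO_RE = re.compile(r"error getting user info for sid\s+(S-1-5-21-[\d-]+)")

def scan_wb_log(text):
    """Count trust-password fetch failures per domain and collect the SIDs whose
    userinfo lookup failed, from a log.wb-<DOMAIN> excerpt."""
    trust = defaultdict(int)
    for m in TRUST_PW_RE.finditer(text):
        trust[m.group(1)] += 1
    return {"trust_pw_failures": dict(trust),
            "userinfo_failures": USERINFO_RE.findall(text)}

def wbinfo(args):
    """Run wbinfo (assumed to be on PATH) and return (exit code, stripped stdout)."""
    p = subprocess.run(["wbinfo", *args], capture_output=True, text=True)
    return p.returncode, p.stdout.strip()

def roundtrip(sid, run=wbinfo):
    """Replay the post's sequence for one SID and name the first failing step:
    -S (SID -> UID), -s (SID -> DOM\\name), -i (DOM\\name -> passwd-style info)."""
    rc, uid = run(["-S", sid])
    if rc != 0 or not uid.isdigit():
        return "sid_to_uid"
    rc, name = run(["-s", sid])
    if rc != 0 or "\\" not in name:
        return "sid_to_name"
    # wbinfo -s prints "DOM\\user <type>"; keep only the name for the -i lookup.
    name = name.split()[0]
    rc, info = run(["-i", name])
    if rc != 0 or not info:
        return "name_to_info"
    return "ok"

if __name__ == "__main__":
    print(scan_wb_log(SAMPLE_LOG))
    print(roundtrip("S-1-5-21-725345543-602609370-839522115-10663"))
```

The `run` parameter lets you feed recorded wbinfo outputs into `roundtrip` without winbind running, which is how the failure pattern from the post (UID and name resolve, `-i` does not) can be reproduced on any machine.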