[Samba] Lost trusted domain in samba-4.4.4

hy wu wuhysmb at gmail.com
Tue Aug 16 07:03:12 UTC 2016


Hi,

I tried to use samba-4.2.x and added "require strong key = no" "winbind
sealed pipes = false" in smb.conf.

Those options worked: "wbinfo -m" could list the child2 domain under hc2.com.


Next, I tried to use samba-4.3.x and samba-4.4.x,
but "require strong key = no" "winbind sealed pipes = false" did not help
to list the child domain under hc2.com.

I traced code and found some netlogon functions only use schannel in
samba-4.3.x and samba-4.4.x.

I modified the code (source3/winbindd_cm.c) so that cm_connect_netlogon_transport
can use no_schannel, just like samba-4.2.x.

Now "wbinfo -m" can list the child2 domain under hc2.com in samba-4.4.x, but I
am not sure if the no_schannel path conforms with the current SMB spec.


Finally, I tried to use windows 2008r2 as my client and joined it to the domain.
It was a pure windows environment.

Running "netdom query /d:hc.com TRUST" on the cmd line, I also could not get the child
domain under hc2.com.
http://i.imgur.com/CtKE9Qb.jpeg

When I created a shared folder, I still could not choose the child2 domain
under hc2.com...
http://i.imgur.com/K5pJaHE.jpeg

But I could input a child2 domain account directly and it worked, it is so
weird... why???
http://i.imgur.com/CBx906S.jpeg


My questions now are:

1. Why does current samba not use the no_schannel path?

2. No matter whether I use "netdom query /d:hc.com TRUST" on a windows client or "wbinfo
-m" in samba-4.4.x, why can't I get the child domain in the trust domain list?



2016-07-27 19:13 GMT+08:00 Rowland penny <rpenny at samba.org>:

> On 27/07/16 10:33, hy wu wrote:
>
>>
>> Here is my smb.conf:
>>
>> [/usr/local/samba/var] # cat /etc/config/smb.conf
>> [global]
>>
>> client schannel = false
>> server schannel = false
>> client ipc signing = false
>> client signing = false
>> server signing = false
>> winbind sealed pipes = false
>> require strong key = false
>>
>> passdb backend = smbpasswd
>> workgroup = HC1
>> security = ADS
>> server string =
>> encrypt passwords = Yes
>> username level = 0
>> map to guest = Bad User
>> null passwords = yes
>> max log size = 102400
>> socket options = TCP_NODELAY SO_KEEPALIVE
>> os level = 20
>> preferred master = no
>> dns proxy = No
>> smb passwd file=/etc/config/smbpasswd
>> username map = /etc/config/smbusers
>> guest account = guest
>> directory mask = 0777
>> create mask = 0777
>> oplocks = yes
>> locking = yes
>> disable spoolss = no
>> load printers=yes
>> veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
>> delete veto files = yes
>> map archive = no
>> map system = no
>> map hidden = no
>> map read only = no
>> deadtime = 10
>> server role = auto
>> use sendfile = yes
>> unix extensions = no
>> store dos attributes = yes
>> client ntlmv2 auth = yes
>> dos filetime resolution = no
>> wide links = yes
>> force unknown acl user = yes
>> template homedir = /share/homes/DOMAIN=%D/%U
>> inherit acls = no
>> domain logons = no
>> min receivefile size = 256
>> case sensitive = auto
>> domain master = auto
>> local master = no
>> enhance acl v1 = yes
>> remove everyone = no
>> conn log = no
>> kernel oplocks = no
>> max protocol = SMB2_02
>> lock directory = /share/CACHEDEV1_DATA/.samba/lock
>> state directory = /share/CACHEDEV1_DATA/.samba/state
>> cache directory = /share/CACHEDEV1_DATA/.samba/cache
>> printcap cache time = 0
>> acl allow execute always = yes
>> vfs objects = shadow_copy2 aio_pthread
>> aio read size = 1
>> aio write size = 0
>> pid directory = /var/lock
>> printcap name=/etc/printcap
>> printing=cups
>> show add printer wizard=no
>>
>> realm = hc1.com
>> ldap timeout = 5
>> password server = HOST223.hc1.com
>> pam password change = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind cache time = 1
>> idmap config * : backend = tdb
>> idmap config * : range = 400001-500000
>> idmap config HC1 : backend = rid
>> idmap config HC1 : range = 10000001-20000000
>> idmap config CHILD1 : backend = rid
>> idmap config CHILD1 : range = 30000001-40000000
>> idmap config TREEROOT : backend = rid
>> idmap config TREEROOT : range = 40000001-50000000
>> idmap config HC2 : backend = rid
>> idmap config HC2 : range = 50000001-60000000
>> idmap config CHILD2 : backend = rid
>> idmap config CHILD2 : range = 60000001-70000000
>>
>>
> If you have used the correct patch and are still having the problem, then
> I would suggest you add to the bug report that you are having problems even
> with the patch.
>
> What I can suggest, sit down with a copy of 'man smbconf' and your
> smb.conf, quite a few of your lines could be removed because they are the
> defaults and at least two should be the defaults i.e. I would remove these:
>
> passdb backend = smbpasswd
> password server = HOST223.hc1.com
>
> The first is using a deprecated method and the second is hardcoding the
> server to use, you should allow this to be discovered.
>
>
> Rowland
>
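As an added example that is not code from this list thread or from the Samba project: a small Python audit that parses the [global] section of an smb.conf (a constructed subset of the one quoted above) and reports each option whose value disables schannel, signing, pipe sealing or strong keys, next to the value a hardened domain-member configuration would use. The recommended values are assumptions taken from the smb.conf manual page, not advice given in the thread.

```python
"""Flag smb.conf settings that weaken the security of a domain member.

Added example for the samba list thread above; not Samba's own code.
"""

# Option -> (values treated as weak, assumed hardened value).
# Hardened values are assumptions from `man smb.conf`; check your version.
FALSY = {"no", "false", "0", "off"}
WEAK_SETTINGS = {
    "client schannel": (FALSY, "yes"),
    "server schannel": (FALSY, "yes"),
    "client ipc signing": (FALSY, "mandatory"),
    "client signing": (FALSY, "default"),
    "server signing": (FALSY, "default"),
    "winbind sealed pipes": (FALSY, "yes"),
    "require strong key": (FALSY, "yes"),
    "passdb backend": ({"smbpasswd"}, "tdbsam"),  # deprecated backend
}

# Constructed subset of the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
client schannel = false
server schannel = false
client ipc signing = false
server signing = false
winbind sealed pipes = false
require strong key = false
passdb backend = smbpasswd
security = ADS
workgroup = HC1
load printers=yes
"""


def parse_smb_conf(text):
    """Return {section: {option: value}}; options are lower-cased and
    whitespace-normalised, '=' may have no surrounding spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit(text):
    """Return [(option, current value, hardened value)] for weak settings."""
    findings = []
    for key, value in parse_smb_conf(text).get("global", {}).items():
        rule = WEAK_SETTINGS.get(key)
        if rule and value.lower() in rule[0]:
            findings.append((key, value, rule[1]))
    return findings


if __name__ == "__main__":
    for option, current, fix in audit(SAMPLE_SMB_CONF):
        print(f"{option} = {current}  ->  recommend: {option} = {fix}")
```

Run it against the real file with `audit(open("/etc/samba/smb.conf").read())`; every line reported is one the thread's workaround relies on and should be re-enabled once the trust problem is solved.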

