[Samba] Question about trusted domain list in samba-4.4.x

hy wu wuhysmb at gmail.com
Tue Aug 16 07:44:08 UTC 2016


Hi list,

This is my domain environment and all DCs are Windows 2008 R2

http://i.imgur.com/8cNOtm2.jpeg

When I used samba-4.0.5, I joined my box to domain "HC1" and I got trusted
domain "CHILD2" in "wbinfo -m".

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2

Then I upgraded my box to samba-4.4.4 and I lost CHILD2 in "wbinfo -m".

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2


In log.wb-HC2, I found the following messages:

[2016/07/26 12:02:03.981949,  5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962,  3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971,  4, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)


I compared Wireshark pcapng captures between samba-4.0.5 and samba-4.4.4:
samba-4.0.5:
http://i.imgur.com/ytr7oMt.jpeg

samba-4.4.4:
http://i.imgur.com/f5bYOeo.jpeg

samba-4.4.4 did not send "create netlogon", "netlogon binding" and
DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".

I tried to use the patch in
https://bugzilla.samba.org/show_bug.cgi?id=11830

After using this patch, samba-4.4.4 can send "create netlogon" and
"netlogon binding" but fails in NetrServerAuthenticate3.

http://i.imgur.com/vI6eB5R.jpeg

And I got these messages in log.wb-HC2:
2016/07/27 16:25:50.602158,  1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
  rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169,  5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
  trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182,  3, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
  ads: trusted_domains


[/usr/local/samba/var] # cat /etc/config/smb.conf
[global]

client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false

passdb backend = smbpasswd
workgroup = HC1
security = ADS
server string =
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 102400
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers=yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/. at __thumb/. at __desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
max protocol = SMB2_02
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
vfs objects = shadow_copy2 aio_pthread
aio read size = 1
aio write size = 0
pid directory = /var/lock
printcap name=/etc/printcap
printing=cups
show add printer wizard=no

realm = hc1.com
ldap timeout = 5
password server = HOST223.hc1.com
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config HC1 : backend = rid
idmap config HC1 : range = 10000001-20000000
idmap config CHILD1 : backend = rid
idmap config CHILD1 : range = 30000001-40000000
idmap config TREEROOT : backend = rid
idmap config TREEROOT : range = 40000001-50000000
idmap config HC2 : backend = rid
idmap config HC2 : range = 50000001-60000000
idmap config CHILD2 : backend = rid
idmap config CHILD2 : range = 60000001-70000000



I also tried to use samba-4.2.x and added "require strong key = no" and
"winbind sealed pipes = false" in smb.conf.

These options worked; "wbinfo -m" could get the child2 domain.


Next, I tried to use samba-4.3.x and samba-4.4.x,
but "require strong key = no" and "winbind sealed pipes = false" did not
help to list the child domain under hc2.com.

I traced code and found some netlogon functions only use schannel in
samba-4.3.x and samba-4.4.x.

I modified code (source3/winbindd_cm.c) so that cm_connect_netlogon_transport
can use no_schannel, just like samba-4.2.x.

Now "wbinfo -m" can list the child2 domain under hc2.com in samba-4.4.x, but I
am not sure if the no_schannel path conforms with the current SMB, Samba or
Active Directory spec.


Finally, I tried to use Windows 2008 R2 as my client and joined it to the domain.
It was a pure Windows environment.

Running "netdom query /d:hc.com TRUST" on the command line, I also could not get the child2
domain under hc2.com.
http://i.imgur.com/CtKE9Qb.jpeg

When I created a shared folder, I still could not choose child2 domain
under hc2.com...
http://i.imgur.com/K5pJaHE.jpeg

But I could input a child2 domain account directly and it worked; it is so
weird... why???
http://i.imgur.com/CBx906S.jpeg


My questions now are:

1. Why does current Samba not use the no_schannel path?

2. No matter whether I run "netdom query /d:hc.com TRUST" on the Windows client or "wbinfo
-m" in samba-4.4.x, why can't I get the child2 domain in the trusted domain list?
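The smb.conf above switches off schannel, signing, sealed pipes and strong keys, which is what puts the NETLOGON connection on the weaker path the question asks about. The following checker, added here as an example and not taken from the post or from Samba, parses the [global] section and lists every one of those protections that is disabled; the hardened values it recommends and the sample config are this example's own assumptions.

```python
import re

# Protections the post's smb.conf switches off; hardened values are this example's assumption.
HARDENED = {
    "client schannel": "yes", "server schannel": "yes",
    "client ipc signing": "mandatory", "client signing": "mandatory",
    "server signing": "mandatory", "winbind sealed pipes": "yes",
    "require strong key": "yes",
}
WEAK_VALUES = {"no", "false", "0", "disabled", "off"}

def parse_global(conf_text):
    """Return {param: value} for the [global] section, keys normalised."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # "load printers=yes" -> "load printers"
        params[key] = value.strip()
    return params

def find_weak_settings(conf_text):
    """List (param, current, hardened) for every protection that is off."""
    params = parse_global(conf_text)
    return [(p, params[p], want) for p, want in HARDENED.items()
            if p in params and params[p].lower() in WEAK_VALUES]

# Constructed sample: the relevant lines of the post's [global] plus one share.
SAMPLE_CONF = """[global]
client schannel = false
server schannel = false
client ipc signing = false
winbind sealed pipes = false
require strong key = false
workgroup = HC1
[Public]
path = /share/Public
"""

if __name__ == "__main__":
    for param, cur, want in find_weak_settings(SAMPLE_CONF):
        print(f"{param} = {cur}  -> set to: {want}")
```

Run it against a real smb.conf by reading the file into find_weak_settings; share sections are ignored, only [global] is checked.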

