[Samba] Lost trusted domain in samba-4.4.4
Rowland penny
rpenny at samba.org
Wed Jul 27 08:58:32 UTC 2016
On 27/07/16 09:35, hy wu wrote:
> Hi list,
>
> This is my domain environment and all DC are windows 2008r2
>
> http://i.imgur.com/8cNOtm2.jpeg
>
> When I used samba-4.0.5, I joined my box to domain "HC1" , I got trusted
> domain "CHILD2" in "wbinfo -m".
>
> [/share/Public] # wbinfo -m
> BUILTIN
> MYBOX
> HC1
> CHILD1
> TREEROOT
> HC2
> CHILD2
>
> Then I upgraded my box to samba-4.4.4, I lost CHILD2 in "wbinfo -m".
> [/share/Public] # wbinfo -m
> BUILTIN
> MYBOX
> HC1
> CHILD1
> TREEROOT
> HC2
>
>
> In log.wb-HC2 , I found following message:
>
> [2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
> trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
> (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
> [2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0),
> class=winbind]
> ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
> winbindd_dual_list_trusted_domains: trusted_domains returned
> NT_STATUS_UNSUCCESSFUL
> [2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)
>
>
> I compared wireshark pcapng between samba-4.0.5 and samba-4.4.4:
> samba-4.0.5:
> http://i.imgur.com/ytr7oMt.jpeg
>
> samba-4.4.4:
> http://i.imgur.com/f5bYOeo.jpeg
>
> samba-4.4.4 did not send "create netlogon" , "netlogon binding" and
> DsrEnumerateDomainTrust so I cannot get "CHILD2" in "wbinfo -m".
>
> I tried to use patch in
> https://bugzilla.samba.org/show_bug.cgi?id=11830
>
> After using this patch, samba-4.4.4 can send "create netlogon" and
> "netlogon binding" but failed in NetrServerAuthenticate3.
>
> http://i.imgur.com/vI6eB5R.jpeg
>
> And I got these message in log.wb-HC2:
> [2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0),
> class=winbind]
> ../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
> rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
> credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
> trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
> (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
> [2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
> ads: trusted_domains
>
>
> Is there any suggestion that helps to configure samba or DC?
>
> Should I wait for new patch?
>
>
> This is my smb.conf:
> [global]
> bind interfaces only = No
> config backend = file
> dos charset = CP850
> enable core files = Yes
> interfaces =
> multicast dns register = Yes
> netbios aliases =
> netbios name = MYBOX
> netbios scope =
> realm = HC1.COM
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate, dns
> server string =
> share backend = classic
> unix charset = UTF-8
> workgroup = HC1
> browse list = Yes
> domain master = Auto
> enhanced browsing = Yes
> lm announce = Auto
> lm interval = 60
> local master = No
> os level = 20
> preferred master = No
> allow dns updates = secure only
> dns forwarder =
> dns update command = /usr/local/samba/sbin/samba_dnsupdate
> machine password timeout = 604800
> nsupdate command = /usr/bin/nsupdate -g
> rndc command = /usr/sbin/rndc
> spn update command = /usr/local/samba/sbin/samba_spnupdate
> mangle prefix = 1
> mangling method = hash2
> max stat cache size = 256
> stat cache = Yes
> client ldap sasl wrapping = sign
> ldap admin dn =
> ldap connection timeout = 2
> ldap delete dn = No
> ldap deref = auto
> ldap follow referral = Auto
> ldap group suffix =
> ldap idmap suffix =
> ldap machine suffix =
> ldap page size = 1000
> ldap passwd sync = no
> ldap replication sleep = 1000
> ldap server require strong auth = Yes
> ldap ssl = start tls
> ldap ssl ads = No
> ldap suffix =
> ldap timeout = 5
> ldap user suffix =
> lock spin time = 200
> oplock break wait time = 0
> smb2 leases = No
> debug class = No
> debug hires timestamp = Yes
> debug pid = No
> debug prefix timestamp = No
> debug uid = No
> ldap debug level = 0
> ldap debug threshold = 10
> log file =
> logging =
> log level = 2
> max log size = 102400
> syslog = 1
> syslog only = No
> timestamp logs = Yes
> abort shutdown script =
> add group script =
> add machine script =
> add user script =
> add user to group script =
> allow nt4 crypto = No
> delete group script =
> delete user from group script =
> delete user script =
> domain logons = No
> enable privileges = Yes
> init logon delay = 100
> init logon delayed hosts =
> logon drive =
> logon home = \\%N\%U
> logon path = \\%N\%U\profile
> logon script =
> reject md5 clients = No
> set primary group script =
> shutdown script =
> add share command =
> afs token lifetime = 604800
> afs username map =
> allow insecure wide links = No
> async smb echo handler = No
> auto services =
> cache directory = /share/CACHEDEV1_DATA/.samba/cache
> change notify = Yes
> change share command =
> cluster addresses =
> clustering = No
> config file =
> ctdbd socket =
> ctdb locktime warn threshold = 0
> ctdb timeout = 0
> default service =
> delete share command =
> homedir map = auto.home
> kernel change notify = Yes
> lock directory = /share/CACHEDEV1_DATA/.samba/lock
> log writeable files on exit = No
> message command =
> nbt client socket address = 0.0.0.0
> ncalrpc dir = /usr/local/samba/var/run/ncalrpc
> NIS homedir = No
> nmbd bind explicit broadcast = Yes
> panic action =
> perfcount module =
> pid directory = /var/lock
> registry shares = No
> remote announce =
> remote browse sync =
> reset on zero vc = No
> smbd profiling level = off
> state directory = /share/CACHEDEV1_DATA/.samba/state
> usershare allow guests = No
> usershare max shares = 0
> usershare owner only = Yes
> usershare path = /usr/local/samba/var/locks/usershares
> usershare prefix allow list =
> usershare prefix deny list =
> usershare template share =
> utmp = No
> utmp directory =
> wtmp directory =
> addport command =
> addprinter command =
> cups connection timeout = 30
> cups encrypt = No
> cups server =
> deleteprinter command =
> disable spoolss = No
> enumports command =
> iprint server =
> load printers = Yes
> lpq cache time = 30
> os2 driver map =
> printcap cache time = 0
> printcap name = /etc/printcap
> show add printer wizard = No
> cldap port = 389
> client ipc max protocol = default
> client ipc min protocol = default
> client max protocol = default
> client min protocol = CORE
> client use spnego = Yes
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver
> defer sharing violations = Yes
> dgram port = 138
> disable netbios = No
> enable asu support = No
> eventlog list =
> large readwrite = Yes
> max mux = 50
> max ttl = 259200
> max wins ttl = 518400
> max xmit = 16644
> min receivefile size = 256
> min wins ttl = 21600
> name resolve order = lmhosts wins host bcast
> nbt port = 137
> nt pipe support = Yes
> nt status support = Yes
> read raw = Yes
> rpc big endian = No
> server max protocol = SMB2_02
> server min protocol = LANMAN1
> server multi channel support = No
> smb2 max credits = 8192
> smb2 max read = 8388608
> smb2 max trans = 8388608
> smb2 max write = 8388608
> smb ports = 445 139
> svcctl list =
> time server = No
> unicode = Yes
> unix extensions = No
> use spnego = Yes
> web port = 901
> write raw = Yes
> algorithmic rid base = 1000
> allow dcerpc auth level connect = No
> allow trusted domains = Yes
> auth methods =
> check password script =
> client ipc signing = No
> client lanman auth = No
> client NTLMv2 auth = Yes
> client plaintext auth = No
> client schannel = No
> client signing = No
> client use spnego principal = No
> dedicated keytab file =
> encrypt passwords = Yes
> guest account = guest
> kerberos method = default
> kpasswd port = 464
> krb5 port = 88
> lanman auth = No
> log nt token command =
> map to guest = Bad User
> map untrusted to domain = No
> ntlm auth = Yes
> ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
> null passwords = Yes
> obey pam restrictions = No
> old password allowed period = 60
> pam password change = Yes
> passdb backend = smbpasswd
> passdb expand explicit = No
> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> passwd chat debug = No
> passwd chat timeout = 2
> passwd program =
> password server = HOST223.hc1.com
> preload modules =
> private dir = /usr/local/samba/private
> raw NTLMv2 auth = No
> rename user script =
> restrict anonymous = 0
> root directory =
> samba kcc command = /usr/local/samba/sbin/samba_kcc
> security = ADS
> server role = auto
> server schannel = No
> server signing = No
> smb passwd file = /etc/config/smbpasswd
> tls cafile = tls/ca.pem
> tls certfile = tls/cert.pem
> tls crlfile =
> tls dh params file =
> tls enabled = Yes
> tls keyfile = tls/key.pem
> tls priority = NORMAL:-VERS-SSL3.0
> tls verify peer = as_strict_as_possible
> unix password sync = No
> username level = 0
> username map = /etc/config/smbusers
> username map cache time = 0
> username map script =
> aio max threads = 100
> deadtime = 10
> getwd cache = Yes
> hostname lookups = No
> keepalive = 300
> max disk size = 0
> max open files = 16384
> max smbd processes = 0
> name cache timeout = 660
> socket options = TCP_NODELAY SO_KEEPALIVE
> use mmap = Yes
> get quota command =
> host msdfs = Yes
> set quota command =
> create krb5 conf = Yes
> idmap backend = tdb
> idmap cache time = 604800
> idmap gid =
> idmap negative cache time = 120
> idmap uid =
> neutralize nt4 emulation = No
> reject md5 servers = No
> require strong key = No
> template homedir = /share/homes/DOMAIN=%D/%U
> template shell = /bin/false
> winbind cache time = 1
> winbindd privileged socket directory =
> /usr/local/samba/var/lib/winbindd_privileged
> winbindd socket directory = /usr/local/samba/var/run/winbindd
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind expand groups = 0
> winbind max clients = 200
> winbind max domain connections = 1
> winbind nested groups = Yes
> winbind normalize names = No
> winbind nss info = template
> winbind offline logon = No
> winbind reconnect delay = 30
> winbind refresh tickets = No
> winbind request timeout = 60
> winbind rpc only = No
> winbind sealed pipes = No
> winbind separator = \
> winbind trusted domains only = No
> winbind use default domain = No
> dns proxy = No
> wins hook =
> wins proxy = No
> wins server =
> wins support = No
> idmap config hc2 : range = 50000001-60000000
> idmap config hc2 : backend = rid
> idmap config treeroot : range = 40000001-50000000
> idmap config treeroot : backend = rid
> idmap config child1 : range = 30000001-40000000
> idmap config child1 : backend = rid
> idmap config hc1 : range = 10000001-20000000
> idmap config hc1 : backend = rid
> idmap config * : range = 400001-500000
> idmap config * : backend = tdb
> comment =
> path =
> administrative share = No
> browseable = Yes
> case sensitive = Auto
> default case = lower
> delete veto files = Yes
> hide dot files = Yes
> hide files =
> hide special files = No
> hide unreadable = No
> hide unwriteable files = No
> mangled names = Yes
> mangling char = ~
> map archive = No
> map hidden = No
> map readonly = no
> map system = No
> preserve case = Yes
> short preserve case = Yes
> store dos attributes = Yes
> veto files =
> veto oplock files =
> blocking locks = Yes
> csc policy = manual
> fake oplocks = No
> kernel oplocks = No
> kernel share modes = Yes
> level2 oplocks = Yes
> locking = Yes
> oplock contention limit = 2
> oplocks = Yes
> posix locking = Yes
> strict locking = Auto
> afs share = No
> available = Yes
> copy =
> delete readonly = No
> dfree cache time = 0
> dfree command =
> directory name cache size = 100
> dmapi support = No
> dont descend =
> dos filemode = No
> dos filetime resolution = No
> dos filetimes = Yes
> fake directory create times = No
> follow symlinks = Yes
> fstype = NTFS
> include =
> magic output =
> magic script =
> postexec =
> preexec =
> preexec close = No
> root postexec =
> root preexec =
> root preexec close = No
> spotlight = No
> volume =
> wide links = Yes
> cups options =
> default devmode = Yes
> force printername = No
> lppause command =
> lpq command = %p
> lpresume command =
> lprm command =
> max print jobs = 1000
> max reported print jobs = 0
> printable = No
> print command =
> printer name =
> printing = cups
> printjob username = %U
> print notify backchannel = No
> queuepause command =
> queueresume command =
> use client driver = No
> acl allow execute always = Yes
> acl check permissions = Yes
> acl map full control = Yes
> durable handles = Yes
> ea support = No
> map acl inherit = No
> nt acl support = Yes
> profile acls = No
> access based share enum = No
> acl group control = No
> admin users =
> create mask = 0777
> directory mask = 0777
> force create mode = 0000
> force directory mode = 0000
> force group =
> force unknown acl user = Yes
> force user =
> guest ok = No
> guest only = No
> hosts allow =
> hosts deny =
> inherit acls = No
> inherit owner = No
> inherit permissions = No
> invalid users =
> only user = No
> read list =
> read only = Yes
> smb encrypt = default
> username =
> valid users =
> write list =
> aio read size = 1
> aio write behind =
> aio write size = 0
> allocation roundup size = 1048576
> block size = 1024
> max connections = 0
> min print space = 0
> strict allocate = No
> strict rename = No
> strict sync = No
> sync always = No
> use sendfile = Yes
> write cache size = 0
> msdfs proxy =
> msdfs root = No
> msdfs shuffle referrals = No
> ntvfs handler = unixuid, default
Can you post the smb.conf as it is stored on the computer and not the
output of 'samba-tool testparm -v'?
The smb.conf you supplied is just too much to wade through.
Rowland
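As an added example (not part of the thread and not Samba's own code): a small Python script that parses the wrapped winbind debug lines quoted above into structured entries, pulls out the NT_STATUS code of every failed NETLOGON pipe connection, and diffs two `wbinfo -m` listings so that a trusted domain lost after an upgrade shows up in a monitoring check rather than by eye. The log layout it assumes is the one in the quoted lines (header with timestamp, level and pid, then `file.c:line(function)` and the message); the sample inputs are constructed from the quoted output.

```python
"""Parse winbind debug output (log.wb-<DOMAIN>) and diff `wbinfo -m` listings.

Added example for this thread, not Samba code.  Assumed log layout, as in the
quoted lines (which the mailer may have wrapped across several lines):
  [<timestamp>, <level>, pid=<pid>, effective(..), real(..), class=winbind]
  <file>.c:<line>(<function>) <message ... (NT_STATUS_xxx)>
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^\[?(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)")
LOCATION_RE = re.compile(r"(?P<file>[\w./-]+\.c):(?P<line>\d+)\((?P<func>\w+)\)")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")
NETLOGON_FAIL_RE = re.compile(
    r"Could not open a connection to (?P<domain>\S+) for PIPE_NETLOGON")


@dataclass
class Entry:
    timestamp: str
    level: int
    pid: int
    function: str
    message: str
    statuses: list = field(default_factory=list)


def parse_winbind_log(text):
    """Group wrapped debug lines into entries, one per '[timestamp, level, pid=' header."""
    entries, chunk = [], []

    def flush():
        if not chunk:
            return
        joined = " ".join(chunk)
        chunk.clear()
        head = HEADER_RE.match(joined)
        if head is None:          # stray text before the first header: ignore
            return
        loc = LOCATION_RE.search(joined)
        func = loc.group("func") if loc else ""
        message = joined[loc.end():].strip() if loc else joined
        entries.append(Entry(head.group("ts"), int(head.group("level")),
                             int(head.group("pid")), func, message,
                             STATUS_RE.findall(message)))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):   # a new header starts a new entry
            flush()
        chunk.append(line)
    flush()
    return entries


def netlogon_failures(entries):
    """(domain, NT_STATUS) for every failed NETLOGON pipe connection in the log."""
    out = []
    for e in entries:
        m = NETLOGON_FAIL_RE.search(e.message)
        if m:
            out.append((m.group("domain"), e.statuses[-1] if e.statuses else "UNKNOWN"))
    return out


def parse_wbinfo_m(text):
    """Domain names from `wbinfo -m` output; the shell prompt line is skipped."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("[") and "wbinfo" not in l}


def diff_trusted_domains(before, after):
    """(lost, gained) domain lists between two `wbinfo -m` runs."""
    b, a = parse_wbinfo_m(before), parse_wbinfo_m(after)
    return sorted(b - a), sorted(a - b)


# Sample inputs, constructed from the output quoted in the thread.
WBINFO_405 = "[/share/Public] # wbinfo -m\nBUILTIN\nMYBOX\nHC1\nCHILD1\nTREEROOT\nHC2\nCHILD2\n"
WBINFO_444 = "[/share/Public] # wbinfo -m\nBUILTIN\nMYBOX\nHC1\nCHILD1\nTREEROOT\nHC2\n"
LOG_444 = """[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
"""
LOG_PATCHED = """2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
"""

if __name__ == "__main__":
    lost, gained = diff_trusted_domains(WBINFO_405, WBINFO_444)
    print("lost:", lost, "gained:", gained)
    for name, log in (("4.4.4", LOG_444), ("4.4.4+patch", LOG_PATCHED)):
        print(name, netlogon_failures(parse_winbind_log(log)))
```

Run it against a saved `wbinfo -m` listing from before an upgrade and the current one, plus the current `log.wb-<DOMAIN>`, and the output tells you both which trust vanished and the NT_STATUS the NETLOGON connection failed with, which is the first thing to quote when asking for help on the list.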