[Samba] Lost trusted domain in samba-4.4.4

hy wu wuhysmb at gmail.com
Wed Jul 27 09:33:03 UTC 2016


Here is my smb.conf:

[/usr/local/samba/var] # cat /etc/config/smb.conf
[global]

client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false

passdb backend = smbpasswd
workgroup = HC1
security = ADS
server string =
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 102400
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers=yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
max protocol = SMB2_02
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
vfs objects = shadow_copy2 aio_pthread
aio read size = 1
aio write size = 0
pid directory = /var/lock
printcap name=/etc/printcap
printing=cups
show add printer wizard=no

realm = hc1.com
ldap timeout = 5
password server = HOST223.hc1.com
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config HC1 : backend = rid
idmap config HC1 : range = 10000001-20000000
idmap config CHILD1 : backend = rid
idmap config CHILD1 : range = 30000001-40000000
idmap config TREEROOT : backend = rid
idmap config TREEROOT : range = 40000001-50000000
idmap config HC2 : backend = rid
idmap config HC2 : range = 50000001-60000000
idmap config CHILD2 : backend = rid
idmap config CHILD2 : range = 60000001-70000000

2016-07-27 16:58 GMT+08:00 Rowland penny <rpenny at samba.org>:

> On 27/07/16 09:35, hy wu wrote:
>
>> Hi list,
>>
>> This is my domain environment and all DCs are Windows 2008 R2
>>
>> http://i.imgur.com/8cNOtm2.jpeg
>>
>> When I used samba-4.0.5, I joined my box to domain "HC1" and got the trusted
>> domain "CHILD2" in "wbinfo -m".
>>
>> [/share/Public] # wbinfo -m
>> BUILTIN
>> MYBOX
>> HC1
>> CHILD1
>> TREEROOT
>> HC2
>> CHILD2
>>
>> Then I upgraded my box to samba-4.4.4 and lost CHILD2 in "wbinfo -m".
>> [/share/Public] # wbinfo -m
>> BUILTIN
>> MYBOX
>> HC1
>> CHILD1
>> TREEROOT
>> HC2
>>
>>
>> In log.wb-HC2, I found the following messages:
>>
>> [2016/07/26 12:02:03.981949,  5, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
>>    trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>> [2016/07/26 12:02:03.981962,  3, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
>>    winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
>> [2016/07/26 12:02:03.981971,  4, pid=15758, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)
>>
>>
>> I compared Wireshark pcapng captures between samba-4.0.5 and samba-4.4.4:
>> samba-4.0.5:
>> http://i.imgur.com/ytr7oMt.jpeg
>>
>> samba-4.4.4:
>> http://i.imgur.com/f5bYOeo.jpeg
>>
>> samba-4.4.4 did not send "create netlogon", "netlogon binding" and
>> DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".
>>
>> I tried to use the patch in
>> https://bugzilla.samba.org/show_bug.cgi?id=11830
>>
>> After using this patch, samba-4.4.4 can send "create netlogon" and
>> "netlogon binding" but fails in NetrServerAuthenticate3.
>>
>> http://i.imgur.com/vI6eB5R.jpeg
>>
>> And I got these messages in log.wb-HC2:
>> [2016/07/27 16:25:50.602158,  1, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
>>    rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
>> [2016/07/27 16:25:50.602169,  5, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
>>    trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
>> [2016/07/27 16:25:50.602182,  3, pid=18689, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
>>    ads: trusted_domains
>>
>>
>> Is there any suggestion that would help to configure Samba or the DC?
>>
>> Should I wait for a new patch?
>>
>>
>> This is my smb.conf:
>> [global]
>>          bind interfaces only = No
>>          config backend = file
>>          dos charset = CP850
>>          enable core files = Yes
>>          interfaces =
>>          multicast dns register = Yes
>>          netbios aliases =
>>          netbios name = MYBOX
>>          netbios scope =
>>          realm = HC1.COM
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
>>          server string =
>>          share backend = classic
>>          unix charset = UTF-8
>>          workgroup = HC1
>>          browse list = Yes
>>          domain master = Auto
>>          enhanced browsing = Yes
>>          lm announce = Auto
>>          lm interval = 60
>>          local master = No
>>          os level = 20
>>          preferred master = No
>>          allow dns updates = secure only
>>          dns forwarder =
>>          dns update command = /usr/local/samba/sbin/samba_dnsupdate
>>          machine password timeout = 604800
>>          nsupdate command = /usr/bin/nsupdate -g
>>          rndc command = /usr/sbin/rndc
>>          spn update command = /usr/local/samba/sbin/samba_spnupdate
>>          mangle prefix = 1
>>          mangling method = hash2
>>          max stat cache size = 256
>>          stat cache = Yes
>>          client ldap sasl wrapping = sign
>>          ldap admin dn =
>>          ldap connection timeout = 2
>>          ldap delete dn = No
>>          ldap deref = auto
>>          ldap follow referral = Auto
>>          ldap group suffix =
>>          ldap idmap suffix =
>>          ldap machine suffix =
>>          ldap page size = 1000
>>          ldap passwd sync = no
>>          ldap replication sleep = 1000
>>          ldap server require strong auth = Yes
>>          ldap ssl = start tls
>>          ldap ssl ads = No
>>          ldap suffix =
>>          ldap timeout = 5
>>          ldap user suffix =
>>          lock spin time = 200
>>          oplock break wait time = 0
>>          smb2 leases = No
>>          debug class = No
>>          debug hires timestamp = Yes
>>          debug pid = No
>>          debug prefix timestamp = No
>>          debug uid = No
>>          ldap debug level = 0
>>          ldap debug threshold = 10
>>          log file =
>>          logging =
>>          log level = 2
>>          max log size = 102400
>>          syslog = 1
>>          syslog only = No
>>          timestamp logs = Yes
>>          abort shutdown script =
>>          add group script =
>>          add machine script =
>>          add user script =
>>          add user to group script =
>>          allow nt4 crypto = No
>>          delete group script =
>>          delete user from group script =
>>          delete user script =
>>          domain logons = No
>>          enable privileges = Yes
>>          init logon delay = 100
>>          init logon delayed hosts =
>>          logon drive =
>>          logon home = \\%N\%U
>>          logon path = \\%N\%U\profile
>>          logon script =
>>          reject md5 clients = No
>>          set primary group script =
>>          shutdown script =
>>          add share command =
>>          afs token lifetime = 604800
>>          afs username map =
>>          allow insecure wide links = No
>>          async smb echo handler = No
>>          auto services =
>>          cache directory = /share/CACHEDEV1_DATA/.samba/cache
>>          change notify = Yes
>>          change share command =
>>          cluster addresses =
>>          clustering = No
>>          config file =
>>          ctdbd socket =
>>          ctdb locktime warn threshold = 0
>>          ctdb timeout = 0
>>          default service =
>>          delete share command =
>>          homedir map = auto.home
>>          kernel change notify = Yes
>>          lock directory = /share/CACHEDEV1_DATA/.samba/lock
>>          log writeable files on exit = No
>>          message command =
>>          nbt client socket address = 0.0.0.0
>>          ncalrpc dir = /usr/local/samba/var/run/ncalrpc
>>          NIS homedir = No
>>          nmbd bind explicit broadcast = Yes
>>          panic action =
>>          perfcount module =
>>          pid directory = /var/lock
>>          registry shares = No
>>          remote announce =
>>          remote browse sync =
>>          reset on zero vc = No
>>          smbd profiling level = off
>>          state directory = /share/CACHEDEV1_DATA/.samba/state
>>          usershare allow guests = No
>>          usershare max shares = 0
>>          usershare owner only = Yes
>>          usershare path = /usr/local/samba/var/locks/usershares
>>          usershare prefix allow list =
>>          usershare prefix deny list =
>>          usershare template share =
>>          utmp = No
>>          utmp directory =
>>          wtmp directory =
>>          addport command =
>>          addprinter command =
>>          cups connection timeout = 30
>>          cups encrypt = No
>>          cups server =
>>          deleteprinter command =
>>          disable spoolss = No
>>          enumports command =
>>          iprint server =
>>          load printers = Yes
>>          lpq cache time = 30
>>          os2 driver map =
>>          printcap cache time = 0
>>          printcap name = /etc/printcap
>>          show add printer wizard = No
>>          cldap port = 389
>>          client ipc max protocol = default
>>          client ipc min protocol = default
>>          client max protocol = default
>>          client min protocol = CORE
>>          client use spnego = Yes
>>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
>>          defer sharing violations = Yes
>>          dgram port = 138
>>          disable netbios = No
>>          enable asu support = No
>>          eventlog list =
>>          large readwrite = Yes
>>          max mux = 50
>>          max ttl = 259200
>>          max wins ttl = 518400
>>          max xmit = 16644
>>          min receivefile size = 256
>>          min wins ttl = 21600
>>          name resolve order = lmhosts wins host bcast
>>          nbt port = 137
>>          nt pipe support = Yes
>>          nt status support = Yes
>>          read raw = Yes
>>          rpc big endian = No
>>          server max protocol = SMB2_02
>>          server min protocol = LANMAN1
>>          server multi channel support = No
>>          smb2 max credits = 8192
>>          smb2 max read = 8388608
>>          smb2 max trans = 8388608
>>          smb2 max write = 8388608
>>          smb ports = 445 139
>>          svcctl list =
>>          time server = No
>>          unicode = Yes
>>          unix extensions = No
>>          use spnego = Yes
>>          web port = 901
>>          write raw = Yes
>>          algorithmic rid base = 1000
>>          allow dcerpc auth level connect = No
>>          allow trusted domains = Yes
>>          auth methods =
>>          check password script =
>>          client ipc signing = No
>>          client lanman auth = No
>>          client NTLMv2 auth = Yes
>>          client plaintext auth = No
>>          client schannel = No
>>          client signing = No
>>          client use spnego principal = No
>>          dedicated keytab file =
>>          encrypt passwords = Yes
>>          guest account = guest
>>          kerberos method = default
>>          kpasswd port = 464
>>          krb5 port = 88
>>          lanman auth = No
>>          log nt token command =
>>          map to guest = Bad User
>>          map untrusted to domain = No
>>          ntlm auth = Yes
>>          ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
>>          null passwords = Yes
>>          obey pam restrictions = No
>>          old password allowed period = 60
>>          pam password change = Yes
>>          passdb backend = smbpasswd
>>          passdb expand explicit = No
>>          passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>>          passwd chat debug = No
>>          passwd chat timeout = 2
>>          passwd program =
>>          password server = HOST223.hc1.com
>>          preload modules =
>>          private dir = /usr/local/samba/private
>>          raw NTLMv2 auth = No
>>          rename user script =
>>          restrict anonymous = 0
>>          root directory =
>>          samba kcc command = /usr/local/samba/sbin/samba_kcc
>>          security = ADS
>>          server role = auto
>>          server schannel = No
>>          server signing = No
>>          smb passwd file = /etc/config/smbpasswd
>>          tls cafile = tls/ca.pem
>>          tls certfile = tls/cert.pem
>>          tls crlfile =
>>          tls dh params file =
>>          tls enabled = Yes
>>          tls keyfile = tls/key.pem
>>          tls priority = NORMAL:-VERS-SSL3.0
>>          tls verify peer = as_strict_as_possible
>>          unix password sync = No
>>          username level = 0
>>          username map = /etc/config/smbusers
>>          username map cache time = 0
>>          username map script =
>>          aio max threads = 100
>>          deadtime = 10
>>          getwd cache = Yes
>>          hostname lookups = No
>>          keepalive = 300
>>          max disk size = 0
>>          max open files = 16384
>>          max smbd processes = 0
>>          name cache timeout = 660
>>          socket options = TCP_NODELAY SO_KEEPALIVE
>>          use mmap = Yes
>>          get quota command =
>>          host msdfs = Yes
>>          set quota command =
>>          create krb5 conf = Yes
>>          idmap backend = tdb
>>          idmap cache time = 604800
>>          idmap gid =
>>          idmap negative cache time = 120
>>          idmap uid =
>>          neutralize nt4 emulation = No
>>          reject md5 servers = No
>>          require strong key = No
>>          template homedir = /share/homes/DOMAIN=%D/%U
>>          template shell = /bin/false
>>          winbind cache time = 1
>>          winbindd privileged socket directory = /usr/local/samba/var/lib/winbindd_privileged
>>          winbindd socket directory = /usr/local/samba/var/run/winbindd
>>          winbind enum groups = Yes
>>          winbind enum users = Yes
>>          winbind expand groups = 0
>>          winbind max clients = 200
>>          winbind max domain connections = 1
>>          winbind nested groups = Yes
>>          winbind normalize names = No
>>          winbind nss info = template
>>          winbind offline logon = No
>>          winbind reconnect delay = 30
>>          winbind refresh tickets = No
>>          winbind request timeout = 60
>>          winbind rpc only = No
>>          winbind sealed pipes = No
>>          winbind separator = \
>>          winbind trusted domains only = No
>>          winbind use default domain = No
>>          dns proxy = No
>>          wins hook =
>>          wins proxy = No
>>          wins server =
>>          wins support = No
>>          idmap config hc2 : range = 50000001-60000000
>>          idmap config hc2 : backend = rid
>>          idmap config treeroot : range = 40000001-50000000
>>          idmap config treeroot : backend = rid
>>          idmap config child1 : range = 30000001-40000000
>>          idmap config child1 : backend = rid
>>          idmap config hc1 : range = 10000001-20000000
>>          idmap config hc1 : backend = rid
>>          idmap config * : range = 400001-500000
>>          idmap config * : backend = tdb
>>          comment =
>>          path =
>>          administrative share = No
>>          browseable = Yes
>>          case sensitive = Auto
>>          default case = lower
>>          delete veto files = Yes
>>          hide dot files = Yes
>>          hide files =
>>          hide special files = No
>>          hide unreadable = No
>>          hide unwriteable files = No
>>          mangled names = Yes
>>          mangling char = ~
>>          map archive = No
>>          map hidden = No
>>          map readonly = no
>>          map system = No
>>          preserve case = Yes
>>          short preserve case = Yes
>>          store dos attributes = Yes
>>          veto files =
>>          veto oplock files =
>>          blocking locks = Yes
>>          csc policy = manual
>>          fake oplocks = No
>>          kernel oplocks = No
>>          kernel share modes = Yes
>>          level2 oplocks = Yes
>>          locking = Yes
>>          oplock contention limit = 2
>>          oplocks = Yes
>>          posix locking = Yes
>>          strict locking = Auto
>>          afs share = No
>>          available = Yes
>>          copy =
>>          delete readonly = No
>>          dfree cache time = 0
>>          dfree command =
>>          directory name cache size = 100
>>          dmapi support = No
>>          dont descend =
>>          dos filemode = No
>>          dos filetime resolution = No
>>          dos filetimes = Yes
>>          fake directory create times = No
>>          follow symlinks = Yes
>>          fstype = NTFS
>>          include =
>>          magic output =
>>          magic script =
>>          postexec =
>>          preexec =
>>          preexec close = No
>>          root postexec =
>>          root preexec =
>>          root preexec close = No
>>          spotlight = No
>>          volume =
>>          wide links = Yes
>>          cups options =
>>          default devmode = Yes
>>          force printername = No
>>          lppause command =
>>          lpq command = %p
>>          lpresume command =
>>          lprm command =
>>          max print jobs = 1000
>>          max reported print jobs = 0
>>          printable = No
>>          print command =
>>          printer name =
>>          printing = cups
>>          printjob username = %U
>>          print notify backchannel = No
>>          queuepause command =
>>          queueresume command =
>>          use client driver = No
>>          acl allow execute always = Yes
>>          acl check permissions = Yes
>>          acl map full control = Yes
>>          durable handles = Yes
>>          ea support = No
>>          map acl inherit = No
>>          nt acl support = Yes
>>          profile acls = No
>>          access based share enum = No
>>          acl group control = No
>>          admin users =
>>          create mask = 0777
>>          directory mask = 0777
>>          force create mode = 0000
>>          force directory mode = 0000
>>          force group =
>>          force unknown acl user = Yes
>>          force user =
>>          guest ok = No
>>          guest only = No
>>          hosts allow =
>>          hosts deny =
>>          inherit acls = No
>>          inherit owner = No
>>          inherit permissions = No
>>          invalid users =
>>          only user = No
>>          read list =
>>          read only = Yes
>>          smb encrypt = default
>>          username =
>>          valid users =
>>          write list =
>>          aio read size = 1
>>          aio write behind =
>>          aio write size = 0
>>          allocation roundup size = 1048576
>>          block size = 1024
>>          max connections = 0
>>          min print space = 0
>>          strict allocate = No
>>          strict rename = No
>>          strict sync = No
>>          sync always = No
>>          use sendfile = Yes
>>          write cache size = 0
>>          msdfs proxy =
>>          msdfs root = No
>>          msdfs shuffle referrals = No
>>          ntvfs handler = unixuid, default
>>
>
> Can you post the smb.conf as it is stored on the computer and not the
> output of 'samba-tool testparm -v'?
>
> The smb.conf you supplied is just too much to wade through.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
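Editor's note on the configuration in this thread: the [global] section posted at the top switches off schannel, SMB and RPC signing, sealed winbind pipes and strong session keys, and allows null passwords. Those settings remove the integrity protection on the NETLOGON and RPC traffic to every DC, so if they were set to make packet captures easier to read they should be put back once the capture is done. The Python below is an added example written for this page (not code from the poster, the Samba project, or the bug report linked above). It parses an smb.conf fragment, flags those settings, and diffs two "wbinfo -m" listings to name the domain that disappeared after the upgrade. The two config fragments and the two listings are constructed from values posted in the thread; the "hardened" replacement values are an assumption about what this site should run, not a statement of Samba's defaults.

```python
"""Flag smb.conf settings that weaken DC traffic protection, and diff two
'wbinfo -m' listings.  Added example for this thread; not the poster's or
Samba's code.  Sample inputs are constructed from values in the thread."""
import re

# [global] settings whose listed value weakens integrity protection of the
# NETLOGON / RPC / SMB traffic, with the value to set instead.  The
# replacement values are an assumption about the target, not Samba defaults.
WEAK_SETTINGS = {
    "client schannel": ("no", "yes"),
    "server schannel": ("no", "yes"),
    "client signing": ("no", "mandatory"),
    "server signing": ("no", "mandatory"),
    "client ipc signing": ("no", "mandatory"),
    "winbind sealed pipes": ("no", "yes"),
    "require strong key": ("no", "yes"),
    "null passwords": ("yes", "no"),
}

# smb.conf accepts several spellings for booleans; anything else passes through.
_BOOL = {"yes": "yes", "true": "yes", "1": "yes",
         "no": "no", "false": "no", "0": "no"}


def parse_smb_conf(text):
    """Return {section: {key: value}} using simplified smb.conf rules:
    section names and keys are case-insensitive, whitespace runs inside a
    key collapse to one space, lines starting with '#' or ';' are comments,
    and a trailing backslash continues the line."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        raw = pending + raw
        pending = ""
        if raw.rstrip().endswith("\\"):
            pending = raw.rstrip()[:-1]
            continue
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][key] = value.strip()
    return sections


def audit(conf):
    """Return sorted (key, current value, recommended value) for every
    [global] setting that currently carries its weak value."""
    globals_ = conf.get("global", {})
    findings = []
    for key, (weak, fix) in WEAK_SETTINGS.items():
        value = globals_.get(key)
        if value is not None and _BOOL.get(value.lower(), value.lower()) == weak:
            findings.append((key, value, fix))
    return sorted(findings)


def lost_domains(before, after):
    """Domains an earlier 'wbinfo -m' listed that a later one no longer shows."""
    earlier = [d.strip() for d in before.splitlines() if d.strip()]
    later = {d.strip() for d in after.splitlines() if d.strip()}
    return [d for d in earlier if d not in later]


# Constructed from the [global] section posted in the thread.
WEAK_CONF = """[global]
client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false
null passwords = yes
workgroup = HC1
"""

# The same fragment with the weak values replaced (assumed target values).
HARDENED_CONF = """[global]
client schannel = yes
server schannel = yes
client ipc signing = mandatory
client signing = mandatory
server signing = mandatory
winbind sealed pipes = yes
require strong key = yes
null passwords = no
workgroup = HC1
"""

# 'wbinfo -m' output as posted for samba-4.0.5 and samba-4.4.4.
WBINFO_405 = "BUILTIN\nMYBOX\nHC1\nCHILD1\nTREEROOT\nHC2\nCHILD2\n"
WBINFO_444 = "BUILTIN\nMYBOX\nHC1\nCHILD1\nTREEROOT\nHC2\n"

if __name__ == "__main__":
    for key, value, fix in audit(parse_smb_conf(WEAK_CONF)):
        print(f"[global] {key} = {value}   -> set '{key} = {fix}'")
    print("domains missing after the upgrade:", lost_domains(WBINFO_405, WBINFO_444))
```

Run it against the real file with parse_smb_conf(open("/etc/config/smb.conf").read()); the audit only looks at [global], which is where all eight settings live. The parser is deliberately minimal (no "include" or "config backend" handling), so use testparm for anything beyond a quick check.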

