[Samba] interdomain trust broken after upgrade to 4.1.17

Oliver Freyd Oliver.Freyd at gmx.de
Fri Mar 25 14:15:40 UTC 2016


Hi samba folks,

I'm running an NT4-style samba PDC and 2 BDCs. They are all on
samba 3.6.25 (the SERNET packages on debian wheezy).

I have a domain trust with another server on another subnet,
I think they run samba 3.5, also NT4-style domain.

Everything ran fine, they can login to our machines and vice versa,
winbind can resolve their usernames etc.

Now I upgraded the PDC to debian jessie, and the samba to 4.1.17.

Everything seems to be fine, except the domain trust.

winbind does not list their users, wbinfo -u only shows my users,
not the other domain.



This is the output of:
net rpc trustdom list -U netzadmin
Enter netzadmin's password:
Trusted domains list:

TESTDOM             S-1-5-21-4290508083-233918025-494574875
TASCON              S-1-5-21-917896259-2246452459-4243388401

Trusting domains list:

Unable to find a suitable server for domain TASCON
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
TASCON              couldn't get domain's sid
Unable to find a suitable server for domain TESTDOM
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
TESTDOM             couldn't get domain's sid

(TESTDOM was a test domain I used to set up this domain trust thingie; it
is offline, but TASCON should work.)

The same thing on a BDC that was not upgraded:

net rpc trustdom list -U netzadmin
Enter netzadmin's password:
Trusted domains list:

TESTDOM             S-1-5-21-4290508083-233918025-494574875
TASCON              S-1-5-21-917896259-2246452459-4243388401

Trusting domains list:

TASCON              S-1-5-21-917896259-2246452459-4243388401
Unable to find a suitable server for domain TESTDOM
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
TESTDOM             couldn't get domain's sid


So that machine finds the trusting domain.

Raising the debug level shows samba 4.1.17 somehow can't find the
domain controller of the trusting domain TASCON:

....
no entry for TASCON#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
S
...
I suppose it is looking in gencache.tdb for TASCON#1B and then it tries 
a broadcast that fails because that domain is on another subnet.

Strangely, using nmblookup succeeds:
nmblookup -U localhost -R TASCON#1b
WARNING: The "enable privileges" option is deprecated
added interface eth0 ip=192.168.0.250 bcast=192.168.0.255 netmask=255.255.255.0
querying TASCON on 127.0.0.1
Got a positive name query response from 127.0.0.1 ( 192.168.128.1 )
192.168.128.1 TASCON<1b>


So I'm somewhat at a loss here.
Any ideas where I could dig in to fix this, and whether it is a
misconfiguration or a bug in samba?

Thanks in advance,

     Oliver Freyd


-------------- next part --------------
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter netbios name = sambapdc
doing parameter os level = 100
doing parameter preferred master = yes
doing parameter local master = yes
doing parameter domain master = yes
doing parameter domain logons = yes
doing parameter workgroup = IONTOF
doing parameter server string = %h
doing parameter wins support = yes
doing parameter dns proxy = no
doing parameter remote browse sync = 192.168.128.1
doing parameter name resolve order = wins bcast host
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter log level = 2
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter passdb backend = ldapsam:ldap://127.0.0.1
doing parameter ldap admin dn = cn=admin,dc=iontof,dc=com
doing parameter ldap suffix = dc=iontof,dc=com
doing parameter ldap machine suffix = ou=machines
doing parameter ldap user suffix = ou=users
doing parameter ldap group suffix = ou=groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap delete dn = no
doing parameter enable privileges = yes
WARNING: The "enable privileges" option is deprecated
doing parameter ldap password sync = yes
doing parameter ldap ssl = no
doing parameter ldap timeout = 20
doing parameter idmap config * : backend = ldap
doing parameter idmap config * : range = 30000-40000
doing parameter idmap config * : ldap_url = ldap://localhost/
doing parameter idmap config * : ldap_base_dn = ou=Idmap,dc=iontof,dc=com
doing parameter idmap config * : ldap_user_dn = cn=admin,dc=iontof,dc=com
doing parameter idmap config IONTOF : backend = nss
doing parameter idmap config IONTOF : range = 1000-9999
doing parameter winbind nested groups = Yes
doing parameter ea support = Yes
doing parameter map acl inherit = Yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter logon path = 
doing parameter logon script = scripts\logon.cmd
doing parameter add user script = /usr/sbin/smbldap-useradd -m '%u'
doing parameter add group script = /usr/sbin/smbldap-groupadd '%g'
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
doing parameter add machine script = /usr/sbin/smbldap-useradd -w '%u'
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add share command = /usr/local/sbin/modify_samba_config.pl
doing parameter username map = /etc/samba/smbusers
doing parameter printing = lprng
doing parameter printcap name = /etc/printcap
doing parameter socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter winbind enum groups = yes
doing parameter winbind enum users = yes
doing parameter winbind trusted domains only = yes
doing parameter obey pam restrictions = yes
pm_process() returned Yes
Netbios name list:-
my_netbios_names[0]="SAMBAPDC"
added interface eth0 ip=192.168.0.250 bcast=192.168.0.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
name IONTOF#1B found.
namecache_status_fetch: key NBT/IONTOF#1B.20.192.168.0.250 -> SAMBAPDC
Enter netzadmin's password:Connecting to 192.168.0.250 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 16
	IPTOS_THROUGHPUT = 16
	SO_REUSEPORT = 0
	SO_SNDBUF = 16384
	SO_RCVBUF = 16384
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
	TCP_DEFER_ACCEPT = 0
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Bind RPC Pipe: host SAMBAPDC auth_type 0, auth_level 1
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 84
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 160
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
Bind RPC Pipe: host SAMBAPDC auth_type 0, auth_level 1
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 116
no entry for TASCON#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 1
	SO_BROADCAST = 1
	Could not test socket option TCP_NODELAY.
	Could not test socket option TCP_KEEPCNT.
	Could not test socket option TCP_KEEPIDLE.
	Could not test socket option TCP_KEEPINTVL.
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 1
	SO_SNDBUF = 212992
	SO_RCVBUF = 212992
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	Could not test socket option TCP_QUICKACK.
	Could not test socket option TCP_DEFER_ACCEPT.
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fb0bdf99b50] mpx_fde[(nil)] fd[14] - disabling
resolve_hosts: not appropriate for name type <0x1b>
Unable to resolve PDC server address
Unable to find a suitable server for domain TASCON
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
no entry for TESTDOM#1B found.
name_resolve_bcast: Attempting broadcast lookup for name TESTDOM<0x1b>
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 1
	SO_BROADCAST = 1
	Could not test socket option TCP_NODELAY.
	Could not test socket option TCP_KEEPCNT.
	Could not test socket option TCP_KEEPIDLE.
	Could not test socket option TCP_KEEPINTVL.
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 1
	SO_SNDBUF = 212992
	SO_RCVBUF = 212992
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	Could not test socket option TCP_QUICKACK.
	Could not test socket option TCP_DEFER_ACCEPT.
samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x7fb0bdf99b50] mpx_fde[(nil)] fd[14] - disabling
resolve_hosts: not appropriate for name type <0x1b>
Unable to resolve PDC server address
Unable to find a suitable server for domain TESTDOM
domain controller is not responding: NT_STATUS_UNSUCCESSFUL
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
rpc_api_pipe: host SAMBAPDC
rpc_read_send: data_to_read: 32
return code = 0
Freeing parametrics:

Trusted domains list:

TESTDOM             S-1-5-21-4290508083-233918025-494574875
TASCON              S-1-5-21-917896259-2246452459-4243388401

Trusting domains list:

TASCON              couldn't get domain's sid
TESTDOM             couldn't get domain's sid

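The post contrasts a failing broadcast lookup for TASCON<1b> with a successful unicast WINS query (nmblookup -U localhost -R). The following is an added example, not code from the post or from Samba: it builds the NBNS name query for a domain master browser (<1b>) name in both the broadcast and the WINS (recursion desired) form per RFC 1001/1002, and parses a constructed positive response like the one nmblookup printed. All packet bytes below are constructed sample data; the transaction id, TTL and H-node flags are assumptions.

```python
import struct

NB_TYPE, NB_CLASS_IN = 0x0020, 0x0001   # NB resource record, class IN (RFC 1002)
DOMAIN_MASTER_SUFFIX = 0x1B             # the <1b> name a PDC registers for its domain

def encode_netbios_name(name, suffix):
    """First-level encoding (RFC 1001 14.1): pad to 15 bytes, append the suffix
    byte, split every byte into two nibbles and map each nibble to 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    label = bytes(ord("A") + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([len(label)]) + label + b"\x00"      # one 32-byte label, no scope

def decode_netbios_name(label):
    """Inverse of encode_netbios_name for a 32-byte label: returns (name, suffix)."""
    raw = bytes(((label[i] - 65) << 4) | (label[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def build_name_query(txid, name, suffix, broadcast):
    """NAME QUERY REQUEST. A broadcast query sets RD and the B flag; a unicast
    query to a WINS server sets only RD, as `nmblookup -U <wins> -R NAME#1b` does."""
    flags = 0x0110 if broadcast else 0x0100
    return (struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_netbios_name(name, suffix) + struct.pack(">HH", NB_TYPE, NB_CLASS_IN))

def build_positive_response(txid, name, suffix, ip):
    """Constructed POSITIVE NAME QUERY RESPONSE as a WINS server would send it
    (R, AA, RD, RA set) with one unique H-node address; sample input only."""
    rdata = struct.pack(">H", 0x6000) + bytes(int(o) for o in ip.split("."))
    return (struct.pack(">HHHHHH", txid, 0x8580, 0, 1, 0, 0)
            + encode_netbios_name(name, suffix)
            + struct.pack(">HHIH", NB_TYPE, NB_CLASS_IN, 300000, len(rdata)) + rdata)

def parse_name_response(packet):
    """Return (name, suffix, [addresses]) from a name query response; raise on a
    negative response (RCODE != 0) or a packet that is not a single NB answer."""
    _, flags, _, ancount, _, _ = struct.unpack_from(">HHHHHH", packet, 0)
    if flags & 0x000F:
        raise ValueError("negative name query response, rcode=%d" % (flags & 0xF))
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer response")
    off = 12
    label_len = packet[off]
    label = packet[off + 1:off + 1 + label_len]
    off += 1 + label_len + 1                          # skip the label and the root zero byte
    rrtype, _, _, rdlen = struct.unpack_from(">HHIH", packet, off)
    off += 10
    if rrtype != NB_TYPE or rdlen % 6:
        raise ValueError("unexpected RR type or RDATA length")
    name, suffix = decode_netbios_name(label)
    addrs = [".".join(str(b) for b in packet[i + 2:i + 6]) for i in range(off, off + rdlen, 6)]
    return name, suffix, addrs
```

The broadcast form only reaches the local subnet, which is why a <1b> lookup for a domain on another subnet has to go unicast to a WINS server, as the post's nmblookup run does.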
