[Samba] interdomain trust broken after upgrade to 4.1.17

Rowland Penny rpenny at samba.org
Fri Mar 25 15:25:08 UTC 2016


On 25/03/16 14:15, Oliver Freyd wrote:
> Hi samba folks,
>
> I'm running an NT4-style samba PDC and 2 BDCs. They are all on
> samba 3.6.25 (the SERNET packages on debian wheezy).
>
> I have a domain trust with another server on another subnet,
> I think they run samba 3.5, also NT4-style domain.
>
> Everything ran fine, they can login to our machines and vice versa,
> winbind can resolve their usernames etc.
>
> Now I upgraded the PDC to debian jessie, and the samba to 4.1.17.
>
> Everything seems to be fine, except the domain trust.
>
> winbind does not list their users, wbinfo -u only shows my users,
> not the other domain.
>
>
>
> this is the output of
> net   rpc trustdom list -U netzadmin
> Enter netzadmin's password:
> Trusted domains list:
>
> TESTDOM             S-1-5-21-4290508083-233918025-494574875
> TASCON              S-1-5-21-917896259-2246452459-4243388401
>
> Trusting domains list:
>
> Unable to find a suitable server for domain TASCON
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TASCON              couldn't get domain's sid
> Unable to find a suitable server for domain TESTDOM
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TESTDOM             couldn't get domain's sid
>
> (TESTDOM was a test domain I used to set up this domain trust thingie,
> it is offline, but tascon should work.)
>
> the same thing on a BDC that was not upgraded:
>
> net rpc trustdom list -U netzadmin
> Enter netzadmin's password:
> Trusted domains list:
>
> TESTDOM             S-1-5-21-4290508083-233918025-494574875
> TASCON              S-1-5-21-917896259-2246452459-4243388401
>
> Trusting domains list:
>
> TASCON              S-1-5-21-917896259-2246452459-4243388401
> Unable to find a suitable server for domain TESTDOM
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TESTDOM             couldn't get domain's sid
>
>
> So that machine finds the trusting domain.
>
> raising the debug level shows samba 4.1.17 somehow can't find the
> domain controller of the trusting domain TASCON:
>
> ....
> no entry for TASCON#1B found.
> name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
> S
> ...
> I suppose it is looking in gencache.tdb for TASCON#1B and then it 
> tries a broadcast that fails because that domain is on another subnet.
>
> Strangely, using nmblookup succeeds:
> nmblookup -U localhost -R TASCON#1b
> WARNING: The "enable privileges" option is deprecated
> added interface eth0 ip=192.168.0.250 bcast=192.168.0.255 
> netmask=255.255.255.0
> querying TASCON on 127.0.0.1
> Got a positive name query response from 127.0.0.1 ( 192.168.128.1 )
> 192.168.128.1 TASCON<1b>
>
>
> So I'm somewhat at a loss here.
> Any ideas of where I could dig into to fix this, if it is a 
> misconfiguration or a bug in samba?
>
> Thanks in advance,
>
>     Oliver Freyd
>
>
>
>

Can you post your smb.conf ?

Rowland


