[Samba] interdomain trust broken after upgrade to 4.1.17
Rowland Penny
rpenny at samba.org
Fri Mar 25 15:25:08 UTC 2016
On 25/03/16 14:15, Oliver Freyd wrote:
> Hi samba folks,
>
> I'm running an NT4-style samba PDC and 2 BDCs. They are all on
> samba 3.6.25 (the SERNET packages on debian wheezy)
>
> I have a domain trust with another server on another subnet,
> I think they run samba 3.5, also NT4-style domain.
>
> Everything ran fine, they can login to our machines and vice versa,
> winbind can resolve their usernames etc.
>
> Now I upgraded the PDC to debian jessie, and the samba to 4.1.17.
>
> Everything seems to be fine, except the domain trust.
>
> winbind does not list their users, wbinfo -u only shows my users,
> not the other domain.
>
>
>
> this is the output of
> net rpc trustdom list -U netzadmin
> Enter netzadmin's password:
> Trusted domains list:
>
> TESTDOM S-1-5-21-4290508083-233918025-494574875
> TASCON S-1-5-21-917896259-2246452459-4243388401
>
> Trusting domains list:
>
> Unable to find a suitable server for domain TASCON
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TASCON couldn't get domain's sid
> Unable to find a suitable server for domain TESTDOM
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TESTDOM couldn't get domain's sid
>
> (TESTDOM was a test domain I used to set up this domain trust thingie,
> it is offline, but tascon should work.)
>
> the same thing on a BDC that was not upgraded:
>
> net rpc trustdom list -U netzadmin
> Enter netzadmin's password:
> Trusted domains list:
>
> TESTDOM S-1-5-21-4290508083-233918025-494574875
> TASCON S-1-5-21-917896259-2246452459-4243388401
>
> Trusting domains list:
>
> TASCON S-1-5-21-917896259-2246452459-4243388401
> Unable to find a suitable server for domain TESTDOM
> domain controller is not responding: NT_STATUS_UNSUCCESSFUL
> TESTDOM couldn't get domain's sid
>
>
> So that machine finds the trusting domain.
>
> raising the debug level shows samba 4.1.17 somehow can't find the
> domain controller of the trusting domain TASCON:
>
> ....
> no entry for TASCON#1B found.
> name_resolve_bcast: Attempting broadcast lookup for name TASCON<0x1b>
> S
> ...
> I suppose it is looking in gencache.tdb for TASCON#1B and then it
> tries a broadcast that fails because that domain is on another subnet.
>
> Strangely, using nmblookup succeeds:
> nmblookup -U localhost -R TASCON#1b
> WARNING: The "enable privileges" option is deprecated
> added interface eth0 ip=192.168.0.250 bcast=192.168.0.255
> netmask=255.255.255.0
> querying TASCON on 127.0.0.1
> Got a positive name query response from 127.0.0.1 ( 192.168.128.1 )
> 192.168.128.1 TASCON<1b>
>
>
> So I'm somewhat at a loss here.
> Any ideas of where I could dig into to fix this, if it is a
> misconfiguration or a bug in samba?
>
> Thanks in advance,
>
> Oliver Freyd
>
>
>
>
Can you post your smb.conf ?
Rowland