[Samba] winbind trusted domain regression after upgrade to samba 4.2.10
Oliver Freyd
Oliver.Freyd at iontof.com
Wed May 11 15:44:32 UTC 2016
Hello,
I've upgraded a classic NT4 style BDC to samba 4.2.10 (and after that to
4.2.12, but no improvement...)
It was running on 4.1.17 and wbinfo -u showed a list of our users, and
users of the trusted domain.
Running on 4.2.12, it lists only our users.
On a working server:
wbinfo --domain=EXAMPLE -t
checking the trust secret for domain EXAMPLE via RPC calls succeeded
On 4.2.12:
wbinfo --domain=EXAMPLE -t
checking the trust secret for domain EXAMPLE via RPC calls failed
error code was NT_STATUS_RPC_PROTOCOL_ERROR (0xc002001d)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
The domain controller of the trusted domain is running
samba 3.5.6
This is a part of the log in loglevel 5:
[2016/05/11 14:28:38.625054, 5]
../source3/rpc_client/cli_netlogon.c:190(rpccli_setup_netlogon_creds)
rpccli_setup_netlogon_creds: using new netlogon_creds
cli[IONTOF$/DBTEST] to FILESERVER
[2016/05/11 14:28:38.629196, 5]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
check lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.629266, 5]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
release lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.629501, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC mechanism schannel
[2016/05/11 14:28:38.629534, 5]
../source3/rpc_client/cli_pipe.c:1872(rpc_pipe_bind_send)
Bind RPC Pipe: host FILESERVER auth_type 68, auth_level 5
[2016/05/11 14:28:38.629558, 5]
../source3/rpc_client/cli_pipe.c:1139(create_generic_auth_rpc_bind_req)
create_generic_auth_rpc_bind_req: generate first token
[2016/05/11 14:28:38.629685, 5]
../source3/rpc_client/cli_pipe.c:826(rpc_api_pipe_send)
rpc_api_pipe: host FILESERVER
[2016/05/11 14:28:38.632057, 5]
../source3/rpc_client/cli_pipe.c:98(rpc_read_send)
rpc_read_send: data_to_read: 76
[2016/05/11 14:28:38.632134, 5]
../source3/rpc_client/cli_pipe.c:1745(check_bind_response)
check_bind_response: accepted!
[2016/05/11 14:28:38.632161, 0]
../source3/rpc_client/cli_pipe.c:1965(rpc_pipe_bind_step_one_done)
Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
[2016/05/11 14:28:38.632249, 0]
../source3/rpc_client/cli_pipe.c:3209(cli_rpc_pipe_open_schannel_with_key)
cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error
NT_STATUS_RPC_PROTOCOL_ERROR
[2016/05/11 14:28:38.632291, 5]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
check lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.632344, 5]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
release lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.634387, 3]
../source3/winbindd/winbindd_cm.c:3015(cm_connect_netlogon)
Could not open schannel'ed NETLOGON pipe. Error was
NT_STATUS_RPC_PROTOCOL_ERROR
[2016/05/11 14:28:38.636584, 3]
../source3/winbindd/winbindd_dual_srv.c:605(_wbint_CheckMachineAccount)
could not open handle to NETLOGON pipe
[2016/05/11 14:28:38.636625, 2]
../source3/winbindd/winbindd_dual_srv.c:618(_wbint_CheckMachineAccount)
Checking the trust account password for domain EXAMPLE returned
NT_STATUS_RPC_PROTOCOL_ERROR
[2016/05/11 14:28:38.636691, 4]
../source3/winbindd/winbindd_dual.c:1395(child_handler)
Finished processing child request 59
Actually, to get this far I had to enable several options in the
smb.conf (found in the release notes of samba 4.2):
client ipc signing = auto
This fixed
net rpc trustdom list
that would no longer connect to our PDC (still samba 3.6.25) to list the
trusted domains.
Also, in the winbind logfile I found:
Unwilling to make SAMR connection to domain EXAMPLE without connection
level security, must set 'winbind sealed pipes = false' and 'require
strong key = false' to proceed: NT_STATUS_DOWNGRADE_DETECTED
So I added these options...but still no luck, the users of the trusted
domain are gone...
BTW, samba-4.2.9 is ok, wbinfo --domain=EXAMPLE -u
lists the users, wbinfo -t works for both domains.
Well, that's it for now,
Oliver
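
Added example, not part of the original post and not Samba code: a small Python triage script that rebuilds the wrapped log records quoted above and keeps only the records at debug level 3 or lower, with the status codes they report. The names parse_records and failure_chain are hypothetical; the sample is an excerpt of the log in the post.

```python
import re

# Record header "[date time, level ...]"; the source location may follow on the
# same line (as winbindd writes it) or on the next line (as wrapped in the mail).
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)[^\]]*\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\d+\((\w+)\)$")
STATUS = re.compile(r"\b(?:NT_STATUS|WBC_ERR)_[A-Z0-9_]+\b")

# Excerpt of the log quoted in the post above.
SAMPLE = """\
[2016/05/11 14:28:38.632134, 5]
../source3/rpc_client/cli_pipe.c:1745(check_bind_response)
check_bind_response: accepted!
[2016/05/11 14:28:38.632161, 0]
../source3/rpc_client/cli_pipe.c:1965(rpc_pipe_bind_step_one_done)
Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
[2016/05/11 14:28:38.634387, 3]
../source3/winbindd/winbindd_cm.c:3015(cm_connect_netlogon)
Could not open schannel'ed NETLOGON pipe. Error was
NT_STATUS_RPC_PROTOCOL_ERROR
"""

def parse_records(text):
    """Rebuild records whose header, location and message span several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            records.append({"time": head.group(1), "level": int(head.group(2)),
                            "function": None, "message": ""})
            line = head.group(3)
        if not line or not records:
            continue
        rec, loc = records[-1], LOCATION.match(line)
        if loc and rec["function"] is None and not rec["message"]:
            rec["function"] = loc.group(1)
        else:
            rec["message"] = (rec["message"] + " " + line).strip()
    return records

def failure_chain(text, max_level=3):
    """Return (time, function, status codes) for records at or below max_level."""
    return [(r["time"], r["function"], STATUS.findall(r["message"]))
            for r in parse_records(text) if r["level"] <= max_level]

if __name__ == "__main__":
    for when, func, codes in failure_chain(SAMPLE):
        print(when, func, ",".join(codes))
```

On the excerpt this leaves the two failing steps, rpc_pipe_bind_step_one_done and cm_connect_netlogon, and drops the level 5 record.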