[Samba] winbind trusted domain regression after upgrade to samba 4.2.10

Oliver Freyd Oliver.Freyd at iontof.com
Wed May 11 15:44:32 UTC 2016


I've upgraded a classic NT4 style BDC to samba 4.2.10 (and after that to 
4.2.12, but no improvement...)

It was running on 4.1.17 and wbinfo -u showed a list of our users, and 
users of the trusted domain.

Running on 4.2.12, it lists only our users.

On a working server:
wbinfo --domain=EXAMPLE -t
checking the trust secret for domain EXAMPLE via RPC calls succeeded

On 4.2.12:

wbinfo --domain=EXAMPLE -t
checking the trust secret for domain EXAMPLE via RPC calls failed
error code was NT_STATUS_RPC_PROTOCOL_ERROR (0xc002001d)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

The domain controller of the trusted domain is running
samba 3.5.6

This is a part of the log in loglevel 5:

[2016/05/11 14:28:38.625054,  5] 
   rpccli_setup_netlogon_creds: using new netlogon_creds 
[2016/05/11 14:28:38.629196,  5] 
   check lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.629266,  5] 
   release lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.629501,  5] 
   Starting GENSEC mechanism schannel
[2016/05/11 14:28:38.629534,  5] 
   Bind RPC Pipe: host FILESERVER auth_type 68, auth_level 5
[2016/05/11 14:28:38.629558,  5] 
   create_generic_auth_rpc_bind_req: generate first token
[2016/05/11 14:28:38.629685,  5] 
   rpc_api_pipe: host FILESERVER
[2016/05/11 14:28:38.632057,  5] 
   rpc_read_send: data_to_read: 76
[2016/05/11 14:28:38.632134,  5] 
   check_bind_response: accepted!
[2016/05/11 14:28:38.632161,  0] 
   Failed to pull dcerpc auth: NT_STATUS_RPC_PROTOCOL_ERROR.
[2016/05/11 14:28:38.632249,  0] 
   cli_rpc_pipe_open_schannel_with_key: rpc_pipe_bind failed with error 
[2016/05/11 14:28:38.632291,  5] 
   check lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.632344,  5] 
   release lock order 2 for /var/run/samba/g_lock.tdb
[2016/05/11 14:28:38.634387,  3] 
   Could not open schannel'ed NETLOGON pipe. Error was 
[2016/05/11 14:28:38.636584,  3] 
   could not open handle to NETLOGON pipe
[2016/05/11 14:28:38.636625,  2] 
   Checking the trust account password for domain EXAMPLE returned 
[2016/05/11 14:28:38.636691,  4] 
   Finished processing child request 59

Actually, to get this far I had to enable several options in the
smb.conf (found in the release notes of samba 4.2):
client ipc signing = auto

This fixed
   net rpc trustdom list
that would no longer connect to our PDC (still samba 3.6.25) to list the
trusted domains.

Also, in the winbind logfile I found:
Unwilling to make SAMR connection to domain EXAMPLE without connection
level security, must set 'winbind sealed pipes = false' and 'require 
strong key = false' to proceed: NT_STATUS_DOWNGRADE_DETECTED

So I added these options...but still no luck, the users of the trusted 
domain are gone...

BTW, samba-4.2.9 is ok, wbinfo --domain=EXAMPLE -u
lists the users, wbinfo -t works for both domains.

Well, that's it for now,

