[Samba] winbind between trusted domains really acting up under 3.0.28a
- Date: Tue, 25 Mar 2008 14:57:15 +1300
- From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
- Subject: [Samba] winbind between trusted domains really acting up under 3.0.28a
I'm starting to see some really weird things happen on a range of Samba-3.0.28a servers installed as "security=ADS" members of a variety of domains. This was working last time I checked (weeks ago), but something's happened. Windows Updates tend to spring to mind more than Samba upgrades as a cause...
On all of them, "wbinfo -t" is happy, "net ads testjoin" is happy, "wbinfo -m" returns expected trusted domains. Looking up members of their own domains appears 100% reliable. "allow trusted domains = Yes" is set.
What I am seeing is that the Samba host cannot resolve AD accounts from other trusted domains correctly anymore. "wbinfo -i dom\\username" returns "Could not get info" instead of an answer, and there appears to be a big disconnect with mappings between SIDs and UIDs.
e.g. "wbinfo -S S-1-5-21-725345543-602609370-839522115-10663" returns a UID, and "wbinfo -s S-1-5-21-725345543-602609370-839522115-10663" returns "DOM\\username", but "wbinfo -i DOM\\username" returns "Could not get info". So it looks like winbind has SID->UID->name, but can't do the opposite? Also, looking at /var/log/samba/log.wb-DOM shows
    get_trust_pw_clear: could not fetch clear text trust account password for domain DOM
    [2008/03/25 01:47:19, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
      error getting user info for sid S-1-5-21-725345543-602609370-839522115-10663
So it looks like Samba as an ADS member in one domain is attempting to make a clear text connection to domain controllers in another domain and failing. Well that makes me think of two questions:
1. Why does samba (as a member server) even have to know about other domains? I would have thought it would just throw the problem at its local DCs to deal with?

2. Why is it using clear text? I assume that's the problem. It is compiled against Kerberos, and whatever else normally happens, so I don't understand why it's using clear text. "testparm" shows nothing that stands out as being behind this, and the logs show no other errors/failures besides this.
Any ideas? These are CentOS4 systems with samba-3.0.28a. Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
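The diagnosis in the post walks the winbind mapping chain by hand (wbinfo -S, then -s, then -i) and finds that the last hop is the one that breaks for trusted-domain users. The script below is an added example, not code from the post or from the Samba project: it runs that chain for one SID per trusted domain and reports the first hop that fails, adding a name->SID round trip (wbinfo -n) between the two. It assumes the usual wbinfo output formats ("wbinfo -s" prints "DOM\user <type>", "wbinfo -n" prints "<SID> <type>", non-zero exit on failure); the WBINFO variable is an assumption added so the chain can be run against a wrapper or stub.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project).
# Walk the winbind mapping chain for a SID and report the first failing hop:
#   SID  -> UID   (wbinfo -S)
#   SID  -> name  (wbinfo -s)
#   name -> SID   (wbinfo -n, must round-trip to the original SID)
#   name -> info  (wbinfo -i, the passwd-style lookup failing in the post)
# Assumed output formats: "wbinfo -s" prints "DOM\user <type>" and
# "wbinfo -n" prints "<SID> <type>"; only the first field is used.
# WBINFO is an assumed override hook so the chain can be run against a stub.

WBINFO="${WBINFO:-wbinfo}"

# check_sid_chain SID
# Prints "<hop> ok <value>" or "<hop> FAIL <wbinfo output>" per hop.
# Returns 0 when every hop succeeds, otherwise 1..4 = number of the failing hop.
check_sid_chain() {
    sid="$1"

    out=$("$WBINFO" -S "$sid" 2>&1) || { printf 'sid->uid FAIL %s\n' "$out"; return 1; }
    printf 'sid->uid ok %s\n' "$out"

    out=$("$WBINFO" -s "$sid" 2>&1) || { printf 'sid->name FAIL %s\n' "$out"; return 2; }
    name=${out% *}          # drop the trailing SID-type field
    printf 'sid->name ok %s\n' "$name"

    out=$("$WBINFO" -n "$name" 2>&1) || { printf 'name->sid FAIL %s\n' "$out"; return 3; }
    back=${out%% *}         # first field is the SID
    if [ "$back" != "$sid" ]; then
        printf 'name->sid FAIL round-trip gave %s\n' "$back"
        return 3
    fi
    printf 'name->sid ok %s\n' "$back"

    out=$("$WBINFO" -i "$name" 2>&1) || { printf 'name->info FAIL %s\n' "$out"; return 4; }
    printf 'name->info ok %s\n' "$out"
    return 0
}

# check_domains SID...
# Runs the chain for each SID (one known user SID per domain listed by
# "wbinfo -m" is the intended input) and returns non-zero if any chain broke.
check_domains() {
    failed=0
    for s in "$@"; do
        printf '== %s\n' "$s"
        check_sid_chain "$s" || failed=$((failed + 1))
    done
    printf '%d of %d SIDs failed\n' "$failed" "$#"
    [ "$failed" -eq 0 ]
}

# Usage: sh wbchain.sh S-1-5-21-...-10663 S-1-5-21-...-1105
if [ "$#" -gt 0 ]; then
    check_domains "$@"
fi
```

On a host in the state the post describes, a trusted-domain SID reports "name->info FAIL Could not get info ..." after three successful hops, while a SID from the member's own domain passes all four; comparing the two outputs side by side narrows the problem to the passwd-info lookup rather than the idmap or name-resolution layers.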