I'm starting to see some really weird things happen on a range of Samba-3.0.28a servers installed as "security=ADS" members of a variety of domains. This was working last time I checked (weeks ago), but something's happened. Windows Updates tend to spring to mind more than Samba upgrades as a cause...

On all of them, "wbinfo -t" is happy, "net ads testjoin" is happy, "wbinfo -m" returns expected trusted domains. Looking up members of their own domains appears 100% reliable. "allow trusted domains = Yes" is set.

What I am seeing is that the Samba host cannot resolve AD accounts from other trusted domains correctly anymore. "wbinfo -i dom\\username" returns "Could not get info" instead of an answer, and there appears to be a big disconnect with mappings between SIDs and UIDs.

e.g.
wbinfo -S S-1-5-21-725345543-602609370-839522115-10663
...returns a UID, and
wbinfo -s S-1-5-21-725345543-602609370-839522115-10663
...returns "DOM\\username", but

wbinfo -i "DOM\\username"

returns "Could not get info". So it looks like winbind has SID->UID->name - but can't do the opposite? Also, looking at /var/log/samba/log.wb-DOM shows

get_trust_pw_clear: could not fetch clear text trust account password for domain DOM
[2008/03/25 01:47:19, 1] nsswitch/winbindd_user.c:winbindd_dual_userinfo(152)
  error getting user info for sid S-1-5-21-725345543-602609370-839522115-10663

So it looks like Samba as an ADS member in one domain is attempting to make a clear text connection to domain controllers in another domain and failing. Well that makes me think of two questions:

1. Why does Samba (as a member server) even have to know about other domains? I would have thought it would just throw the problem at its local DCs to deal with?

2. Why is it using clear text? I assume that's the problem. It is compiled against Kerberos, and whatever else normally happens, so I don't understand why it's using clear text. "testparm" shows nothing that stands out as being behind this, and the logs show no other errors/failures besides this.

Any ideas? These are CentOS4 systems with samba-3.0.28a. Thanks!


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
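
The three lookups described in this post, wrapped as a per-SID check so the failing direction can be recorded across many SIDs or hosts. This is an added example, not part of the original message; the `check_sid` function name and the `WBINFO` override variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example: run the SID->UID, SID->name and name->userinfo lookups
# for one SID and report which of them fail.
# WBINFO is a hypothetical override (e.g. a full path); defaults to wbinfo.
WBINFO=${WBINFO:-wbinfo}

# check_sid SID
# Prints one summary line and returns 0 only if all three lookups succeed.
check_sid() {
    sid=$1
    s2u=FAIL; s2n=FAIL; info=skipped; name=

    # wbinfo -S: SID -> UID
    if $WBINFO -S "$sid" >/dev/null 2>&1; then
        s2u=ok
    fi

    # wbinfo -s: SID -> name; output is "DOM\user <type>", so drop the
    # trailing type number to recover the account name.
    if out=$($WBINFO -s "$sid" 2>/dev/null); then
        s2n=ok
        name=${out% *}
        # wbinfo -i: name -> passwd-style user info (the step that
        # returns "Could not get info" in the report above)
        if $WBINFO -i "$name" >/dev/null 2>&1; then
            info=ok
        else
            info=FAIL
        fi
    fi

    printf '%s sid2uid=%s sid2name=%s userinfo=%s name=%s\n' \
        "$sid" "$s2u" "$s2n" "$info" "$name"
    [ "$s2u" = ok ] && [ "$s2n" = ok ] && [ "$info" = ok ]
}

# Check every SID given on the command line; exit non-zero if any fails.
rc=0
for sid in "$@"; do
    check_sid "$sid" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

A line reading `sid2uid=ok sid2name=ok userinfo=FAIL` matches the symptom in this post; pair it with the timestamped entries in /var/log/samba/log.wb-DOM for the same SID.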
