Univention Bugzilla – Bug 33342
Samba3 trusts Windows does not work in UCS 3.2
Last modified: 2014-02-11 14:08:00 CET
We should recognize the trust in preup.sh and block the upgrade. This should be overwritable via UCR. Once Bug #33303 has been fixed, the check can be removed.

+++ This bug was initially created as a clone of Bug #33303 +++

The direction "Samba trusts Windows" does not work. Somehow winbind fails to resolve the remote domain. Tested with UCS 3.2-0 (product tests) against Windows 2008 R2 AD DC.

Slave and Memberserver behave only a little differently, but the main result is the same: The trust relation seems to be established successfully, UCS users can log on to the Windows DC, but Samba fails to look up users of the Windows domain:

===========================================================
root@slave42:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:
ARW2008R2 S-1-5-21-2993504088-2269847352-917328378
Trusting domains list:
ARW2008R2 S-1-5-21-2993504088-2269847352-917328378
root@slave42:~# wbinfo -m
BUILTIN
AR32I8
ARW2008R2
root@slave42:~# wbinfo --online-status
BUILTIN : online
AR32I8 : online
ARW2008R2 : online
root@slave42:~# wbinfo -D ARW2008R2
Name : ARW2008R2
Alt_Name : arw2008r2.qa
SID : S-1-5-21-2993504088-2269847352-917328378
Active Directory : Yes
Native : Yes
Primary : No
root@slave42:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)
root@slave42:~# wbinfo --domain=ARW2008R2 -t
checking the trust secret for domain ARW2008R2 via RPC calls succeeded
root@slave42:~# wbinfo -n ARW2008R2+Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+Administrator
root@slave42:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================

On the Memberserver at least the remote administrator account is resolved successfully and even authentication works for that account, but for normal users it does not work:

===========================================================
root@member43:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:
ARW2008R2 S-1-5-21-2993504088-2269847352-917328378
Trusting domains list:
ARW2008R2 S-1-5-21-2993504088-2269847352-917328378
root@member43:~# wbinfo -m
BUILTIN
MEMBER43
AR32I8
ARW2008R2
root@member43:~# wbinfo --online-status
BUILTIN : online
MEMBER43 : online
AR32I8 : online
ARW2008R2 : offline
root@member43:~# wbinfo -D ARW2008R2
Name : ARW2008R2
Alt_Name : arw2008r2.qa
SID : S-1-5-21-2993504088-2269847352-917328378
Active Directory : Yes
Native : Yes
Primary : No
root@member43:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)
root@member43:~# wbinfo -n ARW2008R2+Administrator
S-1-5-21-1376953716-2413384141-3399758289-500 SID_USER (1)
root@member43:~# wbinfo -a ARW2008R2+Administrator
Enter ARW2008R2+Administrator's password:
plaintext password authentication succeeded
Enter ARW2008R2+Administrator's password:
challenge/response password authentication succeeded
root@member43:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================
Check was added to preup.sh and the error message points out that it can be disabled by ucs set update32/ignore_samba_trust=yes. Changelog added.
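One way to implement such a pre-upgrade gate, added here as an example and not taken from Univention's preup.sh. It assumes the trust is detected from the "Trusted domains list:" section of `net rpc trustdom list` output; the function names, the sample inputs and passing the override value as an argument are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's preup.sh. Reads `net rpc trustdom list`
# output on stdin so it can run offline against captured text.

# Print the names of domains this Samba server trusts (outgoing trust).
# Only lines carrying a domain SID count, so headers and placeholder
# lines are skipped; the "Trusting domains list:" section is ignored.
trusted_domains() {
    awk '
        /^Trusted domains list:/  { in_trusted = 1; next }
        /^Trusting domains list:/ { in_trusted = 0; next }
        in_trusted && $2 ~ /^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$/ { print $1 }
    '
}

# $1: value of the override variable (on UCS this would come from
#     `ucr get update32/ignore_samba_trust`; passed in here, an assumption).
# Returns 0 if the upgrade may proceed, 1 if it must be blocked.
check_samba_trust() {
    override=$1
    domains=$(trusted_domains)
    if [ -z "$domains" ]; then
        return 0
    fi
    if [ "$override" = "yes" ]; then
        echo "WARNING: ignoring Samba trust to: $domains" >&2
        return 0
    fi
    echo "ERROR: Samba trusts domain(s): $domains" >&2
    echo "Set update32/ignore_samba_trust=yes to upgrade anyway." >&2
    return 1
}

# Constructed sample inputs modelled on the output quoted in this bug.
SAMPLE_TRUST='Trusted domains list:
ARW2008R2 S-1-5-21-2993504088-2269847352-917328378
Trusting domains list:
ARW2008R2 S-1-5-21-2993504088-2269847352-917328378'

# Constructed: only the incoming direction exists (Windows trusts Samba).
SAMPLE_INCOMING_ONLY='Trusted domains list:
none
Trusting domains list:
ARW2008R2 S-1-5-21-2993504088-2269847352-917328378'

printf '%s\n' "$SAMPLE_TRUST" | check_samba_trust "" || echo "upgrade blocked"
```

Matching on the SID column rather than on any non-empty line keeps an empty or placeholder section from blocking the upgrade.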
I got the following warnings / errors while upgrading via CLI:

Ignoring unknown parameter "server role"
Ignoring unknown parameter "server services"
Ignoring unknown parameter "tls enabled"
Ignoring unknown parameter "tls keyfile"
Ignoring unknown parameter "tls certfile"
Ignoring unknown parameter "tls cafile"
Could not connect to server MASTER206
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
Couldn't connect to domain controller: NT_STATUS_LOGON_FAILURE
> Samba 4.1 currently does not support this, it's better to block the update.

I think we should describe that we will change this behavior in an upcoming erratum.
(In reply to Stefan Gohmann from comment #2)
> I got the following warnings / errors while upgrading via CLI:

The messages are now rerouted to the updater.log file.

(In reply to Stefan Gohmann from comment #3)
> I think we should describe that we will change this behavior in an upcoming
> erratum.

A note has been added to the warning message in preup.sh and to the changelog.

r46063 univention-updater 9.0.31-3.1228.201311151158
r46064 changelog
OK
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".
For documentation purposes: Bug 33303 has been fixed, preup has been adapted and the changelog entry for this bug has been removed.