Bug 33342 - Samba3 trusts Windows does not work in UCS 3.2
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 3.2
Other Linux
: P5 normal
: UCS 3.2
Assigned To: Erik Damrose
Stefan Gohmann
: interim-4
Depends on: 33303
Reported: 2013-11-13 06:21 CET by Stefan Gohmann
Modified: 2014-02-11 14:08 CET
Description Stefan Gohmann univentionstaff 2013-11-13 06:21:51 CET
We should recognize the trust in preup.sh and block the upgrade. This should be overwritable via UCR. Once Bug #33303 has been fixed, the check can be removed.

+++ This bug was initially created as a clone of Bug #33303 +++

The direction "Samba trusts Windows" does not work. Somehow winbind fails to resolve the remote domain.

Tested with UCS 3.2-0 (product tests) against Windows 2008 R2 AD DC.

Slave and Memberserver behave only a little differently, but the main result is the same: The trust relation seems to be established successfully, UCS users can log on to the Windows DC, but Samba fails to look up users of the Windows domain:
===========================================================
root@slave42:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378

Trusting domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378
root@slave42:~# wbinfo -m
BUILTIN
AR32I8
ARW2008R2
root@slave42:~# wbinfo --online-status
BUILTIN : online
AR32I8 : online
ARW2008R2 : online
root@slave42:~# wbinfo -D ARW2008R2
Name              : ARW2008R2
Alt_Name          : arw2008r2.qa
SID               : S-1-5-21-2993504088-2269847352-917328378
Active Directory  : Yes
Native            : Yes
Primary           : No
root@slave42:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)
root@slave42:~# wbinfo --domain=ARW2008R2 -t
checking the trust secret for domain ARW2008R2 via RPC calls succeeded

root@slave42:~# wbinfo -n ARW2008R2+Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+Administrator

root@slave42:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================

On the Memberserver at least the remote administrator account is resolved successfully and even authentication works for that account, but for normal users it does not work:
===========================================================
root@member43:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378

Trusting domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378
root@member43:~# wbinfo -m
BUILTIN
MEMBER43
AR32I8
ARW2008R2
root@member43:~# wbinfo --online-status
BUILTIN : online
MEMBER43 : online
AR32I8 : online
ARW2008R2 : offline
root@member43:~# wbinfo -D ARW2008R2
Name              : ARW2008R2
Alt_Name          : arw2008r2.qa
SID               : S-1-5-21-2993504088-2269847352-917328378
Active Directory  : Yes
Native            : Yes
Primary           : No
root@member43:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)

root@member43:~# wbinfo -n ARW2008R2+Administrator
S-1-5-21-1376953716-2413384141-3399758289-500 SID_USER (1)
root@member43:~# wbinfo -a ARW2008R2+Administrator
Enter ARW2008R2+Administrator's password: 
plaintext password authentication succeeded
Enter ARW2008R2+Administrator's password: 
challenge/response password authentication succeeded

root@member43:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================
Comment 1 Arvid Requate univentionstaff 2013-11-13 19:24:16 CET
Check was added to preup.sh and the error message points out that it can be disabled by ucs set update32/ignore_samba_trust=yes.

Changelog added.
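The description asks for a preup.sh check that recognizes an existing trust and blocks the upgrade unless a UCR variable overrides it, and comment 1 names that variable (update32/ignore_samba_trust=yes). The following POSIX shell script is an added illustration of how such a preupgrade check can be built; it is not the actual check from univention-updater's preup.sh, whose code is not shown here. It parses the text output of `net rpc trustdom list` (the listing from the description is reused as a constructed sample) and decides whether to block. Assumptions: the function names, that the check is fed the output of `net rpc trustdom list` and the value of `ucr get update32/ignore_samba_trust`, and that a domain without trusts prints "none" under each list.

```shell
#!/bin/sh
# Added example: a preupgrade check for existing Samba3 trust relationships.
# Illustrative code, not the actual check in univention-updater's preup.sh.
# Assumptions: the check receives the text output of `net rpc trustdom list`
# and the value of the UCR variable update32/ignore_samba_trust (for example
# from `ucr get update32/ignore_samba_trust`); a domain without trusts prints
# "none" under each list.

# Parse `net rpc trustdom list` output from stdin into lines of
# "<direction> <domain> <sid>", where direction is "trusted" (this domain
# trusts the remote one, i.e. the "Samba trusts Windows" direction) or
# "trusting" (the remote domain trusts this one).
list_trusts() {
    awk '
        /^Trusted domains list:/  { section = "trusted";  next }
        /^Trusting domains list:/ { section = "trusting"; next }
        NF == 2 && $2 ~ /^S-1-5-/ { print section, $1, $2 }
    '
}

# Number of trust entries in the listing read from stdin.
count_trusts() {
    list_trusts | wc -l | tr -d ' '
}

# $1: output of `net rpc trustdom list`
# $2: value of update32/ignore_samba_trust ("yes" overrides the block)
# Returns 0 if the upgrade may continue, 1 if it must be blocked.
check_samba_trust() {
    trust_output=$1
    override=${2:-}
    trusts=$(printf '%s\n' "$trust_output" | list_trusts)

    if [ -z "$trusts" ]; then
        echo "preup: no Samba3 trust relationships found, continuing"
        return 0
    fi

    echo "preup: Samba3 trust relationships found:" >&2
    printf '%s\n' "$trusts" | sed 's/^/  /' >&2

    if [ "$override" = "yes" ]; then
        echo "preup: update32/ignore_samba_trust=yes is set, continuing anyway" >&2
        return 0
    fi

    cat >&2 <<'EOF'
preup: The "Samba trusts Windows" direction does not work in UCS 3.2 (Bug #33303),
preup: so the upgrade is blocked. To override this check after assessing the risk, run:
preup:   ucr set update32/ignore_samba_trust=yes
EOF
    return 1
}

# Constructed sample outputs (the trust listing is taken from the bug description).
SAMPLE_WITH_TRUST='Trusted domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378

Trusting domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378'

SAMPLE_NO_TRUST='Trusted domains list:

none

Trusting domains list:

none'

# Demonstration on the samples; a return value of 1 means "block the upgrade".
check_samba_trust "$SAMPLE_WITH_TRUST" ""    || echo "-> blocked (exit status $?)"
check_samba_trust "$SAMPLE_WITH_TRUST" "yes" || echo "-> unexpected"
check_samba_trust "$SAMPLE_NO_TRUST" ""      || echo "-> unexpected"
```

Wired into a real preupgrade script, `check_samba_trust "$(net rpc trustdom list ...)" "$(ucr get update32/ignore_samba_trust)"` would be run before the package upgrade starts, and a non-zero return aborts it. The check reports both directions so that the administrator sees which relationship triggered the block, while only the explicit override value "yes" lets the upgrade proceed.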
Comment 2 Stefan Gohmann univentionstaff 2013-11-14 21:53:21 CET
I got the following warnings / errors while upgrading via CLI:


Ignoring unknown parameter "server role"
Ignoring unknown parameter "server services"
Ignoring unknown parameter "tls enabled"
Ignoring unknown parameter "tls keyfile"
Ignoring unknown parameter "tls certfile"
Ignoring unknown parameter "tls cafile"
Could not connect to server MASTER206
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
Couldn't connect to domain controller: NT_STATUS_LOGON_FAILURE
Comment 3 Stefan Gohmann univentionstaff 2013-11-14 21:56:27 CET
> Samba 4.1 currently does not support this, it's better to block the update.

I think we should describe that we will change this behavior in an upcoming erratum.
Comment 4 Erik Damrose univentionstaff 2013-11-15 12:04:46 CET
(In reply to Stefan Gohmann from comment #2)
> I got the following warnings / errors while upgrading via CLI:

The messages are now rerouted to the updater.log file.

(In reply to Stefan Gohmann from comment #3)
> I think we should describe that we will change this behavior in an upcoming
> erratum.

A note has been added to the warning message in preup.sh and to the changelog.

r46063 univention-updater 9.0.31-3.1228.201311151158
r46064 changelog
Comment 5 Stefan Gohmann univentionstaff 2013-11-17 15:58:50 CET
OK
Comment 6 Stefan Gohmann univentionstaff 2013-11-19 06:44:12 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".
Comment 7 Erik Damrose univentionstaff 2014-02-11 14:08:00 CET
For documentation purposes: Bug 33303 has been fixed, preup has been adapted and the changelog entry for this bug has been removed