Bug 33303 - Samba3 trusts Windows does not work in UCS 3.2
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba
UCS 3.2
Other Linux
: P5 normal
: UCS 3.2-0-errata
Assigned To: Arvid Requate
Erik Damrose
: 17592
Depends on: 33873
Blocks: 33342
Reported: 2013-11-12 12:30 CET by Arvid Requate
Modified: 2014-02-17 09:28 CET

Attachments
slave_wbinfo-n-ARW2008R2+Administrator.log (150.93 KB, text/plain), 2013-11-12 12:31 CET, Arvid Requate
memberserver_wbinfo-n-ARW2008R2+Administrator.log (73.08 KB, text/plain), 2013-11-12 12:32 CET, Arvid Requate
memberserver_wbinfo-n-ARW2008R2+winuser1.log (19.53 KB, text/plain), 2013-11-12 12:32 CET, Arvid Requate
master_wbinfo-n-ARW2003R2+winuser1.log (131.62 KB, text/plain), 2013-11-12 16:27 CET, Arvid Requate

Description Arvid Requate univentionstaff 2013-11-12 12:30:40 CET
The direction "Samba trusts Windows" does not work. Somehow winbind fails to resolve the remote domain.

Tested with UCS 3.2-0 (product tests) against Windows 2008 R2 AD DC.

Slave and Memberserver behave only a little differently, but the main result is the same: The trust relation seems to be established successfully, UCS users can log on to the Windows DC, but Samba fails to look up users of the Windows domain:
===========================================================
root@slave42:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378

Trusting domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378
root@slave42:~# wbinfo -m
BUILTIN
AR32I8
ARW2008R2
root@slave42:~# wbinfo --online-status
BUILTIN : online
AR32I8 : online
ARW2008R2 : online
root@slave42:~# wbinfo -D ARW2008R2
Name              : ARW2008R2
Alt_Name          : arw2008r2.qa
SID               : S-1-5-21-2993504088-2269847352-917328378
Active Directory  : Yes
Native            : Yes
Primary           : No
root@slave42:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)
root@slave42:~# wbinfo --domain=ARW2008R2 -t
checking the trust secret for domain ARW2008R2 via RPC calls succeeded

root@slave42:~# wbinfo -n ARW2008R2+Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+Administrator

root@slave42:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================

On the Memberserver at least the remote administrator account is resolved successfully and even authentication works for that account, but for normal users it does not work:
===========================================================
root@member43:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378

Trusting domains list:

ARW2008R2           S-1-5-21-2993504088-2269847352-917328378
root@member43:~# wbinfo -m
BUILTIN
MEMBER43
AR32I8
ARW2008R2
root@member43:~# wbinfo --online-status
BUILTIN : online
MEMBER43 : online
AR32I8 : online
ARW2008R2 : offline
root@member43:~# wbinfo -D ARW2008R2
Name              : ARW2008R2
Alt_Name          : arw2008r2.qa
SID               : S-1-5-21-2993504088-2269847352-917328378
Active Directory  : Yes
Native            : Yes
Primary           : No
root@member43:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)

root@member43:~# wbinfo -n ARW2008R2+Administrator
S-1-5-21-1376953716-2413384141-3399758289-500 SID_USER (1)
root@member43:~# wbinfo -a ARW2008R2+Administrator
Enter ARW2008R2+Administrator's password: 
plaintext password authentication succeeded
Enter ARW2008R2+Administrator's password: 
challenge/response password authentication succeeded

root@member43:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================
Comment 1 Arvid Requate univentionstaff 2013-11-12 12:31:39 CET
Created attachment 5607 [details]
slave_wbinfo-n-ARW2008R2+Administrator.log
Comment 2 Arvid Requate univentionstaff 2013-11-12 12:32:05 CET
Created attachment 5608 [details]
memberserver_wbinfo-n-ARW2008R2+Administrator.log
Comment 3 Arvid Requate univentionstaff 2013-11-12 12:32:31 CET
Created attachment 5609 [details]
memberserver_wbinfo-n-ARW2008R2+winuser1.log
Comment 4 Arvid Requate univentionstaff 2013-11-12 16:27:10 CET
Created attachment 5612 [details]
master_wbinfo-n-ARW2003R2+winuser1.log

It also does not work against Windows 2003 R2.

winbind seems to fail during an attempt to contact the Windows LDAP server. If I add its FQDN to /etc/hosts, the procedure continues a bit further and then aborts due to some Kerberos problem. From my point of view, it should not attempt to do Kerberos at all (and probably not even LDAP). It somehow seems to go into an ADS mode and gets stuck on the way.
Comment 5 Arvid Requate univentionstaff 2013-12-17 19:19:36 CET
From analysing the winbind logs I found this crucial difference:

* samba3.6.8:   get_cache: Setting MS-RPC methods for domain ARW2003R2
* samba4.1.0:   get_cache: Setting ADS methods for domain ARW2003R2

I also checked with the source3/winbindd built from Samba 4.0.3, the behaviour is already similar to 4.1.0 (luckily we didn't use it for samba3 domains).

Looking into the source code I see that the code path, which leads to the decision to use "ADS methods" to talk to the windows domain, should be blocked by the "[global]" setting "winbind rpc only = yes". And here comes the catch:
If this setting is written into /etc/samba/local.conf (as documented in the handbook), winbind does not pick it up. If instead I put that option either into the main smb.conf or at the end of base.conf, then it works. Weird stuff...

So, a workaround might be easy, by just fixing Bug 17592.
But at some point we should find out the reason why winbind doesn't read the config files properly and if this behaviour might also affect smbd.
Comment 6 Arvid Requate univentionstaff 2013-12-18 13:46:42 CET
*** Bug 17592 has been marked as a duplicate of this bug. ***
Comment 7 Arvid Requate univentionstaff 2013-12-18 14:24:38 CET
Ok, code check confirmed that it was a change in winbind.c, which only evaluates the "[global]" section in Samba 4.0.x and Samba 4.1.0. This activates a code path in source3/param/loadparm.c which only parses parameters in the "[global]" section, ignoring "include" statements that happen to be in other section contexts. A short check showed that smbd doesn't suffer from this.

So I fixed Bug 17592 now by introducing a new UCR variable
  samba/winbind/rpc/only
which can be set manually to "yes" for trust relations with AD domains.

Advisory: 2013-12-18-univention-samba.yaml

We should probably either set this variable in UCS 3.2-0 preup (instead of blocking the update in cases where trust relations are detected) or generally change the default to 'yes'.
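
Added example (not part of the bug report and not Samba's code): a simplified Python model of the parsing behaviour described in comments 5 and 7, usable as a check for [global] settings that a full parse sees but a global-only parse never reaches. The file contents, the placement of the include under a share section, and the function names are constructed assumptions.

```python
import re

# Constructed sample files: smb.conf defines [global], then a share,
# and only then includes local.conf (assumed layout, not the UCS template).
FILES = {
    "smb.conf": """\
[global]
    workgroup = AR32I8
    include = base.conf
[homes]
    browseable = no
    include = local.conf
""",
    "base.conf": "[global]\n    security = domain\n",
    "local.conf": "[global]\n    winbind rpc only = yes\n",
}

def load_globals(files, name, global_only, _state=None):
    """Return the [global] parameters seen when parsing `name`.

    global_only=True models the loader mode described in comment 7: every
    parameter outside [global] is skipped, and because "include" is itself
    a parameter, includes placed in other sections are never followed.
    """
    state = _state if _state is not None else {"section": "global", "params": {}}
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            state["section"] = m.group(1).strip().lower()
            continue
        key, _, value = line.partition("=")
        key, value = " ".join(key.lower().split()), value.strip()
        in_global = state["section"] == "global"
        if global_only and not in_global:
            continue  # skipped whether it is a setting or an include
        if key == "include":
            load_globals(files, value, global_only, state)
        elif in_global:
            state["params"][key] = value
    return state["params"]

def unreachable_globals(files, name="smb.conf"):
    """Global settings a full parse sees but a global-only parse misses."""
    full = load_globals(files, name, global_only=False)
    restricted = load_globals(files, name, global_only=True)
    return {k: v for k, v in full.items() if k not in restricted}
```

On the constructed files, `unreachable_globals(FILES)` reports `winbind rpc only`; appending the option to base.conf, as in the workaround from comment 5, makes the result empty.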
Comment 8 Arvid Requate univentionstaff 2013-12-18 16:41:58 CET
I committed an adjusted preup.sh to svn (univention-updater version 9.0.38-4).
After publication of this errata the following steps need to be taken:

* Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository.
* Test the update from UCS 3.1-1 to UCS 3.2-0.
* Sync the mirror to the online repository.
Comment 9 Felix Botner univentionstaff 2014-01-08 14:04:21 CET
OK - UCS 3.2

"Samba trusts Windows" works with UCS 3.2 + scope errata3.2-0 and w2k12 (samba/winbind/rpc/only=yes)

OK - UCS 3.1 Update

UCS 3.1 and w2k3. UCS updated to UCS 3.2 + scope errata3.2-0 (update32/ignore_samba_trust=yes). After setting samba/winbind/rpc/only=yes winbindd lists all w2k3 users.

TODO


* Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository.
* Test the update from UCS 3.1-1 to UCS 3.2-0.
* Sync the mirror to the online repository.

* QA
Comment 10 Moritz Muehlenhoff univentionstaff 2014-01-22 11:52:17 CET
http://errata.univention.de/ucs/3.2/25.html
Comment 11 Arvid Requate univentionstaff 2014-01-22 12:32:11 CET
Post-Announce Steps:

> * Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository.

This was done now using the following steps:
=========================================================================
cp ucs-3.2-0/base/univention-updater/script/preup.sh \
   test_mirror/ftp/3.2/maintained/3.2-0/all && \
gpg --local-user 2CBDA4B0 --passphrase-file "$the_archive_key_file" \
    --output test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
    --detach-sign test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh && \
gpg --verify test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
    test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh && \
mv test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
   test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg
=========================================================================

TODO:
* QA: Test the update from UCS 3.1-1 to UCS 3.2-0.
* Copy preup.sh and preup.sh.gpg from test_mirror to mirror.
* Sync the mirror to the online repository.
* Adjust the Release Notes.
Comment 12 Arvid Requate univentionstaff 2014-02-10 18:32:02 CET
The release notes are updated in SVN but still need to be copied to the repository mirror.
Comment 13 Erik Damrose univentionstaff 2014-02-11 13:47:05 CET
OK: Release notes -> published
OK: preup.sh: signed and published to testing and official mirror.
OK: update from 3.1-1 to 3.2-0 sets samba/winbind/rpc/only=yes when trust is present (tested with testing and official mirror)

-> Verified
Comment 14 Moritz Muehlenhoff univentionstaff 2014-02-17 09:28:54 CET
This erratum was resolved w/o a fixed package. Marking the bug as closed, so
that it doesn't show up in the list of to-be-released packages.