Univention Bugzilla – Bug 33303
Samba3 trusts Windows does not work in UCS 3.2
Last modified: 2014-02-17 09:28:54 CET
The direction "Samba trusts Windows" does not work. Somehow winbind fails to resolve the remote domain. Tested with UCS 3.2-0 (product tests) against a Windows 2008 R2 AD DC. Slave and Memberserver behave only a little differently, but the main result is the same: The trust relation seems to be established successfully, UCS users can log on to the Windows DC, but Samba fails to look up users of the Windows domain:
===========================================================
root@slave42:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:
ARW2008R2            S-1-5-21-2993504088-2269847352-917328378
Trusting domains list:
ARW2008R2            S-1-5-21-2993504088-2269847352-917328378

root@slave42:~# wbinfo -m
BUILTIN
AR32I8
ARW2008R2

root@slave42:~# wbinfo --online-status
BUILTIN : online
AR32I8 : online
ARW2008R2 : online

root@slave42:~# wbinfo -D ARW2008R2
Name              : ARW2008R2
Alt_Name          : arw2008r2.qa
SID               : S-1-5-21-2993504088-2269847352-917328378
Active Directory  : Yes
Native            : Yes
Primary           : No

root@slave42:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)

root@slave42:~# wbinfo --domain=ARW2008R2 -t
checking the trust secret for domain ARW2008R2 via RPC calls succeeded

root@slave42:~# wbinfo -n ARW2008R2+Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+Administrator

root@slave42:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================

On the Memberserver at least the remote Administrator account is resolved successfully and even authentication works for that account, but for normal users it does not work:
===========================================================
root@member43:~# net rpc trustdom list -UAdministrator%univention
Trusted domains list:
ARW2008R2            S-1-5-21-2993504088-2269847352-917328378
Trusting domains list:
ARW2008R2            S-1-5-21-2993504088-2269847352-917328378

root@member43:~# wbinfo -m
BUILTIN
MEMBER43
AR32I8
ARW2008R2

root@member43:~# wbinfo --online-status
BUILTIN : online
MEMBER43 : online
AR32I8 : online
ARW2008R2 : offline

root@member43:~# wbinfo -D ARW2008R2
Name              : ARW2008R2
Alt_Name          : arw2008r2.qa
SID               : S-1-5-21-2993504088-2269847352-917328378
Active Directory  : Yes
Native            : Yes
Primary           : No

root@member43:~# wbinfo --dc-info=ARW2008R2
WIN-125IN6TLA89 (10.200.8.135)

root@member43:~# wbinfo -n ARW2008R2+Administrator
S-1-5-21-1376953716-2413384141-3399758289-500 SID_USER (1)

root@member43:~# wbinfo -a ARW2008R2+Administrator
Enter ARW2008R2+Administrator's password:
plaintext password authentication succeeded
Enter ARW2008R2+Administrator's password:
challenge/response password authentication succeeded

root@member43:~# wbinfo -n ARW2008R2+winuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ARW2008R2+winuser1
===========================================================
Created attachment 5607 [details] slave_wbinfo-n-ARW2008R2+Administrator.log
Created attachment 5608 [details] memberserver_wbinfo-n-ARW2008R2+Administrator.log
Created attachment 5609 [details] memberserver_wbinfo-n-ARW2008R2+winuser1.log
Created attachment 5612 [details] master_wbinfo-n-ARW2003R2+winuser1.log

It also does not work against Windows 2003 R2. winbind seems to fail during an attempt to contact the Windows LDAP server. If I add its FQDN to /etc/hosts, the procedure continues a bit further and then aborts due to some Kerberos problem. From my point of view, it should not attempt to do Kerberos at all (and probably not even LDAP). It somehow seems to go into an ADS mode and gets stuck on the way.
From analysing the winbind logs I found this crucial difference:

* samba3.6.8: get_cache: Setting MS-RPC methods for domain ARW2003R2
* samba4.1.0: get_cache: Setting ADS methods for domain ARW2003R2

I also checked with the source3/winbindd built from Samba 4.0.3, the behaviour is already similar to 4.1.0 (luckily we didn't use it for samba3 domains).

Looking into the source code I see that the code path, which leads to the decision to use "ADS methods" to talk to the Windows domain, should be blocked by the "[global]" setting "winbind rpc only = yes". And here comes the catch: If this setting is written into /etc/samba/local.conf (as documented in the handbook), winbind does not pick it up. If instead I put that option either into the main smb.conf or at the end of base.conf, then it works. Weird stuff...

So, a workaround might be easy, by just fixing Bug 17592. But at some point we should find out the reason why winbind doesn't read the config files properly and if this behaviour might also affect smbd.
*** Bug 17592 has been marked as a duplicate of this bug. ***
OK, a code check confirmed that it was a change in winbind.c, which only evaluates the "[global]" section in Samba 4.0.x and Samba 4.1.0. This activates a code path in source3/param/loadparm.c which only parses parameters in the "[global]" section, ignoring "include" statements that happen to be in other section contexts. A short check showed that smbd doesn't suffer from this.

So I fixed Bug 17592 now by introducing a new UCR variable samba/winbind/rpc/only which can be set manually to "yes" for trust relations with AD domains.

Advisory: 2013-12-18-univention-samba.yaml

We should probably either set this variable in UCS 3.2-0 preup (instead of blocking the update in cases where trust relations are detected) or generally change the default to 'yes'.
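The two comments above describe a parsing difference, not a Samba default: a global-only pass over smb.conf never reaches an "include" that sits in a share section context, so a "winbind rpc only = yes" delivered through such an include is silently lost, while a full parse (smbd) applies it. The following simulation is an added example written for this page, not code from Univention or Samba. It assumes a simplified smb.conf layout (main file includes base.conf from [global] and local.conf after a [homes] share) and a simplified include rule (the included file is parsed in the section context of the including line and may open its own sections); the file contents are constructed for the demonstration and are not the real UCS templates.

```python
"""
Simulate a Samba-style config parser in two modes:
  - full parse: every section and every "include" is evaluated (smbd behaviour)
  - global-only parse: only lines in the [global] context are evaluated; any
    parameter or "include" reached while a share section is current is skipped
    (the winbindd behaviour in Samba 4.0.x/4.1.0 described in this bug)
The goal is to show where "winbind rpc only = yes" must live to be seen by both.
"""
import re
from typing import Dict, Optional, Set

Config = Dict[str, Dict[str, str]]
SECTION_RE = re.compile(r"^\[(.+)\]$")

# Constructed in-memory "filesystem" (assumption, not the real UCS layout):
# smb.conf includes base.conf from [global] and local.conf after a share.
FILES: Dict[str, str] = {
    "/etc/samba/smb.conf": """\
[global]
    workgroup = AR32I8
    include = /etc/samba/base.conf
[homes]
    comment = Home Directories
    browseable = no
include = /etc/samba/local.conf
""",
    "/etc/samba/base.conf": "security = user\n",
    # Placing the option here, as the handbook suggested, is what failed.
    "/etc/samba/local.conf": "[global]\nwinbind rpc only = yes\n",
}

# Same layout, but the option appended to base.conf (included from [global]).
FIXED_FILES: Dict[str, str] = dict(FILES)
FIXED_FILES["/etc/samba/base.conf"] = "security = user\nwinbind rpc only = yes\n"


def _norm(key: str) -> str:
    """Samba matches parameter names ignoring case and internal whitespace."""
    return " ".join(key.lower().split())


def load_config(path: str, files: Dict[str, str], global_only: bool,
                config: Optional[Config] = None,
                section: Optional[str] = None) -> Config:
    """Parse `path` from `files`; returns {section: {param: value}}."""
    if config is None:
        config = {}
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section is None:
            raise ValueError(f"{path}: parameter before any section: {line}")
        if global_only and section != "global":
            # The global-only code path never looks at this line, so an
            # "include" placed here is never followed either.
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"{path}: not a parameter line: {line}")
        key, value = _norm(key), value.strip()
        if key == "include":
            # Included file starts in the section context of this line.
            load_config(value, files, global_only, config, section)
        else:
            config.setdefault(section, {})[key] = value
    return config


def effective_setting(files: Dict[str, str], global_only: bool,
                      key: str = "winbind rpc only", default: str = "no") -> str:
    """Value of a [global] parameter as the chosen parser mode would see it."""
    cfg = load_config("/etc/samba/smb.conf", files, global_only)
    return cfg.get("global", {}).get(key, default)


def lost_global_params(files: Dict[str, str]) -> Set[str]:
    """[global] parameters smbd would apply but a global-only winbindd misses.
    A non-empty result is the check to run before trusting a setting."""
    full = load_config("/etc/samba/smb.conf", files, global_only=False)
    partial = load_config("/etc/samba/smb.conf", files, global_only=True)
    return set(full.get("global", {})) - set(partial.get("global", {}))


if __name__ == "__main__":
    for name, layout in (("option in local.conf", FILES),
                         ("option in base.conf", FIXED_FILES)):
        print(f"{name}: smbd sees {effective_setting(layout, False)!r}, "
              f"global-only winbindd sees {effective_setting(layout, True)!r}, "
              f"lost: {sorted(lost_global_params(layout))}")
```

The "lost" set is the practitioner's check: any [global] parameter that appears in the full parse but not in the global-only parse is being delivered through an include the global-only reader never reaches, which is exactly the situation that leaves winbind on the "ADS methods" path.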
I committed an adjusted preup.sh to svn (univention-updater version 9.0.38-4). After publication of this errata the following steps need to be taken:

* Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository.
* Test the update from UCS 3.1-1 to UCS 3.2-0.
* Sync the mirror to the online repository.
OK - UCS 3.2: "Samba trusts Windows" works with UCS 3.2 + scope errata3.2-0 and w2k12 (samba/winbind/rpc/only=yes)
OK - UCS 3.1 Update: UCS 3.1 and w2k3. UCS updated to UCS 3.2 + scope errata3.2-0 (update32/ignore_samba_trust=yes). After setting samba/winbind/rpc/only=yes winbindd lists all w2k3 users.

TODO
* Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository.
* Test the update from UCS 3.1-1 to UCS 3.2-0.
* Sync the mirror to the online repository.
* QA
http://errata.univention.de/ucs/3.2/25.html
Post-Announce Steps:

> * Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository.

This was done now using the following steps:
=========================================================================
cp ucs-3.2-0/base/univention-updater/script/preup.sh \
   test_mirror/ftp/3.2/maintained/3.2-0/all && \
gpg --local-user 2CBDA4B0 --passphrase-file "$the_archive_key_file" \
   --output test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
   --detach-sign test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh && \
gpg --verify test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
   test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh && \
mv test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
   test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg
=========================================================================

TODO:
* QA: Test the update from UCS 3.1-1 to UCS 3.2-0.
* Copy preup.sh and preup.sh.gpg from test_mirror to mirror.
* Sync the mirror to the online repository.
* Adjust the Release Notes.
The release notes are updated in SVN but still need to be copied to the repository mirror.
OK: Release notes -> published
OK: preup.sh: signed and published to testing and official mirror.
OK: update from 3.1-1 to 3.2-0 sets samba/winbind/rpc/only=yes when trust is present (tested with testing and official mirror)
-> Verified
This erratum was resolved w/o a fixed package. Marking the bug as closed, so that it doesn't show up in the list of to-be-released packages.