Bug 33303
| Summary: | Samba3 trusts Windows does not work in UCS 3.2 | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Samba | Assignee: | Arvid Requate <requate> |
| Status: | CLOSED FIXED | QA Contact: | Erik Damrose <damrose> |
| Severity: | normal | ||
| Priority: | P5 | CC: | gohmann, jmm, walkenhorst |
| Version: | UCS 3.2 | ||
| Target Milestone: | UCS 3.2-0-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Bug Depends on: | 33873 | ||
| Bug Blocks: | 33342 | ||
| Attachments: |
slave_wbinfo-n-ARW2008R2+Administrator.log
memberserver_wbinfo-n-ARW2008R2+Administrator.log memberserver_wbinfo-n-ARW2008R2+winuser1.log master_wbinfo-n-ARW2003R2+winuser1.log |
||
|
Description
Arvid Requate
Created attachment 5607 [details]
slave_wbinfo-n-ARW2008R2+Administrator.log
Created attachment 5608 [details]
memberserver_wbinfo-n-ARW2008R2+Administrator.log
Created attachment 5609 [details]
memberserver_wbinfo-n-ARW2008R2+winuser1.log
Created attachment 5612 [details]
master_wbinfo-n-ARW2003R2+winuser1.log
It also does not work against Windows 2003 R2.
winbind seems to fail during an attempt to contact the Windows LDAP server. If I add its FQDN to /etc/hosts, the procedure continues a bit further and then aborts due to some Kerberos problem. From my point of view, it should not attempt to do Kerberos at all (and probably not even LDAP). It somehow seems to go into an ADS mode and gets stuck on the way.
From analysing the winbind logs I found this crucial difference: * samba3.6.8: get_cache: Setting MS-RPC methods for domain ARW2003R2 * samba4.1.0: get_cache: Setting ADS methods for domain ARW2003R2 I also checked with the source3/winbindd built from Samba 4.0.3, the behaviour is already similar to 4.1.0 (luckily we didn't use it for samba3 domains). Looking into the source code I see that the code path, which leads to the decision to use "ADS methods" to talk to the windows domain, should be blocked by the "[global]" setting "winbind rpc only = yes". And here comes the catch: If this setting is written into /etc/samba/local.conf (as documented in the handbook), winbind does not pick it up. If instead I put that option either into the main smb.conf or at the end of base.conf, then it works. Weird stuff... So, a workaround might be easy, by just fixing Bug 17592. But at some point we should find out the reason why winbind doesn't read the config files properly and if this behaviour might also affect smbd. *** Bug 17592 has been marked as a duplicate of this bug. *** Ok, code check confirmed that it was a change in winbind.c, which only evaluates the "[global]" section in Samba 4.0.x and Samba 4.1.0. This activates a code path in source3/param/loadparm.c which only parses parameters in the "[global]" section, ignoring "include" statements that happen to be in other section contexts. A short check showed that smbd doesn't suffer from this. So I fixed Bug 17592 now by introducing a new UCR variable samba/winbind/rpc/only which can be set manually to "yes" for trust replations with AD domains. Advisory: 2013-12-18-univention-samba.yaml We should probably either set this variable in UCS 3.2-0 preup (instead of blocking the update in caases where trust relations are detected) or generally change the default to 'yes'. I committed an adjusted preup.sh to svn (univention-updater version 9.0.38-4). After publication of this errata the following steps need to be taken: * Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository. * Test the update from UCS 3.1-1 to UCS 3.2-0. * Sync the mirror to the online repository. OK - UCS 3.2 "Samba trusts Windows" works with UCS 3.2 + scope errata3.2-0 and w2k12 (samba/winbind/rpc/only=yes) OK - UCS 3.1 Update UCS 3.1 and w2k3. UCS updated to UCS 3.2 + scope errata3.2-0 (update32/ignore_samba_trust=yes). After setting samba/winbind/rpc/only=yes winbindd lists all w2k3 users. TODO * Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository. * Test the update from UCS 3.1-1 to UCS 3.2-0. * Sync the mirror to the online repository. * QA Post-Announce Steps:
> * Sign the new preup.sh and copy it to the local mirror UCS 3.2-0 repository.
This was done now using the following steps:
=========================================================================
cp ucs-3.2-0/base/univention-updater/script/preup.sh \
test_mirror/ftp/3.2/maintained/3.2-0/all && \
gpg --local-user 2CBDA4B0 --passphrase-file "$the_archive_key_file" \
--output test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
--detach-sign test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh && \
gpg --verify test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh && \
mv test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg.new \
test_mirror/ftp/3.2/maintained/3.2-0/all/preup.sh.gpg
=========================================================================
TODO:
* QA: Test the update from UCS 3.1-1 to UCS 3.2-0.
* Copy preup.sh and preup.sh.gpg from test_mirror to mirror.
* Sync the mirror to the online repository.
* Adjust the Release Notes.
The release notes are updated in SVN but still need to be copied to the repository mirror. OK: Release notes -> published OK: preup.sh: signed and published to testing and official mirror. OK: update from 3.1-1 to 3.2-0 sets samba/winbind/rpc/only=yes when trust is present (tested with testing and official mirror) -> Verified This erratum was resolved w/o a fixed package. Marking the bug as closed, so that it doesn't show up in the list of to-be-released packages. |