Unable to authenticate the trusted(external trust) domain users.

Samba - samba-technical mailing list
Hello All,

We are using the samba 4.3.11 stack, and currently we are facing an issue with authenticating trusted (external trust) domain users. Child trust domains are working fine.
Session setup is actually failing with STATUS_UNSUCCESSFUL.

Looking at the winbindd logs, we found that we are unable to bring the specific domain online, and the attempt to connect to the trusted domain DC is failing with an internal error.

….

[2017/05/04 23:59:56.360862,  5, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)

  Starting GENSEC submechanism gse_krb5

[2017/05/04 23:59:56.361007,  3, pid=24430, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)

  kerberos_get_principal_from_service_hostname: cannot get realm from, desthost 2012dc1.minerva-2012d.com or default ccache. Using default smb.conf realm AUTOMATION.NUTANIX.COM

[2017/05/04 23:59:56.468892,  1, pid=24430, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:340(gse_get_client_auth_token)

  gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database]

[2017/05/04 23:59:56.468998,  1, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)

  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR

[2017/05/04 23:59:56.469060, 10, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:672(gensec_spnego_create_negTokenInit)

  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR

[2017/05/04 23:59:56.469097, 10, pid=24430, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:761(ads_sasl_spnego_bind)

  ads_sasl_spnego_gensec_bind(KRB5) failed with: An internal error occurred., calling kinit

[2017/05/04 23:59:56.469172, 10, pid=24430, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:217(kerberos_kinit_password_ext)

  kerberos_kinit_password: as CUSTOMER$@AUTOMATION.NUTANIX.COM using [MEMORY:winbind_ccache] as ccache and config [(null)]

[2017/05/04 23:59:56.579211,  5, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)

  Starting GENSEC mechanism spnego

[2017/05/04 23:59:56.579328,  5, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:680(gensec_start_mech)

  Starting GENSEC submechanism gse_krb5

[2017/05/04 23:59:56.579410,  3, pid=24430, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)

  kerberos_get_principal_from_service_hostname: cannot get realm from, desthost 2012dc1.minerva-2012d.com or default ccache. Using default smb.conf realm AUTOMATION.NUTANIX.COM

[2017/05/04 23:59:56.667456,  1, pid=24430, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:340(gse_get_client_auth_token)

  gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database]

[2017/05/04 23:59:56.667521,  1, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)

  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR

[2017/05/04 23:59:56.667588, 10, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:672(gensec_spnego_create_negTokenInit)

  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR

[2017/05/04 23:59:56.667625,  0, pid=24430, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)

  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

[2017/05/04 23:59:56.667814,  1, pid=24430, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)

  ads_connect for domain MINERVA_2012D failed: An internal error occurred.

[2017/05/04 23:59:56.667901, 10, pid=24430, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:575(refresh_sequence_number)

  refresh_sequence_number: failed with NT_STATUS_UNSUCCESSFUL

[2017/05/04 23:59:56.667960, 10, pid=24430, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:500(wcache_store_seqnum)

  wcache_store_seqnum: success [MINERVA_2012D][4294967295 @ 1493967596]

[2017/05/04 23:59:56.668002, 10, pid=24430, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:587(refresh_sequence_number)

  refresh_sequence_number: MINERVA_2012D seq number is now -1

[2017/05/04 23:59:56.668025,  1, pid=24430, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)

       wbint_QueryUser: struct wbint_QueryUser

          out: struct wbint_QueryUser

              info                     : *

                  info: struct wbint_userinfo

                      acct_name                : NULL

                      full_name                : NULL

                      homedir                  : NULL

                      shell                    : NULL

                      primary_gid              : 0x0000000000000000 (0)

                      user_sid                 : S-0-0

                      group_sid                : S-0-0

              result                   : NT_STATUS_UNSUCCESSFUL

….

A packet capture on the trusted domain DC shows that Samba closed the socket after the negotiate response from the client. The above logs show that we have trouble doing the session setup request. DNS was set up properly and the Samba server is able to look up the trusted domain DCs.

Any pointers on what could have caused the ads_connect errors?

Thanks,
Hemanth.
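A small triage script for the winbindd excerpt above, added here as an example and not part of the thread or of Samba itself: it pairs each debug header with its message line, then correlates the realm-fallback warning from kerberos_get_principal_from_service_hostname with the later "Server not found in Kerberos database" GSS failure, the "kinit succeeded but ... bind failed" line and the failed ads_connect, so the chain is reported per trusted domain instead of being read by hand. The sample lines are copied from the log above; the finding fields and the diagnosis wording are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header line of a Samba debug record, e.g.
# [2017/05/04 23:59:56.468892,  1, pid=24430, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:340(gse_get_client_auth_token)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+)[^\]]*\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
REALM_FALLBACK_RE = re.compile(
    r"cannot get realm from, desthost (?P<host>\S+) .*Using default smb\.conf realm (?P<realm>\S+)"
)
CONNECT_FAIL_RE = re.compile(r"ads_connect for domain (?P<domain>\S+) failed: (?P<err>.+)")
GSS_NOT_FOUND = "Server not found in Kerberos database"


@dataclass
class LogRecord:
    ts: str
    level: int
    pid: int
    src: str
    func: str
    msg: str


def parse_samba_log(text: str) -> List[LogRecord]:
    """Pair each header line with the indented message line that follows it.
    Multi-line dumps (e.g. ndr_print_function_debug) keep only their first line."""
    records: List[LogRecord] = []
    header: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:
            header = m.groupdict()
            continue
        if header is None:
            continue  # continuation line of a dump already recorded
        records.append(LogRecord(header["ts"], int(header["level"]), int(header["pid"]),
                                 header["src"], header["func"], raw.strip()))
        header = None
    return records


def _diagnose(fallback: Optional[Dict[str, str]], gss_not_found: bool, kinit_ok: bool) -> str:
    # Diagnosis wording is this example's own reading of the log chain.
    if fallback and gss_not_found:
        text = (f"no realm could be derived for {fallback['host']}, so the service ticket was "
                f"requested in the default realm {fallback['realm']} and the KDC answered "
                f"'{GSS_NOT_FOUND}'; the Kerberos leg of the SPNEGO bind fails before session setup")
        if kinit_ok:
            text += "; kinit as the machine account succeeded, so credentials and clock are not the cause"
        return text
    return "no realm-resolution pattern matched; inspect the gensec/spnego records by hand"


def triage_trust_connect(records: List[LogRecord]) -> List[Dict[str, object]]:
    """Emit one finding per failed ads_connect, carrying the realm-fallback and
    GSS evidence seen since the previous finding (state resets after each one)."""
    findings: List[Dict[str, object]] = []
    fallback: Optional[Dict[str, str]] = None
    gss_not_found = kinit_ok = False
    for r in records:
        if r.func == "kerberos_get_principal_from_service_hostname":
            m = REALM_FALLBACK_RE.search(r.msg)
            if m:
                fallback = m.groupdict()
        elif r.func == "gse_get_client_auth_token" and GSS_NOT_FOUND in r.msg:
            gss_not_found = True
        elif r.func == "ads_sasl_spnego_bind" and r.msg.startswith("kinit succeeded but"):
            kinit_ok = True
        elif r.func == "ads_cached_connection_connect":
            m = CONNECT_FAIL_RE.search(r.msg)
            if m:
                findings.append({
                    "domain": m.group("domain"), "error": m.group("err"),
                    "desthost": fallback["host"] if fallback else None,
                    "realm_used": fallback["realm"] if fallback else None,
                    "gss_server_not_found": gss_not_found, "kinit_ok": kinit_ok,
                    "diagnosis": _diagnose(fallback, gss_not_found, kinit_ok),
                })
                fallback, gss_not_found, kinit_ok = None, False, False
    return findings


# Lines copied from the winbindd log posted in the thread (trimmed to the relevant records).
SAMPLE_LOG = """
[2017/05/04 23:59:56.579410,  3, pid=24430, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)
  kerberos_get_principal_from_service_hostname: cannot get realm from, desthost 2012dc1.minerva-2012d.com or default ccache. Using default smb.conf realm AUTOMATION.NUTANIX.COM
[2017/05/04 23:59:56.667456,  1, pid=24430, effective(0, 0), real(0, 0)] ../source3/librpc/crypto/gse.c:340(gse_get_client_auth_token)
  gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database]
[2017/05/04 23:59:56.667521,  1, pid=24430, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/05/04 23:59:56.667625,  0, pid=24430, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/05/04 23:59:56.667814,  1, pid=24430, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain MINERVA_2012D failed: An internal error occurred.
"""

if __name__ == "__main__":
    for finding in triage_trust_connect(parse_samba_log(SAMPLE_LOG)):
        print(f"{finding['domain']}: {finding['diagnosis']}")
```

Run it against a full `log level = 10` winbindd log and one finding per failed trusted-domain connection comes out, with the desthost that could not be mapped to a realm next to the realm Samba fell back to; the same state machine can be extended with further `func` names if other records matter.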

Re: Unable to authenticate the trusted(external trust) domain users.

On Fri, May 5, 2017 at 2:08 AM, Hemanth Thummala via samba-technical
<[hidden email]> wrote:

> Hello All,
>
> We are using samba 4.3.11 stack. And currently, we are facing an issue with authenticating trusted(External trust) domain users. Child trust domains is working fine.
> Session setup is actually failing with STATUS_UNSUCCESSFUL.
>
> Looking at winbindd logs, found that we are unable to bring the specific domain online. And the attempt to connect to trusted domain DC is failing with internal error.

While looking at that stack trace makes me think that this isn't the
problem, I'll throw it out there on the low chance that it caused the
conditions that this is the effect of - are the clocks on all of the
machines fairly in sync?  Kerberos is fairly time sensitive and I've
had a wandering clock on a VM cause issues until I made it practice to
have an NTP server on site that's handed off in DHCP to keep all of
the clocks from drifting enough that kinit would fail from time to
time.  Low chance this is your underlying issue, but it's also low
effort to check/correct.

--
Peace and Blessings,
-Scott.

Re: Unable to authenticate the trusted(external trust) domain users.

Hi Scott,

We actually found a clock skew problem on the same DC, and the error at that time was more informative.

[2017/05/04 19:37:35.081722,  0, pid=118359, effective(0, 0), real(0, 0)] ../source3/libads/kerberos_util.c:74(ads_kinit_password)
  kerberos_kinit_password NUTEST875651$@AUTOMATION.NUTANIX.COM failed: Clock skew too great
[2017/05/04 19:37:35.081901,  1, pid=118359, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain MINERVA_QA-2-- failed: Clock skew too great


After fixing the clock skew, the error became "Internal error":

[2017/05/04 20:04:48.526788,  1, pid=140452, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:619(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/05/04 20:04:48.526877, 10, pid=140452, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:672(gensec_spnego_create_negTokenInit)
  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
[2017/05/04 20:04:48.526907,  0, pid=140452, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2017/05/04 20:04:48.526971,  1, pid=140452, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:136(ads_cached_connection_connect)
  ads_connect for domain MINERVA_QA-2-- failed: An internal error occurred.


As you can see from the log, kinit actually succeeded, but ads_sasl_spnego_gensec_bind() failed.

Thanks,
Hemanth.



Re: Unable to authenticate the trusted(external trust) domain users.

Interestingly, wbinfo -a works for the trusted domain users.

From the winbindd logs, I could see that the RPC "NetrSamLogon" request is being made to the local domain DC, which in turn talks to the remote DC. There was no direct connection made to the trusted domain.

Whereas, using smbclient or the regular Windows client access workflow, we are trying to establish a session with the remote trusted DC, which is failing with an internal error.

Thanks,

Hemanth.

Re: Unable to authenticate the trusted(external trust) domain users.

It looks like the authentication issue is specific to external trusts.
If I change the trust type for the same domain from "External" to "Forest", authentication goes through fine.

The following error doesn't seem to occur when the trust type is changed to "Forest":
gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database]


Thanks,
Hemanth.




Re: Unable to authenticate the trusted(external trust) domain users.

On Friday, 5 May 2017 09:08:29 CEST Hemanth Thummala via samba-technical
wrote:
> Hello All,
>
> We are using samba 4.3.11 stack. And currently, we are facing an issue with
> authenticating trusted(External trust) domain users. Child trust domains is
> working fine.
> Session setup is actually failing with STATUS_UNSUCCESSFUL.
>
> Looking at winbindd logs, found that we are unable to bring the specific
> domain online. And the attempt to connect to trusted domain DC is failing
> with internal error.

This is fixed with Samba 4.6.


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Re: Unable to authenticate the trusted(external trust) domain users.

Hi Andreas,
Thank you for the response. I could actually see a patch specifically meant to address the external trusts (https://bugzilla.samba.org/show_bug.cgi?id=12554).
I will go through the required patch list and update you.

Regards,
Hemanth.



Re: Unable to authenticate the trusted(external trust) domain users.

On Monday, 8 May 2017 18:17:11 CEST Hemanth Thummala wrote:
> Hi Andreas,
> Thank you for the response. I could actually see a patch specifically meant
> to address the external
> trusts(https://bugzilla.samba.org/show_bug.cgi?id=12554).
> I will go
> through the required patch list and update you.
>
> Regards,
> Hemanth.
>

Well, this is just gensec; there are probably roughly a hundred patches
covering winbind and libsmb in Samba 4.6 which fix trusted domains. It starts
with passing down cli_credentials correctly and ends with fixing user lookups
in winbind.



        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Re: Unable to authenticate the trusted(external trust) domain users.

Hi Andreas,

Actually, the patch (https://attachments.samba.org/attachment.cgi?id=12986) made for Bug 12598 <https://bugzilla.samba.org/show_bug.cgi?id=12598> resolved the trust issue for us. What I understood from my earlier debugging is that the client-side piece was always using Kerberos, without a fallback approach to NTLMSSP, to connect to remote trusted domain DCs. I think this gets addressed specifically by this patch. We have unit tested all the trust scenarios, and things are looking good. But we would like to know if there will be any dependency issues that you would like to share with just taking this patch.

We are definitely planning to upgrade to 4.6.2. It's just that we are waiting for a release that can fit a good test cycle.

Thank you for the help.

Regards,
Hemanth.



