[Samba] winbind errors for trusted domain (of a one-way trust)

Hi,

Our AD domain "A.COM" has a one-way trust with "B.COM" with B.COM being
the trusted domain.

We have a samba server that is joined to A.COM on which users of B.COM
need access. We have samba and winbind configured and it seems to be
working correctly except for the following message that keeps on
appearing in the log.wb-B logfile:

[2017/05/04 14:42:53.727050,  0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [Unspecified GSS failure.  Minor code
may provide more information: Server not found in Kerberos database]
(

I've increased the log level of winbindd to 8 and it shows the following
output (censored to have the domain names replaced):

[2017/05/04 13:09:53.876940,  5]
../source3/lib/messages.c:449(messaging_register)
  Registering messaging pointer for type 1030 - private_data=(nil)
[2017/05/04 13:09:53.877003,  5]
../source3/lib/messages.c:464(messaging_register)
  Overriding messaging pointer for type 1030 - private_data=(nil)
[2017/05/04 13:09:53.877026,  5]
../source3/lib/messages.c:449(messaging_register)
  Registering messaging pointer for type 1031 - private_data=(nil)
[2017/05/04 13:09:53.877045,  5]
../source3/lib/messages.c:464(messaging_register)
  Overriding messaging pointer for type 1031 - private_data=(nil)
[2017/05/04 13:09:54.028815,  5]
../source3/winbindd/winbindd_cm.c:160(msg_try_to_go_online)
  msg_try_to_go_online: received for domain B.
[2017/05/04 13:09:54.028858,  3]
../source3/winbindd/winbindd_cm.c:2125(connection_ok)
  connection_ok: Connection to DC2.b.com for domain B is not connected
[2017/05/04 13:09:54.028912,  5]
../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "B" domain
[2017/05/04 13:09:54.029028,  5]
../source3/rpc_client/cli_pipe.c:826(rpc_api_pipe_send)
  rpc_api_pipe: host dc1.a.com
[2017/05/04 13:09:54.029070,  5]
../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message
[2017/05/04 13:09:54.029782,  5]
../source3/rpc_client/cli_pipe.c:98(rpc_read_send)
  rpc_read_send: data_to_read: 456
[2017/05/04 13:09:54.029841,  6]
../librpc/rpc/dcerpc_util.c:173(dcerpc_pull_auth_trailer)
  ../librpc/rpc/dcerpc_util.c:173: auth_pad_length 0
[2017/05/04 13:09:54.029981,  5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for A.COM: "Default-First-Site-Name"
[2017/05/04 13:09:54.030009,  5]
../source3/libsmb/namecache.c:165(namecache_fetch)
  name DC2.b.com#20 found.
[2017/05/04 13:09:54.030047,  5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.030064,  4]
../source3/libsmb/namequery_dc.c:77(ads_dc_name)
  ads_dc_name: domain=B
[2017/05/04 13:09:54.030086,  5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.030101,  6]
../source3/libads/ldap.c:409(resolve_and_ping_dns)
  resolve_and_ping_dns: (cldap) looking for realm 'b.com'
[2017/05/04 13:09:54.030118,  8]
../source3/libsmb/namequery.c:3312(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name b.com (sitename
Default-First-Site-Name)
[2017/05/04 13:09:54.030171,  5]
../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "b.com" domain
[2017/05/04 13:09:54.030198,  3]
../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/04 13:09:54.030229,  5]
../source3/libsmb/namecache.c:165(namecache_fetch)
  name b.com#1C found.
[2017/05/04 13:09:54.030259,  8]
../source3/libsmb/namequery.c:3139(get_dc_list)
  Adding 4 DC's from auto lookup
[2017/05/04 13:09:54.030309,  4]
../source3/libsmb/namequery.c:3262(get_dc_list)
  get_dc_list: returning 4 ip addresses in an ordered list
[2017/05/04 13:09:54.030331,  4]
../source3/libsmb/namequery.c:3263(get_dc_list)
  get_dc_list: 10.112.8.12:389 10.112.8.11:389 10.112.8.14:389
10.112.8.13:389
[2017/05/04 13:09:54.030368,  5]
../source3/libads/ldap.c:254(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.112.8.12 (realm: b.com)
[2017/05/04 13:09:54.031655,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.112.8.12
[2017/05/04 13:09:54.031703,  5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.031743,  4]
../source3/libsmb/namequery_dc.c:151(ads_dc_name)
  ads_dc_name: using server='DC2.B.COM' IP=10.112.8.12
[2017/05/04 13:09:54.031775,  5]
../source3/libads/sitename_cache.c:105(sitename_fetch)
  sitename_fetch: Returning sitename for b.com: "Default-First-Site-Name"
[2017/05/04 13:09:54.031798,  8]
../source3/libsmb/namequery.c:3312(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name b.com (sitename
Default-First-Site-Name)
[2017/05/04 13:09:54.031832,  5]
../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "b.com" domain
[2017/05/04 13:09:54.031855,  3]
../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/04 13:09:54.031883,  5]
../source3/libsmb/namecache.c:165(namecache_fetch)
  name b.com#1C found.
[2017/05/04 13:09:54.031916,  8]
../source3/libsmb/namequery.c:3139(get_dc_list)
  Adding 4 DC's from auto lookup
[2017/05/04 13:09:54.031971,  4]
../source3/libsmb/namequery.c:3262(get_dc_list)
  get_dc_list: returning 4 ip addresses in an ordered list
[2017/05/04 13:09:54.031993,  4]
../source3/libsmb/namequery.c:3263(get_dc_list)
  get_dc_list: 10.112.8.12:389 10.112.8.11:389 10.112.8.14:389
10.112.8.13:389
[2017/05/04 13:09:54.032061,  8]
../source3/libsmb/namequery.c:3312(get_sorted_dc_list)
  get_sorted_dc_list: attempting lookup for name b.com (sitename NULL)
[2017/05/04 13:09:54.032095,  5]
../source3/libsmb/namequery.c:210(saf_fetch)
  saf_fetch: failed to find server for "b.com" domain
[2017/05/04 13:09:54.032115,  3]
../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/05/04 13:09:54.032162,  5]
../source3/libsmb/namecache.c:165(namecache_fetch)
  name b.com#1C found.
[2017/05/04 13:09:54.032194,  8]
../source3/libsmb/namequery.c:3139(get_dc_list)
  Adding 4 DC's from auto lookup
[2017/05/04 13:09:54.032243,  4]
../source3/libsmb/namequery.c:3262(get_dc_list)
  get_dc_list: returning 4 ip addresses in an ordered list
[2017/05/04 13:09:54.032263,  4]
../source3/libsmb/namequery.c:3263(get_dc_list)
  get_dc_list: 10.112.8.12:389 10.112.8.11:389 10.112.8.14:389
10.112.8.13:389
[2017/05/04 13:09:54.032334,  3]
../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.112.8.12 at port 445
[2017/05/04 13:09:54.034028,  5]
../source3/libads/ldap.c:254(ads_try_connect)
  ads_try_connect: sending CLDAP request to 10.112.8.12 (realm: b.com)
[2017/05/04 13:09:54.035310,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.112.8.12
[2017/05/04 13:09:54.035349,  5]
../source3/libsmb/namecache.c:78(namecache_store)
  namecache_store: storing 1 address for DC2.b.com#20: 10.112.8.12
[2017/05/04 13:09:54.038590,  3]
../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/05/04 13:09:54.038800,  5]
../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
  connecting to DC2.b.com from SERVER1 with kerberos principal
[SERVER1$@A.COM] and realm [b.com]
[2017/05/04 13:09:54.038848,  3]
../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/04 13:09:54.038906,  3]
../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/04 13:09:54.038946,  3]
../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/04 13:09:54.038966,  3]
../source3/libsmb/cliconnect.c:1742(cli_session_setup_get_principal)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
[2017/05/04 13:09:54.038989,  3]
../source3/libsmb/cliconnect.c:1757(cli_session_setup_get_principal)
  cli_session_setup_spnego: guessed server principal=cifs/DC2.b.com@xxxxx
[2017/05/04 13:09:54.056985,  5]
../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC mechanism spnego
[2017/05/04 13:09:54.057038,  5]
../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2017/05/04 13:09:54.059067,  0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [Unspecified GSS failure.  Minor code
may provide more information: Server not found in Kerberos database]
[2017/05/04 13:09:54.059175,  1]
../auth/gensec/spnego.c:622(gensec_spnego_create_negTokenInit)
  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
[2017/05/04 13:09:54.059282,  3]
../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: An internal error occurred.
[2017/05/04 13:09:54.059317,  4]
../source3/winbindd/winbindd_cm.c:1140(cm_prepare_connection)
  failed kerberos session setup with NT_STATUS_INTERNAL_ERROR
[2017/05/04 13:09:54.059336,  4]
../source3/winbindd/winbindd_cm.c:1191(cm_prepare_connection)
  authenticated session setup failed with NT_STATUS_INTERNAL_ERROR
[2017/05/04 13:09:54.059627,  5]
../source3/rpc_client/cli_pipe.c:826(rpc_api_pipe_send)
  rpc_api_pipe: host dc1.a.com
[2017/05/04 13:09:54.059686,  5]
../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message
...


From what I can tell the samba server is trying to use a kerberos ticket
from A.COM to access the LDAP server of a B.COM domain controller?

[2017/05/04 13:09:54.038800,  5]
../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
  connecting to DC2.b.com from SERVER1 with kerberos principal
[SERVER1$@A.COM] and realm [b.com]

Since there is no trust in that direction, the domain controller of
B.COM probably rejects that ticket.

Is there a way to fix this on the samba server side?

Is this related to bug 8630 in the tracker? This bug seems to be about
transitive one-way trusts so I'm not sure it's related. It also hasn't
seen any activity since June 2013.

Regards,

Rik

-- 
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440  - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>
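The reasoning in the post, that winbind presents a SERVER1$@A.COM principal to a b.com domain controller and the DC answers with "Server not found in Kerberos database", can be checked mechanically across a whole log.wb-* file. The script below is an added example, not code from the post or from the Samba project: it parses the multi-line winbindd debug-log format shown above (a `[timestamp, level]` header, the source location, then an indented message that may wrap onto an unindented continuation line), finds every `cm_prepare_connection` line whose principal realm differs from the target realm, and reports whether a GSS "Server not found" failure followed within a few seconds. The sample log is constructed from the entries quoted in the post; the function and class names, and the 5-second correlation window, are assumptions of this example.

```python
"""Triage helper for Samba winbindd logs: flag Kerberos session setups where
the client principal's realm does not match the realm of the DC being
contacted, and correlate them with a following GSS failure.

Example code, not part of the Samba project. The log format assumed here is
the one shown in the post (winbindd debug level 5-8)."""
import re
from dataclasses import dataclass
from datetime import datetime

# "[2017/05/04 13:09:54.038800,  5]" optionally followed by the source location.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\](.*)$")
CONNECT_RE = re.compile(
    r"connecting to (?P<dc>\S+) from (?P<host>\S+) with kerberos principal "
    r"\[(?P<principal>[^\]]+)\] and realm \[(?P<realm>[^\]]+)\]")
GSS_FAIL = "Server not found in Kerberos database"


@dataclass
class Entry:
    when: datetime
    level: int
    location: str  # e.g. ../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
    message: str   # message text with wrapped continuation lines re-joined


@dataclass
class Finding:
    when: datetime
    dc: str
    principal: str
    principal_realm: str
    target_realm: str
    gss_failure: bool  # a GSS "Server not found" error followed within the window


def _build_entry(header, body):
    when, level, rest = header
    lines = ([rest.strip()] if rest.strip() else []) + [l.strip() for l in body]
    location = lines[0] if lines else ""
    return Entry(when, level, location, " ".join(lines[1:]))


def parse_entries(text: str) -> list[Entry]:
    """Split a winbindd log into entries; non-header lines belong to the entry above."""
    entries: list[Entry] = []
    header = None
    body: list[str] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if header is not None:
                entries.append(_build_entry(header, body))
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                      int(m.group(2)), m.group(3))
            body = []
        elif header is not None and raw.strip():
            body.append(raw)
    if header is not None:
        entries.append(_build_entry(header, body))
    return entries


def find_cross_realm_setups(entries: list[Entry], window_seconds: float = 5.0) -> list[Finding]:
    """Report session setups whose principal realm != target realm (case-insensitive)."""
    findings: list[Finding] = []
    for i, e in enumerate(entries):
        m = CONNECT_RE.search(e.message)
        if not m:
            continue
        principal = m["principal"]
        principal_realm = principal.rsplit("@", 1)[-1]
        target_realm = m["realm"]
        if principal_realm.lower() == target_realm.lower():
            continue  # same realm: the normal case, nothing to report
        failed = False
        for later in entries[i + 1:]:
            if (later.when - e.when).total_seconds() > window_seconds:
                break
            if GSS_FAIL in later.message:
                failed = True
                break
        findings.append(Finding(e.when, m["dc"], principal, principal_realm, target_realm, failed))
    return findings


# Constructed sample: entries copied from the post's quoted log.
SAMPLE_LOG = """\
[2017/05/04 13:09:54.031655,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.112.8.12
[2017/05/04 13:09:54.038800,  5]
../source3/winbindd/winbindd_cm.c:1123(cm_prepare_connection)
  connecting to DC2.b.com from SERVER1 with kerberos principal
[SERVER1$@A.COM] and realm [b.com]
[2017/05/04 13:09:54.057038,  5]
../auth/gensec/gensec_start.c:680(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2017/05/04 13:09:54.059067,  0]
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [Unspecified GSS failure.  Minor code
may provide more information: Server not found in Kerberos database]
[2017/05/04 13:09:54.059317,  4]
../source3/winbindd/winbindd_cm.c:1140(cm_prepare_connection)
  failed kerberos session setup with NT_STATUS_INTERNAL_ERROR
"""

if __name__ == "__main__":
    for f in find_cross_realm_setups(parse_entries(SAMPLE_LOG)):
        status = "GSS failure followed" if f.gss_failure else "no GSS failure seen"
        print(f"{f.when} {f.dc}: principal {f.principal} (realm {f.principal_realm}) "
              f"used against realm {f.target_realm}; {status}")
```

Run it against a real log.wb-B file by reading the file into `parse_entries`; a finding with `gss_failure` set is the pattern described in the post (A.COM machine credentials offered to a B.COM DC that has no trust path back), while a cross-realm setup without a following failure would indicate the DC did accept the ticket.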
