Discussion:
[Samba] Lost trusted domain in samba-4.4.4
hy wu
2016-07-27 08:35:12 UTC
Hi list,

This is my domain environment and all DC are windows 2008r2

http://i.imgur.com/8cNOtm2.jpeg

When I used samba-4.0.5, I joined my box to domain "HC1", and I got trusted
domain "CHILD2" in "wbinfo -m".

[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2

Then I upgraded my box to samba-4.4.4, I lost CHILD2 in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2


In log.wb-HC2, I found the following messages:

[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)


I compared wireshark pcapng between samba-4.0.5 and samba-4.4.4:
samba-4.0.5:
http://i.imgur.com/ytr7oMt.jpeg

samba-4.4.4:
http://i.imgur.com/f5bYOeo.jpeg

samba-4.4.4 did not send "create netlogon", "netlogon binding" and
DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".

I tried to use patch in
https://bugzilla.samba.org/show_bug.cgi?id=11830

After using this patch, samba-4.4.4 can send "create netlogon" and
"netlogon binding" but failed in NetrServerAuthenticate3.

http://i.imgur.com/vI6eB5R.jpeg

And I got these messages in log.wb-HC2:
2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
ads: trusted_domains


Is there any suggestion that helps to configure samba or DC?

Should I wait for new patch?


This is my smb.conf:
[global]
bind interfaces only = No
config backend = file
dos charset = CP850
enable core files = Yes
interfaces =
multicast dns register = Yes
netbios aliases =
netbios name = MYBOX
netbios scope =
realm = HC1.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate, dns
server string =
share backend = classic
unix charset = UTF-8
workgroup = HC1
browse list = Yes
domain master = Auto
enhanced browsing = Yes
lm announce = Auto
lm interval = 60
local master = No
os level = 20
preferred master = No
allow dns updates = secure only
dns forwarder =
dns update command = /usr/local/samba/sbin/samba_dnsupdate
machine password timeout = 604800
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
spn update command = /usr/local/samba/sbin/samba_spnupdate
mangle prefix = 1
mangling method = hash2
max stat cache size = 256
stat cache = Yes
client ldap sasl wrapping = sign
ldap admin dn =
ldap connection timeout = 2
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
ldap server require strong auth = Yes
ldap ssl = start tls
ldap ssl ads = No
ldap suffix =
ldap timeout = 5
ldap user suffix =
lock spin time = 200
oplock break wait time = 0
smb2 leases = No
debug class = No
debug hires timestamp = Yes
debug pid = No
debug prefix timestamp = No
debug uid = No
ldap debug level = 0
ldap debug threshold = 10
log file =
logging =
log level = 2
max log size = 102400
syslog = 1
syslog only = No
timestamp logs = Yes
abort shutdown script =
add group script =
add machine script =
add user script =
add user to group script =
allow nt4 crypto = No
delete group script =
delete user from group script =
delete user script =
domain logons = No
enable privileges = Yes
init logon delay = 100
init logon delayed hosts =
logon drive =
logon home = \\%N\%U
logon path = \\%N\%U\profile
logon script =
reject md5 clients = No
set primary group script =
shutdown script =
add share command =
afs token lifetime = 604800
afs username map =
allow insecure wide links = No
async smb echo handler = No
auto services =
cache directory = /share/CACHEDEV1_DATA/.samba/cache
change notify = Yes
change share command =
cluster addresses =
clustering = No
config file =
ctdbd socket =
ctdb locktime warn threshold = 0
ctdb timeout = 0
default service =
delete share command =
homedir map = auto.home
kernel change notify = Yes
lock directory = /share/CACHEDEV1_DATA/.samba/lock
log writeable files on exit = No
message command =
nbt client socket address = 0.0.0.0
ncalrpc dir = /usr/local/samba/var/run/ncalrpc
NIS homedir = No
nmbd bind explicit broadcast = Yes
panic action =
perfcount module =
pid directory = /var/lock
registry shares = No
remote announce =
remote browse sync =
reset on zero vc = No
smbd profiling level = off
state directory = /share/CACHEDEV1_DATA/.samba/state
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /usr/local/samba/var/locks/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
utmp = No
utmp directory =
wtmp directory =
addport command =
addprinter command =
cups connection timeout = 30
cups encrypt = No
cups server =
deleteprinter command =
disable spoolss = No
enumports command =
iprint server =
load printers = Yes
lpq cache time = 30
os2 driver map =
printcap cache time = 0
printcap name = /etc/printcap
show add printer wizard = No
cldap port = 389
client ipc max protocol = default
client ipc min protocol = default
client max protocol = default
client min protocol = CORE
client use spnego = Yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver
defer sharing violations = Yes
dgram port = 138
disable netbios = No
enable asu support = No
eventlog list =
large readwrite = Yes
max mux = 50
max ttl = 259200
max wins ttl = 518400
max xmit = 16644
min receivefile size = 256
min wins ttl = 21600
name resolve order = lmhosts wins host bcast
nbt port = 137
nt pipe support = Yes
nt status support = Yes
read raw = Yes
rpc big endian = No
server max protocol = SMB2_02
server min protocol = LANMAN1
server multi channel support = No
smb2 max credits = 8192
smb2 max read = 8388608
smb2 max trans = 8388608
smb2 max write = 8388608
smb ports = 445 139
svcctl list =
time server = No
unicode = Yes
unix extensions = No
use spnego = Yes
web port = 901
write raw = Yes
algorithmic rid base = 1000
allow dcerpc auth level connect = No
allow trusted domains = Yes
auth methods =
check password script =
client ipc signing = No
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
client schannel = No
client signing = No
client use spnego principal = No
dedicated keytab file =
encrypt passwords = Yes
guest account = guest
kerberos method = default
kpasswd port = 464
krb5 port = 88
lanman auth = No
log nt token command =
map to guest = Bad User
map untrusted to domain = No
ntlm auth = Yes
ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
null passwords = Yes
obey pam restrictions = No
old password allowed period = 60
pam password change = Yes
passdb backend = smbpasswd
passdb expand explicit = No
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
passwd program =
password server = HOST223.hc1.com
preload modules =
private dir = /usr/local/samba/private
raw NTLMv2 auth = No
rename user script =
restrict anonymous = 0
root directory =
samba kcc command = /usr/local/samba/sbin/samba_kcc
security = ADS
server role = auto
server schannel = No
server signing = No
smb passwd file = /etc/config/smbpasswd
tls cafile = tls/ca.pem
tls certfile = tls/cert.pem
tls crlfile =
tls dh params file =
tls enabled = Yes
tls keyfile = tls/key.pem
tls priority = NORMAL:-VERS-SSL3.0
tls verify peer = as_strict_as_possible
unix password sync = No
username level = 0
username map = /etc/config/smbusers
username map cache time = 0
username map script =
aio max threads = 100
deadtime = 10
getwd cache = Yes
hostname lookups = No
keepalive = 300
max disk size = 0
max open files = 16384
max smbd processes = 0
name cache timeout = 660
socket options = TCP_NODELAY SO_KEEPALIVE
use mmap = Yes
get quota command =
host msdfs = Yes
set quota command =
create krb5 conf = Yes
idmap backend = tdb
idmap cache time = 604800
idmap gid =
idmap negative cache time = 120
idmap uid =
neutralize nt4 emulation = No
reject md5 servers = No
require strong key = No
template homedir = /share/homes/DOMAIN=%D/%U
template shell = /bin/false
winbind cache time = 1
winbindd privileged socket directory =
/usr/local/samba/var/lib/winbindd_privileged
winbindd socket directory = /usr/local/samba/var/run/winbindd
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 0
winbind max clients = 200
winbind max domain connections = 1
winbind nested groups = Yes
winbind normalize names = No
winbind nss info = template
winbind offline logon = No
winbind reconnect delay = 30
winbind refresh tickets = No
winbind request timeout = 60
winbind rpc only = No
winbind sealed pipes = No
winbind separator = \
winbind trusted domains only = No
winbind use default domain = No
dns proxy = No
wins hook =
wins proxy = No
wins server =
wins support = No
idmap config hc2 : range = 50000001-60000000
idmap config hc2 : backend = rid
idmap config treeroot : range = 40000001-50000000
idmap config treeroot : backend = rid
idmap config child1 : range = 30000001-40000000
idmap config child1 : backend = rid
idmap config hc1 : range = 10000001-20000000
idmap config hc1 : backend = rid
idmap config * : range = 400001-500000
idmap config * : backend = tdb
comment =
path =
administrative share = No
browseable = Yes
case sensitive = Auto
default case = lower
delete veto files = Yes
hide dot files = Yes
hide files =
hide special files = No
hide unreadable = No
hide unwriteable files = No
mangled names = Yes
mangling char = ~
map archive = No
map hidden = No
map readonly = no
map system = No
preserve case = Yes
short preserve case = Yes
store dos attributes = Yes
veto files =
veto oplock files =
blocking locks = Yes
csc policy = manual
fake oplocks = No
kernel oplocks = No
kernel share modes = Yes
level2 oplocks = Yes
locking = Yes
oplock contention limit = 2
oplocks = Yes
posix locking = Yes
strict locking = Auto
afs share = No
available = Yes
copy =
delete readonly = No
dfree cache time = 0
dfree command =
directory name cache size = 100
dmapi support = No
dont descend =
dos filemode = No
dos filetime resolution = No
dos filetimes = Yes
fake directory create times = No
follow symlinks = Yes
fstype = NTFS
include =
magic output =
magic script =
postexec =
preexec =
preexec close = No
root postexec =
root preexec =
root preexec close = No
spotlight = No
volume =
wide links = Yes
cups options =
default devmode = Yes
force printername = No
lppause command =
lpq command = %p
lpresume command =
lprm command =
max print jobs = 1000
max reported print jobs = 0
printable = No
print command =
printer name =
printing = cups
printjob username = %U
print notify backchannel = No
queuepause command =
queueresume command =
use client driver = No
acl allow execute always = Yes
acl check permissions = Yes
acl map full control = Yes
durable handles = Yes
ea support = No
map acl inherit = No
nt acl support = Yes
profile acls = No
access based share enum = No
acl group control = No
admin users =
create mask = 0777
directory mask = 0777
force create mode = 0000
force directory mode = 0000
force group =
force unknown acl user = Yes
force user =
guest ok = No
guest only = No
hosts allow =
hosts deny =
inherit acls = No
inherit owner = No
inherit permissions = No
invalid users =
only user = No
read list =
read only = Yes
smb encrypt = default
username =
valid users =
write list =
aio read size = 1
aio write behind =
aio write size = 0
allocation roundup size = 1048576
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict rename = No
strict sync = No
sync always = No
use sendfile = Yes
write cache size = 0
msdfs proxy =
msdfs root = No
msdfs shuffle referrals = No
ntvfs handler = unixuid, default
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
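An added example, not part of the original post and not Samba project code: a small parser for the winbindd log excerpts quoted above that re-joins the mail-wrapped entries and tallies NETLOGON connection failures per domain and status. The function names are hypothetical, and the header layout is assumed to be exactly the one the post shows (hires timestamp, level, pid, uid pairs, class).

```python
import re
from collections import Counter

# Log text as quoted in the post, including the mail line-wrapping and the
# one entry whose leading "[" was lost when it was pasted.
SAMPLE_LOG = """\
[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)
2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
ads: trusted_domains
"""

# Entry header; the opening "[" is optional so a clipped paste still parses.
HEADER = re.compile(
    r"\[?(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+),\s*"
    r"pid=(?P<pid>\d+),.*?class=(?P<cls>\w+)\]\s*"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)"
)

# The two NETLOGON failure messages that appear in the post.
FAILURES = (
    re.compile(r"Could not open a connection to (\S+) for PIPE_NETLOGON "
               r"\((NT_STATUS_\w+)\)"),
    re.compile(r"rpccli_setup_netlogon_creds failed for (\S+), unable to setup "
               r"NETLOGON credentials: (NT_STATUS_\w+)"),
)


def parse_entries(raw):
    """Undo line wrapping, then split the text into header + message entries."""
    text = " ".join(raw.split())
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entry = m.groupdict()
        for key in ("level", "pid", "line"):
            entry[key] = int(entry[key])
        entry["message"] = text[m.end():end].strip()
        entries.append(entry)
    return entries


def netlogon_failures(entries):
    """Return (timestamp, domain, status, function) for each NETLOGON failure."""
    hits = []
    for entry in entries:
        for pattern in FAILURES:
            m = pattern.search(entry["message"])
            if m:
                hits.append((entry["ts"], m.group(1), m.group(2), entry["func"]))
                break
    return hits


def summarize(entries):
    """Count failures per (domain, NT status) pair."""
    return Counter((dom, status) for _, dom, status, _ in netlogon_failures(entries))


if __name__ == "__main__":
    for (dom, status), count in sorted(summarize(parse_entries(SAMPLE_LOG)).items()):
        print(f"{dom}: {status} x{count}")
```
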
hy wu
2016-07-27 09:33:03 UTC
Here is my smb.conf:

[/usr/local/samba/var] # cat /etc/config/smb.conf
[global]

client schannel = false
server schannel = false
client ipc signing = false
client signing = false
server signing = false
winbind sealed pipes = false
require strong key = false

passdb backend = smbpasswd
workgroup = HC1
security = ADS
server string =
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 102400
socket options = TCP_NODELAY SO_KEEPALIVE
os level = 20
preferred master = no
dns proxy = No
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
oplocks = yes
locking = yes
disable spoolss = no
load printers=yes
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash
Folder/Temporary Items/TheVolumeSettingsFolder/***@__thumb/***@__desc/:2e*/
delete veto files = yes
map archive = no
map system = no
map hidden = no
map read only = no
deadtime = 10
server role = auto
use sendfile = yes
unix extensions = no
store dos attributes = yes
client ntlmv2 auth = yes
dos filetime resolution = no
wide links = yes
force unknown acl user = yes
template homedir = /share/homes/DOMAIN=%D/%U
inherit acls = no
domain logons = no
min receivefile size = 256
case sensitive = auto
domain master = auto
local master = no
enhance acl v1 = yes
remove everyone = no
conn log = no
kernel oplocks = no
max protocol = SMB2_02
lock directory = /share/CACHEDEV1_DATA/.samba/lock
state directory = /share/CACHEDEV1_DATA/.samba/state
cache directory = /share/CACHEDEV1_DATA/.samba/cache
printcap cache time = 0
acl allow execute always = yes
vfs objects = shadow_copy2 aio_pthread
aio read size = 1
aio write size = 0
pid directory = /var/lock
printcap name=/etc/printcap
printing=cups
show add printer wizard=no

realm = hc1.com
ldap timeout = 5
password server = HOST223.hc1.com
pam password change = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 1
idmap config * : backend = tdb
idmap config * : range = 400001-500000
idmap config HC1 : backend = rid
idmap config HC1 : range = 10000001-20000000
idmap config CHILD1 : backend = rid
idmap config CHILD1 : range = 30000001-40000000
idmap config TREEROOT : backend = rid
idmap config TREEROOT : range = 40000001-50000000
idmap config HC2 : backend = rid
idmap config HC2 : range = 50000001-60000000
idmap config CHILD2 : backend = rid
idmap config CHILD2 : range = 60000001-70000000
Post by hy wu
Hi list,
This is my domain environment and all DC are windows 2008r2
http://i.imgur.com/8cNOtm2.jpeg
When I used samba-4.0.5, I joined my box to domain "HC1", and I got trusted
domain "CHILD2" in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
CHILD2
Then I upgraded my box to samba-4.4.4, I lost CHILD2 in "wbinfo -m".
[/share/Public] # wbinfo -m
BUILTIN
MYBOX
HC1
CHILD1
TREEROOT
HC2
[2016/07/26 12:02:03.981949, 5, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1594(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2016/07/26 12:02:03.981962, 3, pid=15758, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_misc.c:168(winbindd_dual_list_trusted_domains)
winbindd_dual_list_trusted_domains: trusted_domains returned
NT_STATUS_UNSUCCESSFUL
[2016/07/26 12:02:03.981971, 4, pid=15758, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)
http://i.imgur.com/ytr7oMt.jpeg
http://i.imgur.com/f5bYOeo.jpeg
samba-4.4.4 did not send "create netlogon", "netlogon binding" and
DsrEnumerateDomainTrust, so I cannot get "CHILD2" in "wbinfo -m".
I tried to use patch in
https://bugzilla.samba.org/show_bug.cgi?id=11830
After using this patch, samba-4.4.4 can send "create netlogon" and
"netlogon binding" but failed in NetrServerAuthenticate3.
http://i.imgur.com/vI6eB5R.jpeg
2016/07/27 16:25:50.602158, 1, pid=18689, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:3320(cm_connect_netlogon_transport)
rpccli_setup_netlogon_creds failed for HC2, unable to setup NETLOGON
credentials: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/07/27 16:25:50.602169, 5, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1573(trusted_domains)
trusted_domains: Could not open a connection to HC2 for PIPE_NETLOGON
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2016/07/27 16:25:50.602182, 3, pid=18689, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_ads.c:1552(trusted_domains)
ads: trusted_domains
Is there any suggestion that helps to configure samba or DC?
Should I wait for new patch?
Can you post the smb.conf as it is stored on the computer and not the
output of 'samba-tool testparm -v'
The smb.conf you supplied is just too much to wade through.
Rowland