
Re: [Samba] status on samba trusts

Hi,

No replies unfortunately. Unsure why.

We searched the list, and we found little discussion on the subject of trusts. We see occasional questions, but they are often left unanswered, like this one.

If someone could point us to some good up-to-date docs on trusts with samba then we would really appreciate it.

We set up a test environment (one samba 4.9.4 testad2 AD, one native windows 2012 testad1 AD, and a win2012 testclient) to play with trusts, but we have just so many questions, and there is so little material (on trusts, specific to the combination with samba) to read.

Both AD domains (testad1 / testad2) are on the same subnet, and my test client can join both domains successfully.

The trust (from samba's side) 'half' succeeds, with an error when validating the incoming trust at the end.

Here are some outputs:

root@testad2dc:/var/log/samba# samba-tool domain trust create TESTAD1.company.com -U TESTAD1\\administrator
LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
Password for [TESTAD1\administrator]:
RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
Creating remote TDO.
Remote TDO created.
Setting supported encryption types on remote TDO.
Creating local TDO.
Local TDO created
Setting supported encryption types on local TDO.
Validating outgoing trust...
OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
Validating incoming trust...
ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED

root@testad2dc:/var/log/samba# samba-tool domain trust validate testad1
LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
LocalTDO Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK]
RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to connect netlogon server - ERROR(0xC0000034) - The object name is not found.

root@testad2dc:/var/log/samba# samba-tool domain trust list
Type[External] Transitive[No]  Direction[BOTH]     Name[testad1.company.com]

root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
TrustedDomain:

NetbiosName:    TESTAD1
DnsName:        testad1.company.com
SID:            S-1-5-21-2509583006-2398556320-3264531554
Type:           0x2 (UPLEVEL)
Direction:      0x3 (BOTH)
Attributes:     0x4 (QUARANTINED_DOMAIN)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)

root@testad2dc:/var/log/samba# wbinfo --online-status
BUILTIN : active connection
TESTAD2 : active connection
TESTAD1 : active connection

root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1

root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
TESTAD2\administrator
TESTAD2\guest
TESTAD2\krbtgt
TESTAD2\testuser

On the windows 2012 testad1 side, we do NOT see the trust relation listed under "Active directory domains and trusts". Trusted remote users are not shown with wbinfo.

Apart from that, there are some options to the "samba-tool domain trust create" command that make us wonder:

--quarantined=yes|no (seems to be talking about SID filtering, whereas the release notes always mention that NO filtering is done..?)

--create-location=LOCATION (we wonder what is to be created locally or in both places)

So... many questions and so little to read... Pointers, ideas..?

Thanks in advance!

MJ
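The outputs above show the pattern of a trust that validates in one direction only: "Validating outgoing trust..." passes (the Samba DC reaches WIN-0ENAIPFH11A), while "Validating incoming trust..." is reported by the remote DC as WERR_NO_LOGON_SERVERS with an empty DC[], i.e. the Windows DC could not locate a domain controller for testad2.company.com. For that step the remote domain's DNS has to resolve the SRV records of the Samba domain. The script below is an added example for triaging exactly this situation; it is not code from the post or from the Samba project. It parses `samba-tool domain trust validate` output (read on stdin) into one line per check and direction, and, in live mode, queries the SRV records of both domains, optionally against the remote DC's resolver. The domain and DC names are the ones from the post; the script name, the sample strings and the `--live` argument handling are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Samba project.
# Helpers for triaging a trust that validates in one direction only:
#   trust_validate_triage  parses "samba-tool domain trust validate" (or the
#                          validation tail of "trust create") read on stdin and
#                          prints one "<direction> <status> ..." line per check
#   srv_names              lists the DNS SRV records a DC locator queries to
#                          find a DC of a domain
# Domain and DC names are the ones from the post; the script name, the sample
# strings and the --live argument handling are assumptions.

# SRV names a DC locator (Windows or Samba) asks for when it needs a DC of $1.
srv_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.dc._msdcs.$1" \
                  "_ldap._tcp.$1" "_kerberos._tcp.$1"
}

# field LINE KEY: the text between "KEY[" and the next "]"; empty if absent.
field() {
    case $1 in
    *"$2["*) v=${1#*"$2["}; printf '%s' "${v%%]*}" ;;
    *)       printf '' ;;
    esac
}

# Read validation output on stdin. In samba-tool's output "LocalValidation"
# follows "Validating outgoing trust..." (this DC reaches a DC of the trusted
# domain) and "RemoteValidation" follows "Validating incoming trust..." (the
# remote DC must in turn locate a DC of *this* domain). Returns 1 on any ERROR.
trust_validate_triage() {
    rc=0
    while IFS= read -r line; do
        status=${line%%:*}
        case $line in
        OK:*LocalValidation:*|ERROR:*LocalValidation:*)
            printf 'outgoing %s dc=%s connection=%s trust=%s\n' "$status" \
                "$(field "$line" DC)" "$(field "$line" CONNECTION)" "$(field "$line" TRUST)" ;;
        OK:*RemoteValidation:*|ERROR:*RemoteValidation:*)
            printf 'incoming %s dc=%s connection=%s trust=%s\n' "$status" \
                "$(field "$line" DC)" "$(field "$line" CONNECTION)" "$(field "$line" TRUST)" ;;
        OK:*Rediscover:*|ERROR:*Rediscover:*)
            printf 'outgoing %s rediscover dc=%s connection=%s\n' "$status" \
                "$(field "$line" DC)" "$(field "$line" CONNECTION)" ;;
        ERROR:*REMOTE_DC*netlogon*)
            s=${line#*"ERROR("}
            printf 'incoming ERROR remote_dc=%s netlogon=%s\n' \
                "$(field "$line" REMOTE_DC)" "${s%%)*}" ;;
        *) continue ;;
        esac
        case $status in ERROR) rc=1 ;; esac
    done
    return $rc
}

# Constructed samples, copied from the post's output, for offline use.
SAMPLE_CREATE='OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED'
SAMPLE_VALIDATE='OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK]
ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to connect netlogon server - ERROR(0xC0000034) - The object name is not found.'

# Live run on the Samba DC (needs samba-tool and dig):
#   sh trust-triage.sh --live testad1.company.com testad2.company.com [REMOTE_DC_IP]
# Querying the remote DC's resolver for *our* SRV records is the check that
# matters for the incoming direction: if it cannot resolve them (no forwarder
# or stub zone for our domain there), the remote side finds no logon server.
main_live() {
    remote=$1; ours=$2; resolver=${3:+@$3}
    printf '== SRV records of %s as seen by %s ==\n' "$ours" "${3:-this host}"
    srv_names "$ours" | while IFS= read -r n; do
        printf '%s -> ' "$n"; dig +short $resolver SRV "$n" | tr '\n' ' '; echo
    done
    printf '== SRV records of %s ==\n' "$remote"
    srv_names "$remote" | while IFS= read -r n; do
        printf '%s -> ' "$n"; dig +short SRV "$n" | tr '\n' ' '; echo
    done
    samba-tool domain trust validate "$remote" | trust_validate_triage
}

case ${1-} in
--live) shift; main_live "$@" ;;
esac
```

Run offline with `printf '%s\n' "$SAMPLE_CREATE" | trust_validate_triage` to see the two directions separated; in the post's case the outgoing line is OK and the incoming line carries WERR_NO_LOGON_SERVERS with an empty dc=, which is what points at DC location from the Windows side rather than at the TDOs themselves.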
