Web lists-archives.com

Re: [Samba] status on samba trusts




Now I have a some time to answer, maybe a few of your questions.

Am 26.02.19 um 20:59 schrieb lists via samba:
> Hi,
> 
> No replies unfortunately. Unsure why.
There are still a lot of questions open and I think a lot of things have
to be done.
> 
> We searched the list, and we found little discussion on the subject of
> trusts. We see occasional questions, but they are often left unanswered,
> like this one.
> 
> If someone could point us to some good up-to-date docs on trusts with
> samba then we would really appreciate it.
> 
> We setup a test environment (one samba 4.9.4 testad2 AD, one native
> windows 2012 testad1 AD, and a win2012 testclient) to play with trusts,
> but we have just so many questions, and there is so little material (on
> trusts, specific to the combination with samba) to read.
Up to this point I did a few installations with two Samba4 Domains
> 
> Both AD domains (testad1 / testad2) are on the same subnet, and my test
> client can join both domains successfully.
Before you join the domain you should check if you can resolve the
SRV-Records of both domains from either side. For this the best thin is
to set up a DNS-Proxy between the two domains.
> 
> The trust (from samba's side) succeeds 'half' with an error when
> validating the incoming trust at the end.
Most of the time it's a DNS-problem, so first check the SRV-Records
> 
> Here are some outputs:
> 
>> root@testad2dc:/var/log/samba# samba-tool domain trust create
>> TESTAD1.company.com  -U TESTAD1\\administrator
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>
>> Password for [TESTAD1\administrator]:
>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>> Creating remote TDO.
>> Remote TDO created.
>> Setting supported encryption types on remote TDO.
>> Creating local TDO.
>> Local TDO created
>> Setting supported encryption types on local TDO.
>> Validating outgoing trust...
>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>> Validating incoming trust...
>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
> 
>> root@testad2dc:/var/log/samba# samba-tool domain trust validate testad1
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>> CONNECTION[WERR_OK]
>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
>>
>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>> found.
Did you check the DNS?
> 
>> root@testad2dc:/var/log/samba# samba-tool domain trust list
>> Type[External] Transitive[No]  Direction[BOTH]    
>> Name[testad1.company.com]
> 
>> root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>> TrustedDomain:
> 
>> NetbiosName:    TESTAD1
>> DnsName:        testad1.company.com
>> SID:            S-1-5-21-2509583006-2398556320-3264531554
>> Type:           0x2 (UPLEVEL)
>> Direction:      0x3 (BOTH)
>> Attributes:     0x4 (QUARANTINED_DOMAIN)
>> PosixOffset:    0x00000000 (0)
>> kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>> root@testad2dc:/var/log/samba# wbinfo --online-status
>> BUILTIN : active connection
>> TESTAD2 : active connection
>> TESTAD1 : active connection
> 
>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
> 
>> root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>> TESTAD2\administrator
>> TESTAD2\guest
>> TESTAD2\krbtgt
>> TESTAD2\testuser
> 
> On the windows 2012 testad1 side, we do NOT see the trust relation
> listed under "Active directory domains and trusts". Trusted remote users
> are not shown with wbinfo.
wbinfo will NOT show you the users from the other domain, this is disabled.
> 
> For the rest there are some options to the "samba-tool domain trust
> create" command that make us wonder:
> 
> --quarantined=yes|no (seems to be talking about SID filtering, whereas
> the release notes always mention that NO filtering is done..?)
you can set it but (at the moment) it's ignored ;-)
> 
>  --create-location=LOCATION (we wonder what is to be created local or on
> both places)
> 
> So... many questions and so little to read... Pointers, ideas..?
> 
The only way I used the trusts so far is setting up a full trust. I've
wrote an article in a german magazine about trusts. It's a little "how
to" to creat a working trust.
> Thanks in advance!
> 
> MJ
> 
If you set up a full forest-trust you can put users from any domain to
the other domain and set permissions on fileservers an use the resources.


-- 
Stefan

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba