Re: [Samba] status on samba trusts

Hi Stefan, others,

Just to report back that things work very nicely now that DNS is using one dns proxy that resolves both AD domains. I am testing now with a 'full' two-way trust, and everything seemed to work, including the tests from samba-tool and from the windows "domains and trusts" perspective.

From an administrative point of view, the fact that you have to add group members using their SID instead of "TRUSTEDDOM\username" seems a bit cumbersome. Let's hope that in a future update, it will be possible to use usernames from the other domain.

Also it seems that group adds in samba domain2 are not reflected back to ADUC in TRUSTEDDOM, even though for now I am testing with a full two-way trust. But anyway, we don't need that.

Now, on to testing a one-way incoming trust.

Thanks very much for the assistance!

MJ
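
As an added example (not from any poster in this thread), here is a small Python script that reads the kind of log Louis's BIND query_log channel (quoted further down) produces and reports which client asked for which domain's DC-locator SRV records, the check Stefan recommends before trusting or joining. The log lines and client addresses are constructed, the domain names are the two from the thread, and the _ldap._tcp.dc._msdcs, _kerberos._tcp and _ldap._tcp names are the standard AD locator records, not something taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of what BIND writes to a query channel without print-* options; the
# "@0x..." client pointer appears only on newer BIND releases, so the regex treats it as optional.
SAMPLE_LOG = """\
client @0x7f0b2c01 192.168.10.21#51234 (_ldap._tcp.dc._msdcs.testad1.company.com): query: _ldap._tcp.dc._msdcs.testad1.company.com IN SRV +E(0)K (192.168.10.5)
client @0x7f0b2c01 192.168.10.21#51235 (_kerberos._tcp.testad1.company.com): query: _kerberos._tcp.testad1.company.com IN SRV +E(0)K (192.168.10.5)
client 192.168.10.12#60001 (_ldap._tcp.dc._msdcs.testad2.company.com): query: _ldap._tcp.dc._msdcs.testad2.company.com IN SRV + (192.168.10.5)
client 192.168.10.12#60002 (www.example.com): query: www.example.com IN A + (192.168.10.5)
"""

DOMAINS = ("testad1.company.com", "testad2.company.com")  # the two AD domains from the thread
# Standard AD DC-locator SRV names a DC or member resolves to find the other domain's DCs.
LOCATOR_PREFIXES = ("_ldap._tcp.dc._msdcs.", "_kerberos._tcp.", "_ldap._tcp.")

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+)"
)

def parse_queries(text):
    """Yield (client_ip, qname, rtype) for each query line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["name"].lower().rstrip("."), m["rtype"]

def locator_lookups(text, domains=DOMAINS):
    """Return {client_ip: {domain: set(locator names asked)}} for SRV queries only."""
    result = defaultdict(lambda: defaultdict(set))
    for ip, name, rtype in parse_queries(text):
        if rtype != "SRV":
            continue
        for dom in domains:
            if any(name == prefix + dom for prefix in LOCATOR_PREFIXES):
                result[ip][dom].add(name)
    return {ip: dict(per_dom) for ip, per_dom in result.items()}

def domains_never_queried(text, domains=DOMAINS):
    """Domains whose DC-locator records nobody asked for: the symptom behind WERR_NO_LOGON_SERVERS."""
    seen = {dom for per_dom in locator_lookups(text, domains).values() for dom in per_dom}
    return [dom for dom in domains if dom not in seen]

if __name__ == "__main__":
    for ip, per_dom in sorted(locator_lookups(SAMPLE_LOG).items()):
        for dom, names in per_dom.items():
            print(f"{ip} -> {dom}: {', '.join(sorted(names))}")
    print("never looked up:", domains_never_queried(SAMPLE_LOG) or "none")
```

Feed it the real query.log of the proxy and a DC that never asks for the other domain's _msdcs records shows up immediately in the "never looked up" line.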

On 2/28/19 4:50 PM, mj via samba wrote:
Thanks everybody!

The sudden burst of help (both on- and offlist) is much appreciated. :-)

I'll get back to my test setup next week, and try again with these new insights.

MJ

On 2/28/19 3:46 PM, L.P.H. van Belle via samba wrote:
Hai Maurik-Jan,

Stefan's work can be found here, I'm reading it myself and it's really good.

https://www.amazon.de/Samba-Das-Handbuch-für-Administratoren/dp/3446455914/ref=pd_sim_14_2/261-6894960-3522002?_encoding=UTF8&pd_rd_i=3446455914&pd_rd_r=7d58910c-3b66-11e9-9ce8-2950a399f43d&pd_rd_w=4AU6C&pd_rd_wg=dftoX&pf_rd_p=b0773d2f-6335-4e3d-8bed-091e22ee3de4&pf_rd_r=8AX19KSS51H8HTX0NG8F&psc=1&refRID=8AX19KSS51H8HTX0NG8F But it's all German.. You're close to Germany, so that should not be a problem for you.


I'll look into setting up a (query logging) dns proxy, that should tell us at least who is asking what.
And .. Here you go, your bind logging for the proxy server. ;-)

// when needed just include this file at the end of named.conf.local
// And don't forget: install -o named -g adm -m 640 -d /var/log/bind
// and set up logrotate.

Just enable one or more of the categories below.

logging {
        channel bind_log {
                file "/var/log/bind/bind.log" versions 3 size 1m;
                severity info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };
        channel query_log {
                file "/var/log/bind/query.log" size 1m;
                // Set the severity to dynamic to see all the debug messages.
                severity debug 3;
        };
        channel update_debug {
                file "/var/log/bind/update_debug.log" versions 3 size 100k;
                severity debug;
                print-severity  yes;
                print-time      yes;
        };
        channel security_info {
                file "/var/log/bind/security_info.log" versions 1 size 100k;
                severity info;
                print-severity  yes;
                print-time      yes;
        };
        channel xfer_log {
                file "/var/log/bind/xfer.log" size 1m;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity info;
        };
        channel unmatched_log {
                file "/var/log/bind/unmatched.log" size 1m;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity info;
        };

        // the default is to syslog
        //category default { default_syslog; default_debug; };

        category default { bind_log; };
        category lame-servers { null; };
        //category update { update_debug; };
        //category update-security { update_debug; };
        category security { security_info; };
        //category queries { query_log; };
        //category unmatched { null; };
        //category xfer-in { xfer_log; };
        //category xfer-out { xfer_log; };
};



Greetings,

Louis

-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of mj via samba
Sent: Thursday, 28 February 2019 15:32
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] status on samba trusts

Hi Stefan,

Thanks for your input. I'll check the dns stuff. I put resolvers for both domains as primary and secondary on both machines, but I guess that's not good enough.

I'll look into setting up a (query logging) dns proxy, that should tell us at least who is asking what.

Any chance to share that (german) article you wrote?

My German is not perfect, but good enough to understand a technical article. :-)

Thanks for responding!

MJ

On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
Now I have some time to answer, maybe, a few of your questions.

On 26.02.19 at 20:59, lists via samba wrote:
Hi,

No replies unfortunately. Unsure why.
There are still a lot of questions open and I think a lot of things have to be done.

We searched the list, and we found little discussion on the subject of trusts. We see occasional questions, but they are often left unanswered, like this one.

If someone could point us to some good up-to-date docs on trusts with samba then we would really appreciate it.

We setup a test environment (one samba 4.9.4 testad2 AD, one native windows 2012 testad1 AD, and a win2012 testclient) to play with trusts, but we have just so many questions, and there is so little material (on trusts, specific to the combination with samba) to read.

Up to this point I did a few installations with two Samba4 Domains.

Both AD domains (testad1 / testad2) are on the same subnet, and my test client can join both domains successfully.

Before you join the domain you should check if you can resolve the SRV-Records of both domains from either side. For this the best thing is to set up a DNS-Proxy between the two domains.

The trust (from samba's side) succeeds 'half' with an error when validating the incoming trust at the end.

Most of the time it's a DNS-problem, so first check the SRV-Records.

Here are some outputs:

root@testad2dc:/var/log/samba# samba-tool domain trust create TESTAD1.company.com  -U TESTAD1\\administrator
LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]

Password for [TESTAD1\administrator]:
RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
Creating remote TDO.
Remote TDO created.
Setting supported encryption types on remote TDO.
Creating local TDO.
Local TDO created
Setting supported encryption types on local TDO.
Validating outgoing trust...
OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
Validating incoming trust...
ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED

root@testad2dc:/var/log/samba# samba-tool domain trust validate testad1
LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
LocalTDO Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK]
RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]

ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to connect netlogon server - ERROR(0xC0000034) - The object name is not found.

Did you check the DNS?

root@testad2dc:/var/log/samba# samba-tool domain trust list
Type[External] Transitive[No]  Direction[BOTH] Name[testad1.company.com]

root@testad2dc:/var/log/samba# samba-tool domain trust show testad1
LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
TrustedDomain:

NetbiosName:    TESTAD1
DnsName:        testad1.company.com
SID:            S-1-5-21-2509583006-2398556320-3264531554
Type:           0x2 (UPLEVEL)
Direction:      0x3 (BOTH)
Attributes:     0x4 (QUARANTINED_DOMAIN)
PosixOffset:    0x00000000 (0)
kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
root@testad2dc:/var/log/samba# wbinfo --online-status
BUILTIN : active connection
TESTAD2 : active connection
TESTAD1 : active connection

root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1

root@testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
TESTAD2\administrator
TESTAD2\guest
TESTAD2\krbtgt
TESTAD2\testuser

On the windows 2012 testad1 side, we do NOT see the trust relation listed under "Active directory domains and trusts". Trusted remote users are not shown with wbinfo.

wbinfo will NOT show you the users from the other domain, this is disabled.

For the rest there are some options to the "samba-tool domain trust create" command that make us wonder:

--quarantined=yes|no (seems to be talking about SID filtering, whereas the release notes always mention that NO filtering is done..?)

You can set it but (at the moment) it's ignored ;-)

--create-location=LOCATION (we wonder what is to be created local or on both places)

So... many questions and so little to read... Pointers, ideas..?

The only way I used the trusts so far is setting up a full trust. I've written an article in a German magazine about trusts. It's a little "how to" to create a working trust.

Thanks in advance!

MJ

If you set up a full forest-trust you can put users from any domain to the other domain and set permissions on fileservers and use the resources.




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba