[Samba] one-way trust btw SambaAD and WinSrv AD
Andreas Paulick
paulick at faro.de
Mon Jun 19 15:08:37 UTC 2023
Hello,
I'm trying to set up a trust between two separate domains with a
one-way trust.
First, the overview (Domains, servers, IPs):
Setting: Sernet-Samba 4.9.1 with bind9-DLZ against bind9.10.3
as file + AD server = srv01, domain = my.local
Foreign domain: Windows 2016 with FL 2012R2, AD server = dc01, domain =
foreign.local
TCP/IP connections are working between both subnets, e.g. http, ssh, ...
+---------------+                    +--------------------+
|               |                    |                    |
|   Domain 1    |  +-------------->  |      Domain 2      |
|   my.local    |       1-way        |   foreign.local    |
|               |       Trust        |                    |
+-------+-------+                    +-------+------------+
        ^                                    ^
        |                                    |
+-------+-------+                    +-------+------------+
|srv01.my.local |                    | dc01.foreign.local |
|192.168.1.21   |                    | 192.168.200.10     |
+-------+-------+                    +-------+------------+
On the AD server of Domain 1, I typed in (and got):
---code---
root at srv01:/etc# samba-tool domain trust create foreign.local
--type=external --direction=outgoing --create-location=local -d3
**New Outgoing Trust Password:
**Retype Outgoing Trust Password:
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncalrpc:SRV01[,auth_type=ncalrpc_as_system]
**LocalDomain Netbios[FARO] DNS[my.local]
SID[S-1-5-21-2559140846-275273017-4092053332]
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.foreign.local<0x0>
**RemoteDC Netbios[DC01] DNS[DC01.foreign.local]
ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,__unknown_00038000__]
Using binding ncacn_np:DC01.foreign.local
resolve_lmhosts: Attempting lmhosts lookup for name DC01.foreign.local<0x20>
Server cifs/DC01.foreign.local at FOREIGN.LOCAL is not registered with our
KDC: Miscellaneous failure (see text): Server
(krbtgt/FOREIGN.LOCAL at MY.LOCAL) unknown
gensec_spnego_client_negTokenInit_step: gssapi_krb5: creating
NEG_TOKEN_INIT for cifs/DC01.foreign.local failed (next[ntlmssp]):
NT_STATUS_INVALID_PARAMETER
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
**Password for [Administrator at MY.LOCAL]:
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
**ERROR: REMOTE_DC[DC01.foreign.local]: failed to connect lsa server -
ERROR(0xC000006D) - The attempted logon is invalid. This is either due
to a bad username or authentication information.
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
2429, in run
remote_lsa = self.new_remote_lsa_connection()
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
1856, in new_remote_lsa_connection
return lsa.lsarpc(self.remote_binding_string, self.local_lp,
self.remote_creds)
---/code---
(the ** lines appear if I don't give -d 3)
samba-tool domain trust create asks (twice) for a password for a trust
account created on DC01.
Then it asks for the Administrator password of my domain.
On the Windows side, I get an "event 4625" with an authorization attempt as
Administrator at MY.LOCAL
(see the XML event export below).
Why? Shouldn't this be the trust account? Am I doing something wrong? I
haven't found many useful tips, only a PDF from Stefan Kaina.
Maybe I haven't found the right documentation?
The domains and their AD DCs work without errors on their own; the
additional DNS entries are tested.
This is the view from srv01.my.local:
---code---
root at srv01:/etc# host -t SRV _kerberos._tcp.my.local
_kerberos._tcp.my.local has SRV record 0 100 88 srv01.my.local.
root at srv01:/etc# host -t SRV _ldap._tcp.foreign.local
_ldap._tcp.foreign.local has SRV record 0 100 389 dc01.foreign.local.
root at srv01:/etc# host -t SRV _kerberos._tcp.foreign.local
_kerberos._tcp.foreign.local has SRV record 0 100 88 dc01.foreign.local.
root at srv01:/etc# kinit Administrator
Password for Administrator at MY.LOCAL:
root at srv01:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at MY.LOCAL
Valid starting       Expires              Service principal
19.06.2023 12:22:35  19.06.2023 22:22:35  krbtgt/MY.LOCAL at MY.LOCAL
        renew until 20.06.2023 12:22:31
root at srv01:/etc# ldbsearch -H /var/lib/samba/private/sam.ldb
'(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS
Settings,CN=SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local
objectGUID: 90af7026-2039-41b1-bfac-2287380ebb44
# returned 1 records
# 1 entries
# 0 referrals
root at srv01:/etc# samba-tool dns zonelist my.local -U Administrator
Password for [FARO\Administrator]:
3 zone(s) found
pszZoneName : my.local
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED
DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.my.local
pszZoneName : foreign.local
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED
DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.my.local
pszZoneName : _msdcs.my.local
Flags : DNS_RPC_ZONE_DSINTEGRATED
DNS_RPC_ZONE_UPDATE_SECURE
ZoneType : DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.my.local
root at srv01:/etc# testparm
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[sysvol]"
Processing section "[netlogon]"
Processing section "[users]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[space]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
# Global parameters
[global]
allow dns updates = nonsecure and secure
allow insecure wide links = Yes
bind interfaces only = Yes
dns forwarder = 192.168.1.23
interfaces = lo ens192
kpasswd port = 0
ldap server require strong auth = No
load printers = No
log file = /var/log/samba/%M.log
logon drive = Z:
logon home = \\%L\%U
logon script = netlogon-%M.bat
max log size = 200000
os level = 99
passdb backend = samba_dsdb
preferred master = Yes
printcap cache time = 770
printcap name = cups
realm = MY.LOCAL
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
time server = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
workgroup = MY
rpc_server:tcpip = no
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
access based share enum = Yes
acl allow execute always = Yes
cups options = raw
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
hide unreadable = Yes
level2 oplocks = No
map acl inherit = Yes
map archive = No
oplocks = No
read only = No
vfs objects = acl_xattr
[sysvol]
path = /var/lib/samba/sysvol
[netlogon]
comment = NetLogon Service. Technikbereich
path = /var/lib/samba/sysvol/my.local/scripts
[users]
comment = Homedirs. Drive Z:
path = /home/users/
wide links = Yes
[profiles]
create mask = 02777
directory mask = 02777
force user = %U
guest ok = Yes
path = /home/profiles
valid users = %U "Domain Admins"
wide links = Yes
[printers]
browseable = No
comment = All Printers
create mask = 0600
guest ok = Yes
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
path = /var/tmp
printable = Yes
print command = lpr -r -P'%p' %s
printing = bsd
[print$]
comment = Printer Drivers
create mask = 0666
directory mask = 0777
guest ok = Yes
path = /var/lib/samba/drivers/
write list = @ntadmin root administrator @users
[space]
comment = ServerSpace. Drive H:
create mask = 0777
directory mask = 0777
force create mode = 0777
force directory mode = 0777
path = /smb/space
valid users = @locals
wide links = Yes
---/code---
Here are copies of some relevant files:
/etc/krb5.conf:
[libdefaults]
default_realm = MY.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
/etc/resolv.conf:
search my.local
nameserver 192.168.1.21
nameserver 192.168.200.10
nameserver 194.25.2.129
The Event 4625 XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2023-06-19T11:11:06.751282100Z" />
<EventRecordID>207808901</EventRecordID>
<Correlation />
<Execution ProcessID="672" ThreadID="4664" />
<Channel>Security</Channel>
<Computer>DC01.foreign.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Administrator at MY.LOCAL</Data>
<Data Name="TargetDomainName"></Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">SRV01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.168.1.21</Data>
<Data Name="IpPort">43912</Data>
</EventData>
</Event>
greetings
Andy
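The two pieces of evidence in the post, the event 4625 record on DC01 and the two NTLMSSP neg_flags values from the -d3 run, can be decoded mechanically. The script below is an added example for this archive page; it is not part of Andy's post and not Samba's or Microsoft's code. The embedded event XML is a constructed, trimmed copy of the record quoted above with the archive's " at " written back as "@"; the NTSTATUS names and the NegotiateFlags bit table are the published MS-ERREF / MS-NLMP values, and the finding texts are this example's own wording.

```python
"""Decode a Windows Security event 4625 plus Samba's NTLMSSP neg_flags.

Added example; not from the original mailing-list post or from Samba.
SAMPLE_EVENT_4625 is a constructed, trimmed copy of the event quoted in
the post; CHALLENGE_FLAGS / FINAL_FLAGS are the two neg_flags values from
the samba-tool -d3 output.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes that show up in the Status / SubStatus fields of 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# NTLMSSP NegotiateFlags bits (MS-NLMP), low bit first.
NTLMSSP_FLAGS = [
    (0x00000001, "NEGOTIATE_UNICODE"), (0x00000002, "NEGOTIATE_OEM"),
    (0x00000004, "REQUEST_TARGET"), (0x00000010, "NEGOTIATE_SIGN"),
    (0x00000020, "NEGOTIATE_SEAL"), (0x00000040, "NEGOTIATE_DATAGRAM"),
    (0x00000080, "NEGOTIATE_LM_KEY"), (0x00000200, "NEGOTIATE_NTLM"),
    (0x00000800, "ANONYMOUS"), (0x00001000, "OEM_DOMAIN_SUPPLIED"),
    (0x00002000, "OEM_WORKSTATION_SUPPLIED"), (0x00008000, "NEGOTIATE_ALWAYS_SIGN"),
    (0x00010000, "TARGET_TYPE_DOMAIN"), (0x00020000, "TARGET_TYPE_SERVER"),
    (0x00080000, "NEGOTIATE_EXTENDED_SESSIONSECURITY"),
    (0x00100000, "NEGOTIATE_IDENTIFY"), (0x00400000, "REQUEST_NON_NT_SESSION_KEY"),
    (0x00800000, "NEGOTIATE_TARGET_INFO"), (0x02000000, "NEGOTIATE_VERSION"),
    (0x20000000, "NEGOTIATE_128"), (0x40000000, "NEGOTIATE_KEY_EXCH"),
    (0x80000000, "NEGOTIATE_56"),
]

CHALLENGE_FLAGS = 0x62898215   # "Got challenge flags" line in the post
FINAL_FLAGS = 0x62088215       # "Set final flags" line in the post

# Constructed copy of the posted event (only the fields used here).
SAMPLE_EVENT_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>DC01.foreign.local</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">Administrator@MY.LOCAL</Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">SRV01</Data>
    <Data Name="IpAddress">192.168.1.21</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one <Event> into a dict: EventID, Computer and every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=EVENT_NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
    }
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        fields[data.get("Name")] = data.text or ""   # empty element -> ""
    return fields


def ntstatus_name(hex_text):
    code = int(hex_text, 16)
    return NTSTATUS.get(code, "unknown NTSTATUS 0x%08X" % code)


def decode_ntlmssp_flags(value):
    """Names of the NegotiateFlags bits set in value."""
    return {name for bit, name in NTLMSSP_FLAGS if value & bit}


def diagnose(fields, challenge_flags, final_flags):
    """Turn the raw fields into findings an AD admin can act on."""
    findings = []
    target = fields.get("TargetUserName", "")
    package = fields.get("AuthenticationPackageName", "").strip()
    dc_domain = fields.get("Computer", "").split(".", 1)[-1].lower()

    findings.append("%s / %s, logon type %s from %s (%s)" % (
        ntstatus_name(fields["Status"]), ntstatus_name(fields["SubStatus"]),
        LOGON_TYPES.get(int(fields["LogonType"]), "?"),
        fields.get("WorkstationName", "?"), fields.get("IpAddress", "?")))
    if package == "NTLM":
        findings.append("authenticated with NTLM, not Kerberos: the client had no "
                        "cross-realm ticket and fell back to NTLMSSP")
    if "@" in target:
        realm = target.rsplit("@", 1)[1].lower()
        if realm != dc_domain and not fields.get("TargetDomainName", "").strip():
            findings.append("UPN %s names realm %s, but %s serves %s and no "
                            "TargetDomainName was supplied" %
                            (target, realm, fields["Computer"], dc_domain))
    if int(fields["SubStatus"], 16) == 0xC0000064:
        findings.append("STATUS_NO_SUCH_USER: the DC has no account matching the "
                        "name it was given; identity problem, not a bad password")
    chal, fin = decode_ntlmssp_flags(challenge_flags), decode_ntlmssp_flags(final_flags)
    if "NEGOTIATE_SIGN" in fin and "NEGOTIATE_128" in fin:
        findings.append("NTLMSSP negotiated signing with 128-bit keys%s; server-only "
                        "challenge flags not echoed by the client: %s" % (
                            " and extended session security"
                            if "NEGOTIATE_EXTENDED_SESSIONSECURITY" in fin else "",
                            ", ".join(sorted(chal - fin))))
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_event(SAMPLE_EVENT_4625), CHALLENGE_FLAGS, FINAL_FLAGS):
        print("-", line)
```

Running it on the embedded record shows the failure as the remote DC sees it: an NTLM network logon from SRV01 (192.168.1.21) for a UPN whose realm is my.local, rejected with STATUS_LOGON_FAILURE / STATUS_NO_SUCH_USER because dc01.foreign.local cannot match that name to any account it knows. The flag diff only separates the server-side challenge flags (TARGET_INFO, TARGET_TYPE_DOMAIN) from what the client echoed; signing, 128-bit keys and extended session security were all negotiated, so the rejection is an identity lookup failure rather than a protocol downgrade.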