[Samba] one-way trust btw SambaAD and WinSrv AD
Stefan Kania
stefan at kania-online.de
Mon Jun 19 17:25:29 UTC 2023
As Rowland already said, Samba 4.9 is old; trusts started working well
with 4.12.
And I hope .local is only used to show what you would like to do. If not, you
will have a lot of problems.
On 19.06.23 at 17:08, Andreas Paulick via samba wrote:
> Hello,
> I'm trying to set up a one-way trust between two separate domains.
>
> First, the overview (Domains, servers, IPs):
>
> Setting: Sernet-Samba 4.9.1 with bind9-DLZ against bind9.10.3
> as file + AD server = srv01, domain = my.local
> Foreign domain: Windows 2016 with FL 2012R2, AD server = dc01, domain =
> foreign.local
> TCP/IP connections are working between both subnets, e.g. http, ssh, ...
>
> +---------------+                  +--------------------+
> |               |                  |                    |
> |   Domain 1    | +--------------> |      Domain 2      |
> |   my.local    |      1-way       |   foreign.local    |
> |               |      Trust       |                    |
> +-------+-------+                  +-------+------------+
>         ^                                  ^
>         |                                  |
> +-------+-------+                  +-------+------------+
> |srv01.my.local |                  | dc01.foreign.local |
> |192.168.1.21   |                  | 192.168.200.10     |
> +-------+-------+                  +-------+------------+
>
> On the AD server of Domain 1, I typed in (and got):
> ---code---
> root at srv01:/etc# samba-tool domain trust create foreign.local
> --type=external --direction=outgoing --create-location=local -d3
> **New Outgoing Trust Password:
> **Retype Outgoing Trust Password:
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncalrpc:SRV01[,auth_type=ncalrpc_as_system]
> **LocalDomain Netbios[FARO] DNS[my.local]
> SID[S-1-5-21-2559140846-275273017-4092053332]
> resolve_lmhosts: Attempting lmhosts lookup for name
> _ldap._tcp.foreign.local<0x0>
> **RemoteDC Netbios[DC01] DNS[DC01.foreign.local]
> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8,__unknown_00038000__]
> Using binding ncacn_np:DC01.foreign.local
> resolve_lmhosts: Attempting lmhosts lookup for name
> DC01.foreign.local<0x20>
> Server cifs/DC01.foreign.local at FOREIGN.LOCAL is not registered with our
> KDC: Miscellaneous failure (see text): Server
> (krbtgt/FOREIGN.LOCAL at MY.LOCAL) unknown
> gensec_spnego_client_negTokenInit_step: gssapi_krb5: creating
> NEG_TOKEN_INIT for cifs/DC01.foreign.local failed (next[ntlmssp]):
> NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> **Password for [Administrator at MY.LOCAL]:
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> **ERROR: REMOTE_DC[DC01.foreign.local]: failed to connect lsa server -
> ERROR(0xC000006D) - The attempted logon is invalid. This is either due
> to a bad username or authentication information.
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 2429, in run
> remote_lsa = self.new_remote_lsa_connection()
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 1856, in new_remote_lsa_connection
> return lsa.lsarpc(self.remote_binding_string, self.local_lp,
> self.remote_creds)
> ---/code---
>
> (the ** lines are what I get if I don't give -d 3)
> samba-tool domain trust create asks (twice) for a password from a trust
> account created on DC01.
> Then it asks for the Administrator password of my domain.
> On the Windows side, I get an "event 4625" for an authorization attempt with
> Administrator at MY.LOCAL.
> (see XML event export below)
> Why? Shouldn't this be the trust account? Am I doing something wrong? I
> haven't found many useful tips, only a PDF from Stefan Kania.
> Maybe I haven't found the right documentation?
>
>
> The domains and their AD DCs work without errors on their own; the
> additional DNS entries are tested.
> This is the view from srv01.my.local:
> ---code---
> root at srv01:/etc# host -t SRV _kerberos._tcp.my.local
> _kerberos._tcp.my.local has SRV record 0 100 88 srv01.my.local.
> root at srv01:/etc# host -t SRV _ldap._tcp.foreign.local
> _ldap._tcp.foreign.local has SRV record 0 100 389 dc01.foreign.local.
> root at srv01:/etc# host -t SRV _kerberos._tcp.foreign.local
> _kerberos._tcp.foreign.local has SRV record 0 100 88 dc01.foreign.local.
>
> root at srv01:/etc# kinit Administrator
> Password for Administrator at MY.LOCAL:
> root at srv01:/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at MY.LOCAL
> Valid starting Expires Service principal
> 19.06.2023 12:22:35 19.06.2023 22:22:35 krbtgt/MY.LOCAL at MY.LOCAL
> renew until 20.06.2023 12:22:31
>
> root at srv01:/etc# ldbsearch -H /var/lib/samba/private/sam.ldb
> '(invocationId=*)' --cross-ncs objectguid
> # record 1
> dn: CN=NTDS
> Settings,CN=SRV01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=local
> objectGUID: 90af7026-2039-41b1-bfac-2287380ebb44
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> root at srv01:/etc# samba-tool dns zonelist my.local -U Administrator
> Password for [FARO\Administrator]:
> 3 zone(s) found
> pszZoneName : my.local
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.my.local
>
> pszZoneName : foreign.local
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.my.local
>
> pszZoneName : _msdcs.my.local
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.my.local
>
>
> root at srv01:/etc# testparm
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> Processing section "[users]"
> Processing section "[profiles]"
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[space]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> # Global parameters
> [global]
> allow dns updates = nonsecure and secure
> allow insecure wide links = Yes
> bind interfaces only = Yes
> dns forwarder = 192.168.1.23
> interfaces = lo ens192
> kpasswd port = 0
> ldap server require strong auth = No
> load printers = No
> log file = /var/log/samba/%M.log
> logon drive = Z:
> logon home = \\%L\%U
> logon script = netlogon-%M.bat
> max log size = 200000
> os level = 99
> passdb backend = samba_dsdb
> preferred master = Yes
> printcap cache time = 770
> printcap name = cups
> realm = MY.LOCAL
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> time server = Yes
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind use default domain = Yes
> workgroup = MY
> rpc_server:tcpip = no
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> access based share enum = Yes
> acl allow execute always = Yes
> cups options = raw
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
> hide unreadable = Yes
> level2 oplocks = No
> map acl inherit = Yes
> map archive = No
> oplocks = No
> read only = No
> vfs objects = acl_xattr
> [sysvol]
> path = /var/lib/samba/sysvol
> [netlogon]
> comment = NetLogon Service. Technikbereich
> path = /var/lib/samba/sysvol/my.local/scripts
> [users]
> comment = Homedirs. Drive Z:
> path = /home/users/
> wide links = Yes
> [profiles]
> create mask = 02777
> directory mask = 02777
> force user = %U
> guest ok = Yes
> path = /home/profiles
> valid users = %U "Domain Admins"
> wide links = Yes
> [printers]
> browseable = No
> comment = All Printers
> create mask = 0600
> guest ok = Yes
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> path = /var/tmp
> printable = Yes
> print command = lpr -r -P'%p' %s
> printing = bsd
> [print$]
> comment = Printer Drivers
> create mask = 0666
> directory mask = 0777
> guest ok = Yes
> path = /var/lib/samba/drivers/
> write list = @ntadmin root administrator @users
> [space]
> comment = ServerSpace. Drive H:
> create mask = 0777
> directory mask = 0777
> force create mode = 0777
> force directory mode = 0777
> path = /smb/space
> valid users = @locals
> wide links = Yes
>
> ---/code---
>
> here are copies of some relevant files:
> /etc/krb5.conf:
> [libdefaults]
> default_realm = MY.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> /etc/resolv.conf:
> search my.local
> nameserver 192.168.1.21
> nameserver 192.168.200.10
> nameserver 194.25.2.129
>
>
> the Event 4625 XML:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="Microsoft-Windows-Security-Auditing"
> Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
> <EventID>4625</EventID>
> <Version>0</Version>
> <Level>0</Level>
> <Task>12544</Task>
> <Opcode>0</Opcode>
> <Keywords>0x8010000000000000</Keywords>
> <TimeCreated SystemTime="2023-06-19T11:11:06.751282100Z" />
> <EventRecordID>207808901</EventRecordID>
> <Correlation />
> <Execution ProcessID="672" ThreadID="4664" />
> <Channel>Security</Channel>
> <Computer>DC01.foreign.local</Computer>
> <Security />
> </System>
> <EventData>
> <Data Name="SubjectUserSid">S-1-0-0</Data>
> <Data Name="SubjectUserName">-</Data>
> <Data Name="SubjectDomainName">-</Data>
> <Data Name="SubjectLogonId">0x0</Data>
> <Data Name="TargetUserSid">S-1-0-0</Data>
> <Data Name="TargetUserName">Administrator at MY.LOCAL</Data>
> <Data Name="TargetDomainName">
> </Data>
> <Data Name="Status">0xc000006d</Data>
> <Data Name="FailureReason">%%2313</Data>
> <Data Name="SubStatus">0xc0000064</Data>
> <Data Name="LogonType">3</Data>
> <Data Name="LogonProcessName">NtLmSsp </Data>
> <Data Name="AuthenticationPackageName">NTLM</Data>
> <Data Name="WorkstationName">SRV01</Data>
> <Data Name="TransmittedServices">-</Data>
> <Data Name="LmPackageName">-</Data>
> <Data Name="KeyLength">0</Data>
> <Data Name="ProcessId">0x0</Data>
> <Data Name="ProcessName">-</Data>
> <Data Name="IpAddress">192.168.1.21</Data>
> <Data Name="IpPort">43912</Data>
> </EventData>
> </Event>
>
> greetings
> Andy
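The failure the thread turns on is visible in the two logs quoted above: on srv01 the Kerberos step fails with "Server (krbtgt/FOREIGN.LOCAL at MY.LOCAL) unknown" (expected, since no trust exists yet), GENSEC then falls back to NTLM with the default local credentials, and DC01 logs event 4625 with Status 0xC000006D and SubStatus 0xC0000064 for the name "Administrator at MY.LOCAL", an account the foreign DC cannot know. The script below is an added example for this thread, not code from the original post or from Samba: it parses a 4625 event (XML constructed from the poster's export, not a verbatim copy) and decodes Status, SubStatus, LogonType and the authentication package using the NTSTATUS values from MS-ERREF, so the same triage can be run over a directory of exported events. The practical consequence for the samba-tool command: the password prompted for Administrator at MY.LOCAL is the local DC's; the remote DC needs an account it knows, which samba-tool takes through its remote-DC credential options (check `samba-tool domain trust create --help` on your version for the exact option names).

```python
"""Triage a Windows Security event 4625 logged on the remote DC while
`samba-tool domain trust create` fails.

Added example for this thread; not code from the original post or from
Samba. The XML sample is constructed from the fields the poster showed.
The NTSTATUS and LogonType tables are the standard values documented by
Microsoft (MS-ERREF and the 4625 event reference).
"""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values that commonly appear as 4625 Status / SubStatus.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE: bad user name or authentication information",
    0xC0000064: "STATUS_NO_SUCH_USER: the account is unknown to this DC",
    0xC000006A: "STATUS_WRONG_PASSWORD: account exists, password wrong",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
              7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
              10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed from the event the poster pasted (trimmed, not a verbatim export).
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <Computer>DC01.foreign.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrator@MY.LOCAL</Data>
    <Data Name="TargetDomainName"></Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">SRV01</Data>
    <Data Name="IpAddress">192.168.1.21</Data>
  </EventData>
</Event>"""


def parse_4625(xml_text):
    """Return the EventData fields (plus Computer) of a 4625 event as a dict."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=EVT_NS)
    if event_id != "4625":
        raise ValueError("not a 4625 event: EventID=%r" % event_id)
    fields = {}
    for d in root.findall("e:EventData/e:Data", EVT_NS):
        fields[d.get("Name")] = (d.text or "").strip()
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=EVT_NS) or ""
    return fields


def triage(fields):
    """Decode the status codes and state what the failing DC actually saw."""
    status = int(fields["Status"], 16)
    sub = int(fields["SubStatus"], 16)
    user = fields.get("TargetUserName", "")
    domain = fields.get("TargetDomainName", "")
    result = {
        "dc": fields.get("Computer", ""),
        "user": user,
        "logon_type": LOGON_TYPE.get(int(fields.get("LogonType", "0")), "unknown"),
        "package": fields.get("AuthenticationPackageName", ""),
        "source": "%s (%s)" % (fields.get("WorkstationName", ""), fields.get("IpAddress", "")),
        "status": NTSTATUS.get(status, "0x%08X" % status),
        "substatus": NTSTATUS.get(sub, "0x%08X" % sub),
        "findings": [],
    }
    # SubStatus is the precise reason; Status alone is the generic logon failure.
    if sub == 0xC0000064:
        result["findings"].append(
            "the account name does not exist on %s: the caller presented credentials "
            "from a domain this DC cannot resolve" % result["dc"])
    # UPN-style name over NTLM with an empty target domain: Kerberos was not used,
    # so the receiving DC had to resolve the name on its own.
    if result["package"] == "NTLM" and "@" in user and not domain:
        result["findings"].append(
            "NTLM with a UPN-style name and empty TargetDomainName: Kerberos was not "
            "used, so %s had to look up %s locally" % (result["dc"], user))
    return result


if __name__ == "__main__":
    for key, value in triage(parse_4625(SAMPLE_4625)).items():
        print("%-11s %s" % (key + ":", value))
```

The findings for the sample event are the two points above: SubStatus NO_SUCH_USER on DC01 and an NTLM logon with a UPN-style name from SRV01 (192.168.1.21), which matches the "Got NTLMSSP neg_flags" fallback lines in the samba-tool -d3 output. When exporting several events from the DC, feed each `<Event>` element to `parse_4625` and group by `substatus`; wrong-password and unknown-user failures then separate cleanly.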