[Samba] Problem create trust between Samba AD and MS Windows AD.

Shkaruba Andrey ShkarubaA at yandex.ru
Sat Jan 6 19:48:40 UTC 2024


Hello.

I faced the problem of building trust between Samba AD and MS Windows
AD.

On Ubuntu 23.10 (IP address 10.10.28.223/24), with Samba 4.18.6 installed
from the base repository, the domain smbub.test was deployed. The command
used to deploy it:
samba-tool domain provision --use-rfc2307 --realm=smbub.test --domain=SMBUB --server-role=dc --dns-backend=BIND9_DLZ --backend-store=mdb --backend-store-size=32Gb --adminpass=testL\@B

In Microsoft Windows Server 2016 Standard Version 1607, Build 14393.447
(IP address 10.10.28.227/24) was deployed domain adwin.loc. A user
"truster" has been created in it with the rights of administrators,
domain administrators, and enterprise administrators. No policies were
tuned.

Both domain controllers are located on the same network segment, there
is no firewall between them. Both domain controllers have forward zones
configured to each other. DNS records of type A and SRV of both domains
are resolved equally on both domain controllers.

I'm building the trust between the domains:
samba-tool domain trust create adwin.loc --type=external --direction=both --create-location=both -U truster@ADWIN.LOC

Trust is built, but a validation error occurs.
Validating outgoing trust...
OK: LocalValidation: DC[\\dc01.adwin.loc] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
Validating incoming trust...
ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED

As a result, on a PC entered into SMBUB.TEST, you can log in with an
account from ADWIN.LOC, but on a PC entered into ADWIN.LOC it's
impossible to log in with a user from the SMBUB.TEST domain.

I installed updates on the ADWIN.LOC domain controller:
[01]: KB3199986
[02]: KB4589210
[03]: KB5012170
[04]: KB5032391
[05]: KB5033373
As a result, the Windows Server build becomes 14393.6529. But the error
of building trust persists.

The trust is built between Samba AD and Samba AD. The trust is built
between MS Windows AD and MS Windows.

Please help me to fix the error.
 
https://disk.yandex.ru/d/s8AXt5m6JTGbDw
In the link:

trust_add_d5.txt - log of trust building with log-level 5

trust_add_d16.txt - log of trust building with log-level 16

samba_d5.tar.xz - log of samba with log level 5

samba_d16.tar.xz - log of samba with log level 16

config.tar.xz - archive with Samba, Bind9 and Krb5 configs


