[Samba] Samba4 Domain Trust: which direction?

Henrik Langos hlangos-samba at innominate.com
Thu Jul 3 04:44:00 MDT 2014


On 07/01/14 21:55, Klaus Hartnegg wrote:
> On 30.06.2014 22:47, Robert Bilbrey wrote:
>> Can two Samba AD domains trust each other, just for look ups
>> so that a workstation can be a member of both domains?
>
> "Each other" implies bidirectional trust. If the info in the FAQ is 
> still correct, then this is not yet possible.
>
> Also it would require moving from internal DNS server to bind, because 
> trust requires DNS resolving of the other domain. This is difficult 
> when each DC runs its own DNS server, and all info about the domain is 
> only stored there. Windows server can do this with a Conditional 
> Forwarder in the DNS server. But the internal DNS server of Samba 4 
> can handle only one single forwarder, and that is usually already used 
> to resolve the rest of the world.
>
Hi Klaus,

You could solve the DNS issue simply by having a third (non-samba) DNS 
server.
Both samba servers can keep using their internal DNS and use that third 
server as forwarder.

The third server will need some glue records and some knowledge of those 
domains, but that is rather simple.

# cat named.conf
...
// our own name resolution
zone "lan" {
         type master;
         file "/etc/bind/db.lan";
         allow-update { none; };
};

//domain A
zone "doma.lan" {
         type forward;
         forward only;
         forwarders {10.1.0.1;};
};

zone "1.10.IN-ADDR.ARPA." {
         type forward;
         forward only;
         forwarders {10.1.0.1;};
};

//domain B
zone "domb.lan" {
         type forward;
         forward only;
         forwarders {10.2.0.1;};
};

zone "2.10.IN-ADDR.ARPA." {
         type forward;
         forward only;
         forwarders {10.2.0.1;};
};
...

options {
         directory "/var/cache/bind";

         forwarders {
                 //google
                 8.8.8.8;
                 8.8.4.4;
         };
...
};


# cat db.lan
...
;; sub-domain definitions (see also named.conf.local)

doma.lan.                   IN      NS     ns.doma.lan.
ns.doma.lan.              IN      A      10.1.0.1 ; 'glue' record

domb.lan.                   IN      NS     ns.domb.lan.
ns.domb.lan.              IN      A      10.2.0.1 ; 'glue' record


That still leaves the trust issues unresolved, but at least DNS-wise you 
should be OK.

cheers
-henrik
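A sanity check I would run against such a setup, added here as an example and not part of Henrik's mail: it parses the forward zones out of named.conf and the NS/glue lines out of db.lan, then reports any forwarder that does not match the glue address of the delegated zone or that sits outside its own reverse zone. The two config strings are constructed from the excerpts above.

```python
import re

# Constructed excerpts modelled on the config quoted in the mail, not the author's real files
NAMED_CONF = """
zone "doma.lan" { type forward; forward only; forwarders {10.1.0.1;}; };
zone "1.10.IN-ADDR.ARPA." { type forward; forward only; forwarders {10.1.0.1;}; };
zone "domb.lan" { type forward; forward only; forwarders {10.2.0.1;}; };
zone "2.10.IN-ADDR.ARPA." { type forward; forward only; forwarders {10.2.0.1;}; };
"""
DB_LAN = """
doma.lan.     IN  NS  ns.doma.lan.
ns.doma.lan.  IN  A   10.1.0.1 ; 'glue' record
domb.lan.     IN  NS  ns.domb.lan.
ns.domb.lan.  IN  A   10.2.0.1 ; 'glue' record
"""
# zone "name" { ... }; allowing one level of nested braces (the forwarders list)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;')

def forward_zones(conf):
    """Map each 'type forward' zone (lowercase, no trailing dot) to its forwarder IPs."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        if re.search(r'type\s+forward\s*;', body):
            m = re.search(r'forwarders\s*\{([^}]*)\}', body)
            ips = [t.strip() for t in m.group(1).split(';') if t.strip()] if m else []
            zones[name.lower().rstrip('.')] = ips
    return zones

def glue_records(zonefile):
    """Map (owner, rtype) to the rdata list of the NS and A lines in a zone file."""
    recs = {}
    for line in zonefile.splitlines():
        f = line.split(';', 1)[0].split()  # strip ';' comments
        if len(f) >= 4 and f[1].upper() == 'IN' and f[2].upper() in ('NS', 'A'):
            key = (f[0].lower().rstrip('.'), f[2].upper())
            recs.setdefault(key, []).append(f[3].lower().rstrip('.'))
    return recs

def check(conf, zonefile):
    """Return the problems found; an empty list means forwarders and glue agree."""
    problems, recs = [], glue_records(zonefile)
    for zone, fwd in forward_zones(conf).items():
        if zone.endswith('.in-addr.arpa'):
            # 1.10.in-addr.arpa covers 10.1.0.0/16, so its forwarder should sit inside 10.1.
            prefix = '.'.join(reversed(zone[:-13].split('.'))) + '.'
            problems += [f"{zone}: forwarder {ip} outside reverse zone" for ip in fwd if not ip.startswith(prefix)]
        else:
            glue = [ip for h in recs.get((zone, 'NS'), []) for ip in recs.get((h, 'A'), [])]
            problems += [f"{zone}: forwarder {ip} not matched by NS glue {glue}" for ip in fwd if ip not in glue]
    return problems
```

Run check() on the real named.conf and db.lan contents after every change to either DC's address; a non-empty list means the third server will hand out or forward to the wrong place for one of the domains.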

