[Samba] Testing forest trusts in a Samba 4.4.5 AD environment

Alex Crow acrow at integrafin.co.uk
Mon Jul 11 12:55:44 UTC 2016


Hi List,

I am currently testing inter-forest trusts between a pair of AD domains. 
All DCs and member servers are using Sernet Samba 4.4.5.

I have set up conditional forwarding in my Bind setup (I'm using 
BIND9_DLZ) and all machines can resolve each other. On the DCs, I can 
see users from the other side of the trust using wbinfo -u 
--domain=<other domain>. In addition if I set up ID mapping in smb.conf 
on the DCs, getent group/password work fine (using winbind in 
nsswitch.conf).

There are two parts I'm struggling to get working. On member servers 
(file servers in my case), even with an ID mapping set up in smb.conf, 
wbinfo -u --domain=<other domain> returns nothing, and I see errors in 
log.wb-<domain>:

[2016/07/11 13:48:25.449458,  0] 
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
   gss_init_sec_context failed with [ Miscellaneous failure (see text): 
Key version is not available]
[2016/07/11 13:48:25.449700,  0] 
../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
internal error occurred.
[2016/07/11 13:48:26.015483,  0] 
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
   gss_init_sec_context failed with [ Miscellaneous failure (see text): 
Key version is not available]
[2016/07/11 13:48:26.444479,  0] 
../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
   gss_init_sec_context failed with [ Miscellaneous failure (see text): 
Key version is not available]
[2016/07/11 13:48:26.444610,  0] 
../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
internal error occurred

Understandably getent fails here too. Here's an example smb.conf from a 
member server:

[global]

    workgroup = AAA_NET
    realm = samba.aaa.net
    netbios name = S4FILES
    security = ADS
    #bind interfaces only = yes
    #interfaces = eth0, lo
    #dedicated keytab file = /etc/krb5.keytab
    #kerberos method = secrets and keytab
    idmap_ldb:use rfc2307 = yes
    clustering = yes
    #private dir = /mfs/ctdb/private

    idmap config *:backend = tdb
    idmap config *:range = 200000-300000
    idmap config AAA_NET:backend = ad
    idmap config AAA_NET:default = yes
    idmap config AAA_NET:schema_mode = rfc2307
    idmap config AAA_NET:range = 500-199999

    idmap config BBB:backend = rid
    idmap config BBB:range = 3000000-3100000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes

The other issue I have is when trying to work with accounts from the 
other side of the trust within Windows. For instance, when trying to add 
a user from the "other" domain to permissions on a directory, I can 
indeed select the accounts in the picker, get prompted for credentials 
on the other domain, but at the final step get an error: "The Active 
Directory Domain Controllers required to find the selected objects in 
the following domains are not available: samba.bbb.net. Ensure the 
Active Directory Domain Controllers are available, and try to select the 
objects again".

Now I'm aware that it's early days for trusts in AD with Samba, but I'm 
curious if there is something I'm missing here or others may have got 
further than I have.

Many thanks

Alex
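The log.wb-<domain> entries quoted in the post are easier to triage when the multi-line Samba log format is parsed into records and the GSSAPI failure reasons are counted, rather than read by eye. The following is an added example (not code from the post or from Samba) that does this; the sample log is constructed from the quoted entries, restored to Samba's on-disk layout where the "[timestamp, level] file:line(function)" header sits on one line and the message follows on indented lines.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the entries quoted in the post, in Samba's on-disk layout
# (the mail client had wrapped each header after the "0]").
SAMPLE_LOG = """\
[2016/07/11 13:48:25.449458,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available]
[2016/07/11 13:48:25.449700,  0] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.
[2016/07/11 13:48:26.015483,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available]
[2016/07/11 13:48:26.444479,  0] ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
  gss_init_sec_context failed with [ Miscellaneous failure (see text): Key version is not available]
[2016/07/11 13:48:26.444610,  0] ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred
"""

# Header: "[YYYY/MM/DD HH:MM:SS.usec,  level] path:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)$"
)
# The bracketed reason Samba prints after a failed gss_init_sec_context call.
GSS_FAIL = re.compile(r"gss_init_sec_context failed with \[(?P<reason>[^\]]*)\]")

@dataclass
class Entry:
    ts: str
    level: int
    func: str
    message: str

def parse_samba_log(text):
    """Group each header line with its indented continuation lines into one Entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["func"], ""))
        elif entries and line.startswith(" "):
            cur = entries[-1]
            cur.message = (cur.message + " " + line.strip()).strip()
    return entries

def gss_failure_reasons(entries):
    """Count distinct GSSAPI failure reasons, whitespace-normalised so wrapped copies match."""
    reasons = Counter()
    for e in entries:
        m = GSS_FAIL.search(e.message)
        if m:
            reasons[" ".join(m["reason"].split())] += 1
    return reasons
```

Feeding a real log.wb-<domain> file to parse_samba_log gives a quick count of how often each Kerberos reason recurs and from which Samba function, which is the first thing to compare between a DC where the trust works and a member server where it does not.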