[Samba] Testing a forest trusts in Samba 4.4.5 AD environment

mathias dufresne infractory at gmail.com
Tue Jul 12 08:36:30 UTC 2016


Hi Alex,

Nice information about forest type.
Regarding listing domain users, have you tried to set up samba with:
   winbind use default domain = no?

2016-07-11 19:50 GMT+02:00 Alex Crow <acrow at integrafin.co.uk>:

>
>
> On 11/07/16 13:55, Alex Crow wrote:
> > Hi List,
> >
> > I am currently testing inter-forest trusts between a pair of AD
> > domains. All DCs and member servers are using Sernet Samba 4.4.5.
> >
> > I have set up conditional forwarding in my Bind setup (I'm using
> > BIND9_DLZ) and all machines can resolve each other. On the DCs, I can
> > see users from the other side of the trust using wbinfo -u
> > --domain=<other domain>. In addition if I set up ID mapping in
> > smb.conf on the DCs, getent group/password work fine (using winbind in
> > nsswitch.conf).
> >
> > There are two parts I'm struggling to get working. On member servers
> > (file servers in my case), even with an ID mapping set up in smb.conf,
> > wbinfo -u --domain=<other domain> returns nothing, and I see errors in
> > log.wb-<domain>:
> >
> > [2016/07/11 13:48:25.449458,  0]
> > ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ Miscellaneous failure (see text):
> > Key version is not available]
> > [2016/07/11 13:48:25.449700,  0]
> > ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
> > internal error occurred.
> > [2016/07/11 13:48:26.015483,  0]
> > ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ Miscellaneous failure (see text):
> > Key version is not available]
> > [2016/07/11 13:48:26.444479,  0]
> > ../source3/librpc/crypto/gse.c:341(gse_get_client_auth_token)
> >   gss_init_sec_context failed with [ Miscellaneous failure (see text):
> > Key version is not available]
> > [2016/07/11 13:48:26.444610,  0]
> > ../source3/libads/sasl.c:773(ads_sasl_spnego_bind)
> >   kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An
> > internal error occurred
> >
> > Understandably getent fails here too. Here's an example smb.conf from
> > a member server:
> >
> > [global]
> >
> >         workgroup = AAA_NET
> >         realm = samba.aaa.net
> >         netbios name = S4FILES
> >         security = ADS
> >         #bind interfaces only = yes
> >         #interfaces = eth0, lo
> >         #dedicated keytab file = /etc/krb5.keytab
> >         #kerberos method = secrets and keytab
> >         idmap_ldb:use rfc2307 = yes
> >         clustering = yes
> >         #private dir = /mfs/ctdb/private
> >
> >         idmap config *:backend = tdb
> >         idmap config *:range = 200000-300000
> >         idmap config AAA_NET:backend = ad
> >         idmap config AAA_NET:default = yes
> >         idmap config AAA_NET:schema_mode = rfc2307
> >         idmap config AAA_NET:range = 500-199999
> >
> >         idmap config BBB:backend = rid
> >         idmap config BBB:range = 3000000-3100000
> >
> >         winbind nss info = rfc2307
> >         winbind trusted domains only = no
> >         winbind use default domain = yes
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         winbind refresh tickets = Yes
> >
> > The other issue I have is when trying to work with accounts from the
> > other side of the trust within Windows. For instance, when trying to
> > add a user from the "other" domain to permissions on a directory, I
> > can indeed select the accounts in the picker, get prompted for
> > credentials on the other domain, but at the final step get an error:
> > "The Active Directory Domain Controllers required to find the selected
> > objects in the following domains are not available: samba.bbb.net.
> > Ensure the Active Directory Domain Controllers are available, and try
> > to select the objects again".
> >
> > Now I'm aware that it's early days for trusts in AD with Samba, but
> > I'm curious if there is something I'm missing here or others may have
> > got further than I have.
> >
> > Many thanks
> >
> > Alex
> > --
>
> I've had another go at this by deleting and recreating the trust
> without --type=forest. It makes a slight improvement, in that:
>
> 1) I can assign permissions on files/directories served up by DCs
> without the "DCs not available" issue, whereas with --type=forest I got
> it even on DCs.
> 2) I can log in to a domain client W7 VM with an account from the trust
> domain
>
> However, I still can't see any accounts on Samba member servers via
> wbinfo -u --domain=<otherdom>, or with getent, and now after adding
> permissions on a directory in domain "AAA" to a user in "BBB", when I
> check the properties->Security from a windows machine in domain BBB, the
> ACL entry shows "Unknown SID", even though it is clearly a SID in Domain
> "BBB".
>
> I hope this helps...
>
> Thanks again
>
> Alex
>
>
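As an added example (not code from this thread and not part of Samba), here is a small Python checker that parses an smb.conf like the one quoted above and reports the things worth verifying on a member server that participates in a trust: that every `idmap config` domain declares both a backend and a range, that no two ID ranges overlap, that each trusted domain has an explicit mapping rather than silently falling back to the `*` default backend, and how `winbind use default domain` is set (the setting mathias suggests changing). The embedded sample config is constructed from the member-server config Alex posted, trimmed to the relevant lines; the function names and the `trusted_domains` parameter are my own.

```python
import re

# Constructed sample: trimmed from the member-server smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = AAA_NET
        realm = samba.aaa.net
        security = ADS
        #kerberos method = secrets and keytab
        idmap config *:backend = tdb
        idmap config *:range = 200000-300000
        idmap config AAA_NET:backend = ad
        idmap config AAA_NET:schema_mode = rfc2307
        idmap config AAA_NET:range = 500-199999
        idmap config BBB:backend = rid
        idmap config BBB:range = 3000000-3100000
        winbind use default domain = yes
        winbind enum users = yes
"""

IDMAP_RE = re.compile(r"^idmap config (?P<domain>[^:]+):(?P<option>.+)$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def idmap_config(global_section):
    """Group 'idmap config <domain>:<option>' keys per domain, e.g. {'BBB': {'backend': 'rid', 'range': ...}}."""
    domains = {}
    for key, value in global_section.items():
        m = IDMAP_RE.match(key)
        if m:
            domain = m.group("domain").strip().upper()
            domains.setdefault(domain, {})[m.group("option").strip()] = value
    return domains


def parse_range(text):
    """'500-199999' -> (500, 199999)."""
    lo, hi = text.split("-", 1)
    return int(lo), int(hi)


def find_overlaps(domains):
    """Return (a, b) pairs of domains whose ID ranges intersect; ranges must be disjoint."""
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                overlaps.append((a, b))
    return overlaps


def check_member_server(text, trusted_domains):
    """Return a list of human-readable findings for a member-server smb.conf."""
    g = parse_smb_conf(text).get("global", {})
    domains = idmap_config(g)
    findings = []
    for d, opts in domains.items():
        for required in ("backend", "range"):
            if required not in opts:
                findings.append(f"idmap config {d}: missing '{required}'")
    for a, b in find_overlaps(domains):
        findings.append(f"idmap ranges for {a} and {b} overlap")
    for t in trusted_domains:
        if t.upper() not in domains:
            findings.append(f"trusted domain {t} has no idmap config; "
                            "IDs will be allocated from the '*' default backend")
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        findings.append("winbind use default domain = yes: unqualified names are treated as "
                        "local-domain names; try 'no' when listing users of a trusted domain")
    return findings


if __name__ == "__main__":
    for finding in check_member_server(SAMPLE_SMB_CONF, ["BBB"]):
        print("-", finding)
```

Run it against a real file with `check_member_server(open("/etc/samba/smb.conf").read(), ["BBB"])`; an empty result means the static checks pass, after which `wbinfo -u --domain=BBB` and `getent passwd` remain the live tests, as in the thread.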
