[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Nov 22 22:53:44 UTC 2016
I am not sure if this is relevant:
root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainB
Enter DOMAINA$'s password:
Could not connect to server DomainB_DC
Trust to domain DomainB established
root at sambaPDC:~#
root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainC
Enter DOMAINA$'s password:
Could not connect to server DomainC_DC
Trust to domain DomainC established
root at sambaPDC:~#
root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U Administrator
Trusted domains list:
DOMAINA S-1-5-21-xxxx-xxxx-xxxx
DOMAINB S-1-5-21-xxxx-xxxx-xxxx
Trusting domains list:
DOMAINA S-1-5-21-xxxx-xxxx-xxxx
DOMAINB S-1-5-21-xxxx-xxxx-xxxx
I MAY have seen "could not connect to server..." errors in the past
even when trusts did work.
On 11/22/16 13:40, Gaiseric Vandal wrote:
> In summary
>
> * DomainA: Samba classic domain; PDC and BDC are running Samba
> 4.4.7. The PDC is called "SambaPDC."
> * DomainB: Windows AD domain, level 2008, domain controller is
> Windows 2012 or 2012R2 (you are correct that there are not primary
> and backup controllers in AD)
> * DomainC: Windows AD domain, level 2008, domain controllers are
> Windows 2008
>
>
> I need to get trusts established between DomainA and DomainB. (I don't
> actually need trusts between DomainA and DomainC, but hoped it might
> flush out a working configuration)
>
> I cannot set up trusts between DomainA and DomainB in either
> direction. The domain controller of domainB just complains that
> it cannot establish an RPC connection to DomainA's PDC (The PDC on
> domainA has winbind errors relating to domain C.) (On the DomainA
> PDC, wbinfo isn't showing trusted users from domainC and I see errors
> in the winbind log.)
>
> I can partially set up trusts between DomainA and DomainC. The domain
> controller of domainC thinks two way trusts are enabled (can verify
> them) and I am able to grant DomainA users access to files on DomainC
> servers. (On the DomainA PDC, wbinfo isn't showing trusted users from
> domainC and I see errors in the winbind log.)
>
> Wondering if I should have compiled Samba using "--without-ad-dc" option.
>
> On 11/22/16 12:43, Rowland Penny via samba wrote:
>> See inline comments:
>>
>> On Tue, 22 Nov 2016 12:04:57 -0500
>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>
>>> I am trying to configure Samba 4 classic PDC to trust Windows
>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
>>> forest and domain functional levels are still Windows 2008. On the
>>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>>> "The local security authority is unable to obtain an RPC connection
>>> to the active directory domain controller SAMBAPDC."
>> Can we confirm what I think the above means:
>>
>> You have a NT4-style PDC
>> You have 'DomainB' in which there is a Windows 2012 AD DC running as
>> domain functional level 2008 (This is NOT a PDC)
>> You are trying to set up a trust between the PDC and the AD DC
>>
>>>
>>> I have a third domain "DomainC" - the PDC is running Windows
>>> 2008, and the forest and domain functional levels are still Windows
>>> 2008. On that PDC I am able to configure and verify an incoming trust.
>>>
>> Again, you have an AD DC running windows 2008 and you can configure a
>> trust, but you don't say between what.
>>> I am guessing some recent security patch that applies to Windows 2012
>>> but not to Windows 2008 is the issue?
>>>
>> Sounds like it.
>>> Since samba is configured as a classic domain, I would have
>>> expected the Windows 2012 DC to see the samba domain as an NT4 domain.
>>>
>> Should do, but Microsoft seems to be trying to make it harder, see
>> here:
>>
>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>>
>>> I have tried setting the following in smb.conf
>>>
>>> server services = +smb -s3fs
>>> dcerpc endpoint servers = +winreg +srvsvc
>> They will not do anything on a PDC, they are meant for an AD DC
>>
>> Rowland
>>
>
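The `net rpc trustdom` session at the top of this message shows the problem with trusting the "Trust to domain ... established" line: DomainC was reported as established right after "Could not connect to server", yet it never appears in the `trustdom list` output. The following is an added example (not part of this thread or of Samba) that parses output in that shape and reports trusts that are missing, only one-way, or present without having been requested; the sample output and its placeholder SIDs are constructed here.

```python
import re

# Constructed sample in the shape of `net rpc trustdom list` output,
# with placeholder SIDs (these are not real domain SIDs).
SAMPLE_OUTPUT = """\
Trusted domains list:
DOMAINA S-1-5-21-xxxx-xxxx-xxxx
DOMAINB S-1-5-21-xxxx-xxxx-xxxx
Trusting domains list:
DOMAINA S-1-5-21-xxxx-xxxx-xxxx
DOMAINB S-1-5-21-xxxx-xxxx-xxxx
"""

SID_LINE = re.compile(r"(\S+)\s+(S-1-5-21(?:-\w+)+)$")


def parse_trustdom_list(text):
    """Return (trusted, trusting) as {DOMAIN: sid} dicts from the output."""
    sections = {"trusted": {}, "trusting": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("trusted domains list"):
            current = "trusted"
        elif line.lower().startswith("trusting domains list"):
            current = "trusting"
        elif current and line:
            m = SID_LINE.match(line)
            if m:
                sections[current][m.group(1).upper()] = m.group(2)
    return sections["trusted"], sections["trusting"]


def audit_trusts(text, expected, own_domain):
    """Compare the two-way trusts we meant to create with what the PDC lists.

    expected: domains for which `trustdom establish` reported success.
    own_domain: the PDC's own domain, which the list also prints.
    """
    trusted, trusting = parse_trustdom_list(text)
    own = own_domain.upper()
    wanted = {d.upper() for d in expected} - {own}
    listed = (set(trusted) | set(trusting)) - {own}
    both_ways = set(trusted) & set(trusting)
    return {
        "missing": sorted(wanted - listed),        # "established" but absent
        "one_way": sorted(listed - both_ways),     # only trusted or only trusting
        "unexpected": sorted(listed - wanted),     # a trust nobody asked for
    }
```

Running `audit_trusts(SAMPLE_OUTPUT, ["DomainB", "DomainC"], "DomainA")` flags DOMAINC as missing, which is the check worth doing before believing the "established" message.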