[Samba] Samba 4 "Classic PDC" trusts fail with Win 2012 domain but succeed Win 2008

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Nov 22 22:53:44 UTC 2016


I am not sure if this is relevant

    root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainB

    Enter DOMAINA$'s password:
    Could not connect to server DomainB_DC
    Trust to domain DomainB established
    root at sambaPDC:~#


    root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom establish DomainC

    Enter DOMAINA$'s password:
    Could not connect to server DomainC_DC
    Trust to domain DomainC established
    root at sambaPDC:~#


    root at sambaPDC:~# /usr/local/samba/bin/net rpc trustdom list -U Administrator
    Trusted domains list:

    DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
    DOMAINB      S-1-5-21-xxxx-xxxx-xxxx

    Trusting domains list:

    DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
    DOMAINB      S-1-5-21-xxxx-xxxx-xxxx



I MAY have seen "could not connect to server..." errors in the past even when trusts did work.



On 11/22/16 13:40, Gaiseric Vandal wrote:
> In summary
>
>  * DomainA    Samba classic domain - PDC and BDC are running Samba 
> 4.4.7.  The PDC is called "SambaPDC."
>  * DomainB    Windows AD domain, level 2008, domain controller is 
> Windows 2012 or 2012R2 (you are correct that there are not primary 
> and backup controllers in AD)
>  * DomainC    Windows AD domain, level 2008, domain controllers are 
> Windows 2008
>
>
> I need to get trusts established between DomainA and DomainB. (I don't 
> actually need trusts between DomainA and DomainC, but hoped it might 
> flush out a working configuration)
>
>
>
> I cannot set up trusts between DomainA and DomainB in either 
> direction. The domain controller of domainB just complains that 
> it cannot establish an RPC connection to DomainA's PDC (The PDC on 
> domainA has winbind errors relating to domain C.) (On the DomainA 
> PDC, wbinfo isn't showing trusted users from domainC and I see errors 
> in the winbind log.)
>
>
>
> I can partially set up trusts between DomainA and DomainC. The domain 
> controller of domainC thinks two way trusts are enabled (can verify 
> them) and I am able to grant DomainA users access to files on DomainC 
> servers. (On the DomainA PDC, wbinfo isn't showing trusted users from 
> domainC and I see errors in the winbind log.)
>
>
> Wondering if I should have compiled Samba using the "--without-ad-dc" option.
>
>
>
>
>
> On 11/22/16 12:43, Rowland Penny via samba wrote:
>> See inline comments:
>>
>> On Tue, 22 Nov 2016 12:04:57 -0500
>> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>>
>>> I am trying to configure a Samba 4 classic PDC to trust Windows
>>> 2012 domain "DomainB" - the PDC is running Windows 2012 but the
>>> forest and domain functional levels are still Windows 2008. On the
>>> Win 2012 PDC I try to set up an incoming trust, but it fails with
>>> "The local security authority is unable to obtain an RPC connection
>>> to the active directory domain controller SAMBAPDC."
>> Can we confirm what I think the above means:
>>
>> You have a NT4-style PDC
>> You have 'DomainB' in which there is a Windows 2012 AD DC running as
>> domain functional level 2008 (This is NOT a PDC)
>> You are trying to set up a trust between the PDC and the AD DC
>>
>>>
>>>
>>> I have a third domain "DomainC" - the PDC is running Windows
>>> 2008, and the forest and domain functional levels are still Windows
>>> 2008. On that PDC I am able to configure and verify an incoming trust.
>>>
>> Again, you have an AD DC running windows 2008 and you can configure a
>> trust, but you don't say between what.
>>> I am guessing some recent security patch that applies to Windows 2012
>>> but not to Windows 2008 is the issue?
>>>
>> Sounds like it.
>>> Since samba is configured as a classic domain, I would have
>>> expected the Windows 2012 DC to see the samba domain as an NT4 domain.
>>>
>> Should do, but Microsoft seems to be trying to make it harder, see
>> here:
>>
>> https://social.technet.microsoft.com/Forums/en-US/f2bf83d8-6dcc-45de-a99d-fe5d83a83e12/can-i-join-an-nt4-workstation-to-a-windows-2012-domain?forum=winserverDS
>>
>>> I have tried setting the following in smb.conf
>>>
>>>      server services = +smb -s3fs
>>>      dcerpc endpoint servers = +winreg +srvsvc
>> They will not do anything on a PDC, they are meant for an AD DC
>>
>> Rowland
>>
>

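An added check, not from this thread or from the Samba project, that reads the `net rpc trustdom list` output quoted at the top of this message and reports whether a given domain appears as a two-way, outgoing-only, incoming-only or absent trust. The listings below are constructed to mirror the quoted output (SIDs masked the same way); the `trust_direction` function and its labels are my own naming.

```shell
#!/bin/sh
# Constructed sample in the shape of the `net rpc trustdom list` output
# quoted in the message (SIDs masked the same way).
SAMPLE_TWO_WAY='Trusted domains list:

DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
DOMAINB      S-1-5-21-xxxx-xxxx-xxxx

Trusting domains list:

DOMAINA      S-1-5-21-xxxx-xxxx-xxxx
DOMAINB      S-1-5-21-xxxx-xxxx-xxxx
'

# Constructed: DOMAINC is only in the trusted list, i.e. the PDC trusts it
# but nothing shows DOMAINC trusting the PDC back.
SAMPLE_ONE_WAY='Trusted domains list:

DOMAINC      S-1-5-21-xxxx-xxxx-xxxx

Trusting domains list:

'

# trust_direction LISTING DOMAIN
# Prints "two-way" if DOMAIN appears in both lists, "outgoing" if it is only
# in the trusted list (the PDC trusts it), "incoming" if it is only in the
# trusting list (it trusts the PDC), and "none" otherwise.
# Names are compared case-insensitively because the listing upper-cases them.
trust_direction() {
    printf '%s\n' "$1" | awk -v d="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        /^Trusted domains list:/  { sec = "trusted";  next }
        /^Trusting domains list:/ { sec = "trusting"; next }
        NF >= 2 && toupper($1) == d { seen[sec] = 1 }
        END {
            if (seen["trusted"] && seen["trusting"]) print "two-way"
            else if (seen["trusted"])                print "outgoing"
            else if (seen["trusting"])               print "incoming"
            else                                     print "none"
        }'
}

# Stand-alone run against the constructed samples.
trust_direction "$SAMPLE_TWO_WAY" DomainB   # two-way
trust_direction "$SAMPLE_ONE_WAY" DomainC   # outgoing
trust_direction "$SAMPLE_ONE_WAY" DomainB   # none
```

On the PDC itself, feed it the live listing: `trust_direction "$(/usr/local/samba/bin/net rpc trustdom list -U Administrator)" DomainB`. An entry in both lists only shows that the trust records exist on the PDC; as the "Could not connect to server" lines above illustrate, it does not prove the RPC connection to the other DC works.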

