[Samba] samba NT4 domain trusting samba AD domain: ephimeral
Francesco Malvezzi
francesco.malvezzi at unimore.it
Fri Dec 29 11:28:26 UTC 2017
hi all,
thanks to Rowland's advice, I checked the net trustdom way to establish
trust between domains.
In my setup I have a samba-4.7.4 NT4 domain named TRUSTING which needs
to have a trusting (outgoing)[1] trust with a samba-4.7.4 AD domain named ATENEOAD.
As far as I know it is very similar to:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html#id2620849
I added the lmhosts entries on both servers for the peer.
`net lookup` works and resolves both.
Next I should add an interdomain account named TRUSTING$ on the ATENEOAD AD
controller.
Unfortunately neither:
smbpasswd -i -a TRUSTING
nor:
net rpc trustdom add TRUSTING
work. Error is:
Failed to modify record CN=TRUSTING$,CN=Users,DC=ad,DC=EXAMPLE,DC=org:
Failed to modify CN=TRUSTING$,CN=Users,DC=ad,DC=EXAMPLE,DC=org: Updating
the UF_INTERDOMAIN_TRUST_ACCOUNT bit in userAccountControl is not
permitted over LDAP. This bit is restricted to the LSA
CreateTrustedDomain interface
On the other hand, the following works:
/opt/samba$ sudo ./bin/net rpc trust create otherdomainsid=S-1-5-21-3818863361-4285555769-2448187145 other_netbios_domain=TRUSTING otherdomain=TRUSTING trustpw=aPassword
(as Rowland said).
Was there a better way to do it?
Now on TRUSTING PDC I should issue a:
abnormal$ net rpc trustdom establish ATENEOAD
after it asks me for the trustpw, it works: Trust to domain ATENEOAD established
I was even able to login once as ATENEOAD\francesco on TRUSTING:
francesco at abnormal:/opt/samba$ ./bin/smbclient -UATENEOAD\\francesco -L localhost
Enter ATENEOAD\francesco's password:
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 4.7.4)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
ABNORMAL Samba 4.7.4
Workgroup Master
--------- -------
TRUSTING ABNORMAL
But very soon the trust somehow breaks:
./bin/smbclient -UATENEOAD\\francesco -L localhost
Enter ATENEOAD\francesco's password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
And the logs on ATENEOAD AD controller:
Got NTLMSSP neg_flags=0x62088215
[2017/12/29 12:02:33.086963, 3]
../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth)
Got user=[ABNORMAL$] domain=[TRUSTING] workstation=[ABNORMAL] len1=24 len2=276
[2017/12/29 12:02:33.087059, 3]
../source4/auth/ntlm/auth.c:240(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [TRUSTING]\[ABNORMAL$]@[ABNORMAL]
auth_check_password_send: user is: [TRUSTING]\[ABNORMAL$]@[ABNORMAL]
[2017/12/29 12:02:33.092876, 2]
../source4/auth/ntlm/auth.c:475(auth_check_password_recv)
auth_check_password_recv: sam_failtrusts authentication for user
[TRUSTING\ABNORMAL$] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET,
authoritative=1
[2017/12/29 12:02:33.093003, 2]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,NTLMSSP] user [TRUSTING]\[ABNORMAL$] at [ven, 29 dic 2017
12:02:33.092978 CET] with [NTLMv2] status
[NT_STATUS_NO_TRUST_LSA_SECRET] workstation [ABNORMAL] remote host
[ipv4:192.168.3.12:58188] mapped to [TRUSTING]\[ABNORMAL$]. local host
[ipv4:192.168.89.1:445]
[2017/12/29 12:02:33.093333, 2] ../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2017-12-29T12:02:33.093121+0100",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress":
"ipv4:192.168.89.1:445", "remoteAddress": "ipv4:192.168.3.12:58188",
"serviceDescription": "SMB2", "authDescription": "NTLMSSP",
"clientDomain": "TRUSTING", "clientAccount": "ABNORMAL$", "workstation":
"ABNORMAL", "becameAccount": null, "becameDomain": null, "becameSid":
"(NULL SID)", "mappedAccount": "ABNORMAL$", "mappedDomain": "TRUSTING",
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2017/12/29 12:02:33.093436, 3]
../auth/auth_log.c:139(get_auth_event_server)
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
(abnormal is the TRUSTING PDC hostname)
What is going on?
It looks like abnormal expects to have joined ATENEOAD as a client. But it's
of course failing, because there is no machine account named abnormal$
on ATENEOAD.
I am really frustrated because the trust did work, briefly.
What was wrong in my procedure?
As a starting point, can anybody confirm a similar trust relation can be
done?
Really, thank you all, starting from Rowland,
Francesco
[1] users from ATENEOAD should access resources on TRUSTING
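The "JSON Authentication" lines quoted in the post are the part of the Samba DC log that is easiest to monitor for a trust that has silently broken. The following script is an added example, not code from the post or from the Samba project: it parses those JSON records out of a constructed log extract modelled on the lines above (addresses, names and timestamps are illustrative), separates authentications by the peer domain's machine/trust account (names ending in "$") from ordinary user logons, and counts failures such as NT_STATUS_NO_TRUST_LSA_SECRET per (domain, account, status). The status set and the "$" heuristic are assumptions for the example; the JSON field names are the ones visible in the post.

```python
import json
import re
from collections import Counter

# Samba writes the JSON record after the literal prefix "JSON Authentication:".
JSON_AUTH_RE = re.compile(r"JSON Authentication:\s*(\{.*\})\s*$")

# Statuses that, on the DC of the trusted domain, point at a trust/secret problem
# rather than a wrong user password (assumed set for this example).
TRUST_STATUSES = {
    "NT_STATUS_NO_TRUST_LSA_SECRET",
    "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
}

# Constructed sample log extract, modelled on the lines quoted in the post.
# One real record per line (the post's copy was wrapped by the mail client);
# the second line of each pair is the Samba log header that precedes the record.
SAMPLE_LOG = """\
[2017/12/29 12:02:33.093333, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T12:02:33.093121+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress": "ipv4:192.168.89.1:445", "remoteAddress": "ipv4:192.168.3.12:58188", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "TRUSTING", "clientAccount": "ABNORMAL$", "workstation": "ABNORMAL", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "ABNORMAL$", "mappedDomain": "TRUSTING", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2017/12/29 12:03:10.001000, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T12:03:10.000900+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:192.168.89.1:445", "remoteAddress": "ipv4:192.168.3.12:58201", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "ATENEOAD", "clientAccount": "francesco", "workstation": "ABNORMAL", "passwordType": "NTLMv2"}}
  some unrelated debug line that must be ignored
  JSON Authentication: {"timestamp": "broken", "type": "Authentication", "Authentication": {
[2017/12/29 12:05:41.500000, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2017-12-29T12:05:41.499800+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_TRUST_LSA_SECRET", "localAddress": "ipv4:192.168.89.1:445", "remoteAddress": "ipv4:192.168.3.12:58344", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "TRUSTING", "clientAccount": "ABNORMAL$", "workstation": "ABNORMAL", "passwordType": "NTLMv2"}}
"""


def parse_auth_events(text):
    """Return a list of flat dicts, one per valid JSON Authentication record.

    Lines without the prefix, and records that are truncated or not of
    type "Authentication", are skipped rather than raising.
    """
    events = []
    for line in text.splitlines():
        m = JSON_AUTH_RE.search(line)
        if not m:
            continue
        try:
            rec = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        auth = rec.get("Authentication", {})
        events.append({
            "timestamp": rec.get("timestamp"),
            "status": auth.get("status"),
            "domain": auth.get("clientDomain"),
            "account": auth.get("clientAccount"),
            "workstation": auth.get("workstation"),
            "remote": auth.get("remoteAddress"),
            "service": auth.get("serviceDescription"),
            "password_type": auth.get("passwordType"),
        })
    return events


def is_machine_account(account):
    """Machine and interdomain trust accounts end in '$' (heuristic)."""
    return bool(account) and account.endswith("$")


def trust_account_failures(events):
    """Events where a machine/trust account failed, or a trust-secret status was logged.

    A user typing a wrong password is NT_STATUS_WRONG_PASSWORD for a plain account;
    a '$' account failing with a NO_TRUST_* status is the signature of a broken trust.
    """
    return [
        e for e in events
        if e["status"] in TRUST_STATUSES
        or (is_machine_account(e["account"]) and e["status"] != "NT_STATUS_OK")
    ]


def summarize(events):
    """Count events per (clientDomain, clientAccount, status) for a quick triage view."""
    return Counter((e["domain"], e["account"], e["status"]) for e in events)


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for key, n in sorted(summarize(evs).items()):
        print(f"{n:3d}  {key[0]}\\{key[1]}  {key[2]}")
    for e in trust_account_failures(evs):
        print(f"trust failure: {e['domain']}\\{e['account']} from {e['remote']} at {e['timestamp']}")
```

Run it against a real `log.samba` (or the file configured for the auth_audit class) by replacing SAMPLE_LOG with the file contents; the point of the split is that a repeated NO_TRUST_LSA_SECRET failure from the peer PDC's machine account, as in the post, is a configuration problem on the trusted-domain side and not a user credential problem, so it deserves a different alert than ordinary logon failures.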