[Samba] Two Samba 4 AD DC forest trust

Alex Crow acrow at integrafin.co.uk
Fri Apr 6 17:02:49 UTC 2018



On 06/04/18 16:44, Rowland Penny via samba wrote:
> On Fri, 6 Apr 2018 08:01:50 -0700 (MST)
> Lea Massiot via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> My post is about having two Samba 4 AD DCs at two different
>> geographical places and accessing resources bidirectionally through a
>> VPN as summarized in the schema below.
>>
>> -------------------------
>> Geographical site 1
>> -------------------------
>> - AD DC: Samba 4.1.4
>> - LAN_1 IPs: 192.168.1.0/24
>> - Machines DNS names: <hostname>.company.lan
>> - Some machines do not move from this site.
>> - Some machines are nomads (they can move to Geographical site 2).
>> - We can access some resources that are on LAN_2 machines through the
>> VPN. For example, NASs get synchronized through the VPN.
>> -------------------------
>> |
>> |
>> |
>> |
>> VPN
>> |
>> |
>> |
>> |
>> -------------------------
>> Geographical site 2
>> -------------------------
>> - AD DC: Samba 4.8.0
>> - LAN_2 IPs: 192.168.2.0/24
>> - Machines DNS names: <hostname>.company.lan2
>> - Some machines do not move from this site.
>> - Some machines are nomads (they can move to Geographical site 1).
>> - We can access some resources that are on LAN_1 machines through the
>> VPN. For example, NASs get synchronized through the VPN.
>> -------------------------
>>
>> On Geographical site 2, I am about to (*):
>>
>> /"Select a DNS domain for your AD forest.
>> The name will also be used as the AD Kerberos realm.
>> WARNING | Make sure that you provision the AD using a DNS domain that
>> will not need to be changed.
>> WARNING | Samba does not support renaming the AD DNS zone and Kerberos
>> realm."
>> /
>>
>> I am wondering which is the good way to go as far as these domain
>> names are concerned.
>> Also, I have read about AD forests but I couldn't find literature
>> explaining how to set up such a system with two Samba 4 AD DCs.
>>
>> In
>> https://www.infoworld.com/article/2613171/networking/samba-4-review--no-substitute-for-active-directory----yet.html
>> dating back to 2013, one can read:
>> /"Support for cross-forest trusts and multiple domain controllers is
>> still to come. "/
>>
>> Can you help me?
>> Best regards.
>>
>> (*)
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>
>>
>>
>> --
>> Sent from:
>> http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
>>
> As far as I am aware, trusts still do not fully work yet. This isn't
> really a problem, mainly because you will probably be better off
> setting up a one domain forest and using subnets and sites. Do an
> internet search on 'active directory sites and services' for more info.
>
> Rowland
>   
>

Hi,

To add to this, I've just sent congrats to the team for making this work 
just enough for us.

You should slave the remote domain in named.conf on the local side at 
both ends on your DCs. Just pick any two distinct domains that are not 
sub/superdomains. Then all domain members are able to resolve across the 
trust boundary.

When you set up a forest trust you should be able to give users in DomX 
access to at least member server file shares in DomY and vice-versa. 
This is the first time I've got this bit to work; I've had 
authentication on workstations working before but never resource access 
until 4.8.0.

Cheers

Alex
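As an added example (not code from this thread or from the Samba project), the script below encodes the two rules in the reply above: the two forest names must not be sub/superdomains of each other, and each DC slaves the other forest's zone in named.conf before the trust is created. It assumes hypothetical DC addresses (192.168.1.10 and 192.168.2.10), a hypothetical slave file path under BIND's working directory, the BIND9_DLZ backend on both DCs, and samba-tool option names as documented in the 4.8 help text; check them against the version you run.

```python
"""Plan the DNS and trust pieces for two Samba AD forests joined by a VPN.

Added example for this thread, not Samba project code. Hypothetical
inputs: the DC addresses 192.168.1.10 / 192.168.2.10, the BIND slave
file path and the admin account name. Command syntax follows the
samba-tool help text for 4.8; verify it against your own version.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forest:
    realm: str    # AD DNS domain == Kerberos realm (cannot be renamed later)
    dc_ip: str    # DC running BIND9_DLZ, authoritative for its own zone
    lan: str


def labels(domain: str) -> tuple:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return tuple(domain.strip(".").lower().split("."))


def is_sub_or_superdomain(a: str, b: str) -> bool:
    """True if one name equals the other or lies beneath it in the DNS tree.

    The comparison is label-wise: "company.lan2" is NOT under "company.lan",
    even though a naive string-suffix test would say otherwise.
    """
    la, lb = labels(a), labels(b)
    short, long_ = (la, lb) if len(la) <= len(lb) else (lb, la)
    return long_[-len(short):] == short


def check_forest_names(a: str, b: str) -> None:
    """Reject overlapping names; a forest trust needs disjoint namespaces."""
    if is_sub_or_superdomain(a, b):
        raise ValueError(f"{a!r} and {b!r} overlap; pick two unrelated DNS domains")


def slave_zone_stanza(zone: str, master_ip: str) -> str:
    """named.conf stanza that mirrors the remote forest's zone from its DC."""
    return (
        f'zone "{zone}" {{\n'
        f"    type slave;\n"
        f"    masters {{ {master_ip}; }};\n"
        f'    file "slaves/{zone}.db";\n'   # hypothetical path under BIND's working dir
        f"}};\n"
    )


def named_conf_addition(local: Forest, remote: Forest) -> str:
    """Text to append to named.conf on `local`'s DC. Its own zone keeps the
    dlz_bind9 stanza written at provisioning; the remote forest is slaved."""
    check_forest_names(local.realm, remote.realm)
    return (
        f"// {local.realm} DC ({local.dc_ip}): slave copy of {remote.realm}\n"
        + slave_zone_stanza(remote.realm, remote.dc_ip)
    )


def trust_commands(local: Forest, remote: Forest, admin: str = "Administrator") -> list:
    """samba-tool invocations, run once on the local DC, that create a
    two-way forest trust on both sides and then validate and list it."""
    check_forest_names(local.realm, remote.realm)
    return [
        f"samba-tool domain trust create {remote.realm} --type=forest "
        f"--direction=both --create-location=both -U {admin}@{remote.realm.upper()}",
        f"samba-tool domain trust validate {remote.realm}",
        "samba-tool domain trust list",
    ]


# Constructed inputs matching the two sites in the original post.
SITE1 = Forest("company.lan", "192.168.1.10", "192.168.1.0/24")
SITE2 = Forest("company.lan2", "192.168.2.10", "192.168.2.0/24")

if __name__ == "__main__":
    for local, remote in ((SITE1, SITE2), (SITE2, SITE1)):
        print(named_conf_addition(local, remote))
    print("\n".join(trust_commands(SITE1, SITE2)))
```

Before creating the trust, confirm that each DC can actually pull the other zone (for example `dig @192.168.2.10 company.lan2 AXFR` from the site 1 DC); if the transfer is refused, the `allow-transfer` ACL in the master's named.conf is the first thing to check, since the VPN alone does not make the zone visible to domain members.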




