[Samba] Trust relationship between different domains

L.P.H. van Belle belle at bazuin.nl
Fri Jun 1 14:15:48 UTC 2018


Hi Elias,
 
Sorry for the late reply.
I do prefer the list, and I understand why you mailed me directly, but it is best to keep this on the list.
The more eyes that see this, the more chance you have of a reply.
I must say, I personally don't use any trust relationships. That was long ago when I used that, so I'm a bit rusty here.
 
Now, I see you are using my 4.8.2 packages, so you are on Debian (or Ubuntu 18.04).
 
First try this.
On the computer where you use the RSAT tools, open a CMD box and run:

NET USE \\<DOMAIN-CONTROLLER.FQDN>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
NET USE \\<DOMAIN-CONTROLLER>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
 
Now try to set up the domain trust again. If that works, this is a workaround for a Windows client problem.
If you get the message again, do you have an MS Exchange in one of the domains? That might give that message also.
 
And my concerns why this might not work, when I look at your domain names:
ifrs.edu.br               HQ
city_name.ifrs.edu.br     CITY
sertao.ifrs.edu.br        Campus
Now, and I might be very wrong here, but if you want to use domain trust between different domains, with what I see now, this will give problems with DNS.
What is the top level (primary DNS) domain of all three mentioned domains?

For the first one it's easy, that's ifrs.edu.br, but for the others?
For city.. what is the top level domain (the primary DNS domain name and where your Kerberos points to)?
    Is it city.ifrs.edu.br
or is city a subdomain of ifrs.edu.br but in another location? Because if that's the case, then you might have a problem.

This is the question we need to answer first: whether it's possible to set up trust between domains with the same (almost the same) domain name.
 
A good read about this is:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning
 
An example of how this setup works.

domain.tld    the top level domain, used for TXT records on the internet. You don't use this in your LAN.
    If you run a web server and you want www.domain.tld accessible in your LAN:
    set up a vhost <VirtualHost ip1 ip2>. In the DNS, create the domain.tld zone and CNAME www.domain.tld to the hostname of the LAN side of your server.
    (Now you're avoiding a Kerberos auth problem, since the LAN side has a host/fq.dn as Kerberos UPN.)
    And set up the internet DNS to point to the WAN side.
    On the servers connected to the internet, use bind or another DNS server and forward the domain domain.tld to an internet DNS.
    Forward companyname.domain.tld to your LAN DNS.

companyname.domain.tld    the company top level domain for the LAN.
    OU=Service      my service users for all services I need for all locations.
    OU=Users        only special admins
    OU=Groups       only special groups
    OU=Computers    only special computers (do note, any newly added computer ends up here, then you move it.)
    GPOs at this point are normally not needed; at this point I added my domain root/intermediate CA cert for all computers.
    And you inherit the default GPOs. (That's for the other subdomains.)
    OU=Departments  the OU with all my GPO settings for everyone and every computer within a department.
    
hq.companyname.domain.tld    a subdomain of it, and often the first one you do.

    OU=Service    my service users for only this location
    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=HQDep
        You put your users + computers in the department.
        You inherit the domain default GPO.
        You put your GPO settings on it that are needed for that department only.
 


city.companyname.domain.tld    the subdomain.

    OU=Service    my service users for only this location
    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=CityDep
        You put your users + computers in the department.
        You put your GPO settings on it that are needed for that department only.
 


campus.companyname.domain.tld    the subdomain.
You put your GPO settings on it that are needed for the campus only.

    OU=Service    my service users for only this location
    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=CampDep1
        You put your users + computers in the department.
        You put your GPO settings on it that are needed for that department only.

etc etc etc
And in this case you don't use trusts, but you're now very flexible in scaling your network with a clear and easy structure.

But that's my idea, now make yours and post your idea to the list.
Even if you want to use domain trusts..
 
Greetz, 
 
Louis
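Before attempting the trust, the two DNS questions raised above (is one of the domains nested inside another, and does each domain publish the Kerberos/LDAP SRV records its DCs must register) can be checked from a script. This is an added example, not code from the list or from Samba; it assumes `dig` is installed for live lookups, and the resolver is injectable so the same logic runs on constructed data.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# The three domains named in the thread (HQ, the city template, one real campus).
DOMAINS = ["ifrs.edu.br", "city_name.ifrs.edu.br", "sertao.ifrs.edu.br"]

# SRV names an AD domain controller registers under its own domain for Kerberos and LDAP.
SRV_PREFIXES = ("_kerberos._tcp", "_ldap._tcp", "_kerberos._udp", "_kpasswd._tcp")


def nested_pairs(domains: List[str]) -> List[Tuple[str, str]]:
    """Return (child, parent) pairs where child lies inside parent's DNS namespace."""
    pairs = []
    for child in domains:
        for parent in domains:
            if child != parent and child.lower().endswith("." + parent.lower()):
                pairs.append((child, parent))
    return pairs


def dig_srv(name: str) -> List[str]:
    """Live resolver: non-empty lines of 'dig +short SRV <name>', or [] on any failure."""
    try:
        proc = subprocess.run(["dig", "+short", "SRV", name], capture_output=True,
                              text=True, timeout=5, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [line for line in proc.stdout.splitlines() if line.strip()]


def missing_srv(domain: str, resolve: Callable[[str], List[str]] = dig_srv) -> List[str]:
    """SRV names under `domain` for which the resolver returned no answer."""
    return [f"{p}.{domain}" for p in SRV_PREFIXES if not resolve(f"{p}.{domain}")]


def report(domains: List[str], resolve: Callable[[str], List[str]] = dig_srv) -> Dict[str, List[str]]:
    """Summary: namespace overlaps under 'nested', plus missing SRV records per domain."""
    out: Dict[str, List[str]] = {"nested": [f"{c} is inside {p}" for c, p in nested_pairs(domains)]}
    for d in domains:
        out[d] = missing_srv(d, resolve)
    return out


if __name__ == "__main__":
    # Live run against the thread's domains; an empty list means every SRV record resolved.
    for key, lines in report(DOMAINS).items():
        print(f"{key}: {lines}")
```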
 

 

From: Elias Pereira [mailto:empbilly at gmail.com]
Sent: Thursday, May 31, 2018 21:15
To: L.P.H. van Belle
Subject: Re: Trust relationship between different domains



Hello Louis, 

Sorry for the insistence, but I wonder if you have any ideas, help, hint, anything that can help me with my problem above.


Thanks in advance!!



On Sat, May 26, 2018 at 6:21 PM, Elias Pereira <empbilly at gmail.com> wrote:
Hello Louis, What's up? I hope so!! :D


Did you already test samba4 AD with "trust relationship" on an infrastructure that had 2 or more domains in different places?


E.g. I work in a school where our rectory or headquarters has the following domain.


ifrs.edu.br


Campuses that are part of the institution have the following domain.


city_name.ifrs.edu.br


E.g. The campus that I work at has the domain:


sertao.ifrs.edu.br


I've already made that question on the list, but only Rowland responded and I believe no one else has done any testing lab on this.


In my test lab at first I can not put it in trust. There are some errors.


If you can take a look, the link is below.


https://www.spinics.net/lists/samba/msg149920.html (I could not find the direct link to the samba list)


Thanks in advance!! : D


-- 
Elias Pereira

-- 
Elias Pereira