[Samba] Trust relationship between different domains
Elias Pereira
empbilly at gmail.com
Fri Jun 1 17:55:51 UTC 2018
Hello Louis, thanks for the reply!!! :D
> Sorry for the late reply.
No need for excuses. Again I apologize for sending you a private email.
> I do prefer the list, and I understand why you mailed me directly, but
> best is to keep this on the list. The more eyes that see this, the more
> chance you have of a reply.
Yes, me too, but I believe the people were busy and may not have seen the
topic on the list. :)
> Now, I see you are using my 4.8.2 packages, so you are on Debian (or Ubuntu
> 18.04).
Debian x64.
> First try this.
> On the computer where you use the RSAT tools, open a CMD box, and run:
>
> NET USE \\<DOMAIN-CONTROLLER.FQDN>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
> NET USE \\<DOMAIN-CONTROLLER>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
I was able to run the command with the IP instead of the domain name.
First I ran on the campus.sertao.intra:
NET USE \\dc1.campus.reitoria.intra\IPC$ /user:campus\administrator pa$$wd
and also
NET USE \\campus.reitoria.intra\IPC$ /user:campus\administrator pa$$wd
Didn't work.
So, I ran with IP instead:
NET USE \\10.10.1.7\IPC$ /user:campus\administrator pa$$wd
Works! :)
C:\>net use
New connections will be remembered.

Status       Local     Remote                     Network
-------------------------------------------------------------------------------
             E:        \\vboxsrv\D_DRIVE          VirtualBox Shared Folders
OK                     \\10.10.1.7\IPC$           Microsoft Windows Network
> Now try to set up the domain trust again; if that works, this is a workaround
> for a Windows client problem.
I do this via RSAT or samba-tool?
> If you get the message again, do you have an MS Exchange in one of the
> domains? That might give that message also.
I don't have.
> And my concerns why this might not work, when I look at your domain names:
> ifrs.edu.br              HQ
> city_name.ifrs.edu.br    CITY
> sertao.ifrs.edu.br       Campus
>
> Now, and I might be very wrong here, but if you want to use domain trust
> between different domains, with what I see now, this gives a problem with DNS.
> What is the top level (primary DNS) domain of all three mentioned domains?
No, city_name is an example, because this is a subdomain of HQ (ifrs.edu.br) at
institution level and is always the city name where the campus is located.
Real name is sertao.ifrs.edu.br.
On Fri, Jun 1, 2018 at 11:15 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
> Hai Elias,
>
> Sorry for the late reply.
> I do prefer the list, and I understand why you mailed me directly, but
> best is to keep this on the list.
> The more eyes that see this, the more chance you have of a reply.
> I must say, I personally don't use any trust relationships. That was long
> ago when I used that, so I'm a bit rusty here.
>
> Now, I see you are using my 4.8.2 packages, so you are on Debian (or Ubuntu
> 18.04).
>
> First try this.
> On the computer where you use the RSAT tools, open a CMD box, and run:
>
> NET USE \\<DOMAIN-CONTROLLER.FQDN>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
> NET USE \\<DOMAIN-CONTROLLER>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
>
> Now try to set up the domain trust again; if that works, this is a workaround
> for a Windows client problem.
> If you get the message again, do you have an MS Exchange in one of the
> domains? That might give that message also.
>
> And my concerns why this might not work, when I look at your domain
> names:
> ifrs.edu.br              HQ
> city_name.ifrs.edu.br    CITY
> sertao.ifrs.edu.br       Campus
>
> Now, and I might be very wrong here, but if you want to use domain trust
> between different domains, with what I see now, this gives a problem with DNS.
> What is the top level (primary DNS) domain of all three mentioned domains?
>
> For the first one it's easy, that's ifrs.edu.br, but for the others?
> For city.. is the top level domain (the primary DNS domain name, and where
> your Kerberos points to)
> city.ifrs.edu.br,
> or is city a subdomain of ifrs.edu.br but at another location?
> Because if that's the case, then you might have a problem.
>
> This is a question we need to answer first: whether it's possible to set up
> a trust between domains with the same (almost the same) domain name.
>
> A good read about this is:
> https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning
>
> An example of how this setup works.
>
> domain.tld: the top-level domain, used for TXT records on the internet. You
> don't use this in your LAN.
> If you run a web server, and you want www.domain.tld accessible in
> your LAN:
> set up a vhost <VirtualHost ip1 ip2>. In the DNS, create the
> domain.tld zone, and CNAME www.domain.tld to the hostname of the LAN side
> of your server.
> (Now you're avoiding the Kerberos auth problem, since the LAN side has a
> host/fq.dn at kerberosUPN.)
> And set up the internet DNS to the WAN side.
> Servers connected to the internet: use bind or another DNS server on
> these and forward the domain domain.tld to an internet DNS.
> Forward companyname.domain.tld to your LAN DNS.
>
> companyname.domain.tld is the company top-level domain for the LAN.
> OU=Service       my service users for all services I need for all
>                  locations.
> OU=Users         Only special admins
> OU=Groups        Only special groups
> OU=Computers     Only special computers (Do note, any newly added
>                  computer ends up here, then you move it.)
> GPOs at this point are normally not needed; at this point I added my
> domain root/intermediate CA cert for all computers.
> And you inherit the default GPOs. (That's for the other subdomains.)
> OU=Departments   the OU with all my GPO settings for everyone and every
>                  computer within a department.
>
> hq.companyname.domain.tld, a subdomain of it, and often the first one you
> do.
> OU=Service       my service users for only this location
> OU=Users
> OU=Groups
> OU=Computers
> OU=Departments,OU=HQDep
>                  You put your users + computers in the department.
>                  You inherit the domain default GPO.
>                  You put the GPO settings on it that are needed for that
>                  department only.
>
> city.companyname.domain.tld, the subdomain.
> OU=Service       my service users for only this location
> OU=Users
> OU=Groups
> OU=Computers
> OU=Departments,OU=CityDep
>                  You put your users + computers in the department.
>                  You put the GPO settings on it that are needed for that
>                  department only.
>
> campus.companyname.domain.tld, the subdomain.
> You put the GPO settings on it that are needed for the campus only.
> OU=Service       my service users for only this location
> OU=Users
> OU=Groups
> OU=Computers
> OU=Departments,OU=CampDep1
>                  You put your users + computers in the department.
>                  You put the GPO settings on it that are needed for that
>                  department only.
>
> etc etc etc
> And in this case you don't use trusts, but you're now very flexible in scaling
> your network with a clear and easy structure.
>
> But that's my idea; now make yours and post your idea to the list.
> Even if you want to use domain trusts..
>
> Greetz,
>
> Louis
>
>
>
> ------------------------------
> *From:* Elias Pereira [mailto:empbilly at gmail.com]
> *Sent:* Thursday, 31 May 2018 21:15
> *To:* L.P.H. van Belle
> *Subject:* Re: Trust relationship between different domains
>
> Hello Louis,
>
> Sorry for the insistence, but I wonder if you have any ideas, help, hints,
> anything that can help me with my problem above.
>
> Thanks in advance!!
>
> On Sat, May 26, 2018 at 6:21 PM, Elias Pereira <empbilly at gmail.com> wrote:
>
>> Hello Louis, What’s up? I hope so!! :D
>>
>> Did you already test samba4 AD with "trust relationship" on an
>> infrastructure that had 2 or more domains in different places?
>>
>> E.g.: I work in a school where our rectory, or headquarters, has the
>> following domain.
>>
>> ifrs.edu.br
>>
>> Campuses that are part of the institution have the following domain.
>>
>> city_name.ifrs.edu.br
>>
>> E.g: The campus that I work has the domain:
>>
>> sertao.ifrs.edu.br
>>
>> I've already made that question on the list, but only Rowland responded
>> and I believe no one else has done any testing lab on this.
>>
>> In my test lab, at first I cannot put it in trust. There are some errors.
>>
>> If you can take a look, the link is below.
>>
>> https://www.spinics.net/lists/samba/msg149920.html (I could not find the
>> direct link to the samba list)
>>
>> Thanks in advance!! : D
>>
>> --
>> Elias Pereira
>>
>
>
>
> --
> Elias Pereira
>
>
--
Elias Pereira
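The pattern in this thread (NET USE against the DC's IP works, the same thing against the FQDN fails) is a DNS problem, not a credentials problem: a connection by IP normally falls back to NTLM and needs no name resolution, while the trust wizard and samba-tool locate the remote DC by name through the `_ldap._tcp.dc._msdcs` and `_kerberos._tcp` SRV records. The script below is an added example, not code from the thread or from Samba; it checks those records from one side and, depending on how the two zones relate (siblings under a private TLD like the `.intra` lab, or parent/child like ifrs.edu.br and sertao.ifrs.edu.br), says which DNS fix is needed. The lab names and the 10.10.1.7 address are taken from the thread; the two resolver answer tables are constructed to mirror "before" and "after" a forward zone is added, and the hint texts are the editor's own.

```python
"""DNS prerequisite check for an AD domain trust between two domains.

Added example (editor's code, not from the thread or from Samba). Names are
the poster's test lab; the BEFORE/AFTER answer tables are constructed.
"""
import socket
import subprocess


def required_records(remote_domain, remote_dc_fqdn):
    """Names a DC must resolve in the *other* domain before a trust can be set
    up: the DC you name in the wizard, plus the SRV records the DC locator and
    Kerberos use to find the remote domain's DCs."""
    return [
        ("A", remote_dc_fqdn),
        ("SRV", f"_ldap._tcp.dc._msdcs.{remote_domain}"),
        ("SRV", f"_kerberos._tcp.{remote_domain}"),
    ]


def dns_relationship(local_domain, remote_domain):
    """Classify how the two AD DNS zones relate; this decides which fix applies."""
    local = local_domain.lower().rstrip(".")
    remote = remote_domain.lower().rstrip(".")
    if local == remote:
        return "same"
    if remote.endswith("." + local):
        return "remote_is_child"
    if local.endswith("." + remote):
        return "remote_is_parent"
    return "sibling"


# Editor's hints, keyed by zone relationship. An authoritative server answers
# NXDOMAIN for names inside its own zone before any forwarder is consulted,
# which is why parent/child needs delegation rather than forwarding.
FIX_HINT = {
    "same": "Both names are the same domain; a trust needs two distinct domains.",
    "remote_is_child": ("Your DC is authoritative for the parent zone: add an NS "
                        "delegation (plus glue A record) for the child zone."),
    "remote_is_parent": ("The parent zone must delegate your subdomain (NS + glue); "
                         "point your DC's forwarder at the parent DC."),
    "sibling": ("Neither DC is authoritative for the other's zone: add a forward "
                "zone for the other domain on each side, pointing at its DC."),
}


def check_trust_dns(local_domain, remote_domain, remote_dc_fqdn, resolve):
    """Run the checks from one side. resolve(rtype, name) returns a list of
    answers, empty when the name does not resolve."""
    missing = [(rtype, name)
               for rtype, name in required_records(remote_domain, remote_dc_fqdn)
               if not resolve(rtype, name)]
    relationship = dns_relationship(local_domain, remote_domain)
    return {"relationship": relationship, "missing": missing, "ok": not missing,
            "hint": FIX_HINT[relationship] if missing else ""}


def system_resolver(rtype, name):
    """Real resolver: the standard library for A records, `dig` (if installed)
    for SRV, which socket cannot look up."""
    if rtype == "A":
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
        except socket.gaierror:
            return []
    try:
        out = subprocess.run(["dig", "+short", "SRV", name],
                             capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    return [line for line in out.stdout.splitlines() if line.strip()]


def make_table_resolver(table):
    """Resolver backed by a constructed answer table, for offline runs."""
    return lambda rtype, name: list(table.get((rtype, name.lower()), []))


# Constructed: the sertao-side DC with no DNS path to the reitoria zone at all,
# which is the state in which only the IP worked.
BEFORE_FIX = make_table_resolver({})

# Constructed: the same lab after a forward zone for campus.reitoria.intra
# pointing at 10.10.1.7 was added on the sertao side.
AFTER_FIX = make_table_resolver({
    ("A", "dc1.campus.reitoria.intra"): ["10.10.1.7"],
    ("SRV", "_ldap._tcp.dc._msdcs.campus.reitoria.intra"): ["0 100 389 dc1.campus.reitoria.intra."],
    ("SRV", "_kerberos._tcp.campus.reitoria.intra"): ["0 100 88 dc1.campus.reitoria.intra."],
})


if __name__ == "__main__":
    import sys
    args = sys.argv[1:]
    if len(args) == 3:  # usage: local_domain remote_domain remote_dc_fqdn (real DNS)
        result = check_trust_dns(*args, resolve=system_resolver)
    else:               # offline demo on the constructed "before" table
        result = check_trust_dns("campus.sertao.intra", "campus.reitoria.intra",
                                 "dc1.campus.reitoria.intra", BEFORE_FIX)
    for rtype, name in result["missing"]:
        print(f"MISSING {rtype:3} {name}")
    print("relationship:", result["relationship"], "->", "OK" if result["ok"] else result["hint"])
```

Run it on each DC with the other domain's name and DC FQDN as arguments (it needs `dig` on the path for the SRV part), and only once both directions report OK go back to the trust step, whether that is the RSAT wizard or `samba-tool domain trust create` (see `samba-tool domain trust create --help` for the type, direction and credential options). On a Samba DC using the internal DNS, the only forwarding knob is the global `dns forwarder` in smb.conf, so for the sibling case that forwarder has to be a resolver that already knows the other zone; the BIND9_DLZ backend can carry a per-zone `type forward` instead.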