[Samba] Trust relationship between different domains

L.P.H. van Belle belle at bazuin.nl
Mon Jun 4 06:24:47 UTC 2018


Hai Elias, 
 
NET USE \\10.10.1.7\IPC$ /user:campus\administrator pa$$wd



Works! :)


C:\>net use
Novas conexões serão lembradas.


Status       Local     Remoto                    Rede


-------------------------------------------------------------------------------
             E:        \\vboxsrv\D_DRIVE         VirtualBox Shared Folders
OK                     \\10.10.1.7\IPC$          Microsoft Windows Network

 

Now try to set up the domain trust again; if that works, this is a workaround for a Windows client problem.

Do I do this via RSAT or samba-tool?

 
 
Ok, if \\hostname or \\hostname.fqdn isn't working then you probably have resolving issues.
And I was assuming you would use the RSAT tools. ;-)

So far, try it out and let us know.
 
Greetz, 
 
Louis
 
 
 
 


From: Elias Pereira [mailto:empbilly at gmail.com]
Sent: Friday 1 June 2018 19:56
To: samba at lists.samba.org
CC: L.P.H. van Belle
Subject: Re: Trust relationship between different domains



Hello Louis, thanks for the reply!!! :D

Sorry for the late reply. 

No need for excuses. Again I apologize for sending you a private email.
 
I do prefer the list, and I understand why you mailed me directly, but it's best to keep this on the list. The more eyes that see this, the more chance you have of a reply.

Yes, me too, but I believe the people were busy and may not have seen the topic on the list. :)


Now, I see you are using my 4.8.2 packages, so you're on Debian (or Ubuntu 18.04).

Debian x64. 
 
First try this.
On the computer where you use the RSAT tools, open a CMD box and run:
 
NET USE \\<DOMAIN-CONTROLER.FQDN>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user>
NET USE \\<DOMAIN-CONTROLER>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user> 

I was able to run the command with the IP instead of the domain name.


First I ran on the campus.sertao.intra:



NET USE \\dc1.campus.reitoria.intra\IPC$ /user:campus\administrator pa$$wd

and also

NET USE \\campus.reitoria.intra\IPC$ /user:campus\administrator pa$$wd



Didn't work.


So, I ran with IP instead:


NET USE \\10.10.1.7\IPC$ /user:campus\administrator pa$$wd



Works! :)


C:\>net use
Novas conexões serão lembradas.


Status       Local     Remoto                    Rede


-------------------------------------------------------------------------------
             E:        \\vboxsrv\D_DRIVE         VirtualBox Shared Folders
OK                     \\10.10.1.7\IPC$          Microsoft Windows Network

 

Now try to set up the domain trust again; if that works, this is a workaround for a Windows client problem.

Do I do this via RSAT or samba-tool?


If you get the message again: do you have an MS Exchange in one of the domains? That might give that message also.

I don't.


And my concerns about why this might not work, when I look at your domain names:
ifrs.edu.br              HQ
city_name.ifrs.edu.br    CITY
sertao.ifrs.edu.br       Campus

Now, and I might be very wrong here, but if you want to use a domain trust between different domains, with what I see now, it will give problems with DNS.
What is the top-level (primary DNS) domain of all three mentioned domains?

No, city_name is an example, because this is a subdomain of HQ (ifrs.edu.br) at institution level and is always the name of the city where the campus is located. The real name is sertao.ifrs.edu.br.








On Fri, Jun 1, 2018 at 11:15 AM, L.P.H. van Belle <belle at bazuin.nl> wrote:
Hai Elias,
 
Sorry for the late reply.
I do prefer the list, and I understand why you mailed me directly, but it's best to keep this on the list.
The more eyes that see this, the more chance you have of a reply.
I must say, I personally don't use any trust relationships. It was long ago that I used that, so I'm a bit rusty here.

Now, I see you are using my 4.8.2 packages, so you're on Debian (or Ubuntu 18.04).
 
First try this.
On the computer where you use the RSAT tools, open a CMD box and run:
 
NET USE \\<DOMAIN-CONTROLER.FQDN>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user> 
NET USE \\<DOMAIN-CONTROLER>\IPC$ /user:<DOMAIN-NAME>\<Domain-admin-user> 
 
Now try to set up the domain trust again; if that works, this is a workaround for a Windows client problem.
If you get the message again: do you have an MS Exchange in one of the domains? That might give that message also.
 
And my concerns about why this might not work, when I look at your domain names:
ifrs.edu.br              HQ
city_name.ifrs.edu.br    CITY
sertao.ifrs.edu.br       Campus
Now, and I might be very wrong here, but if you want to use a domain trust between different domains, with what I see now, it will give problems with DNS.
What is the top-level (primary DNS) domain of all three mentioned domains?

For the first one it's easy, that's ifrs.edu.br, but for the others?
For city, is it the top-level domain (the primary DNS domain name and where your Kerberos points to)?
    Is it city.ifrs.edu.br
or is city a subdomain of ifrs.edu.br but at another location? Because if that's the case, then you might have a problem.

This is a question we need to answer first: whether it's possible to set up a trust between domains with the same (almost the same) domain name.

A good read about this is:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning

An example of how this setup works.

domain.tld    top-level TLD, used for TXT records on the internet. You don't use this in your LAN.
    If you run a web server, and you want www.domain.tld accessible in your LAN:
    set up a vhost <VirtualHost ip1 ip2>. In the DNS, create the domain.tld zone and CNAME www.domain.tld to the hostname of the LAN side of your server.
    (Now you're avoiding the Kerberos auth problem, since the LAN side has a host/fq.dn at kerberosUPN.)
    And set up the internet DNS to the WAN side.
    On servers connected to the internet, use bind or another DNS server and forward the domain domain.tld to an internet DNS.
    Forward companyname.domain.tld to your LAN DNS.
 
companyname.domain.tld   is the company top-level domain for the LAN.
    OU=Service    my service users for all services I need for all locations.
    OU=Users      Only special admins
    OU=Groups     Only special groups
    OU=Computers  Only special computers (Do note, any newly added computer ends up here, then you move it.)
    GPOs at this point are normally not needed; at this point I added my domain root/intermediate CA cert for all computers.
    And you inherit the default GPOs. (That's for the other subdomains.)
    OU=Departments the OU with all my GPO settings for everyone and every computer within a department.
    

hq.companyname.domain.tld    a subdomain of it, and often the first one you do.

    OU=Service    my service users for only this location
    OU=Users    
    OU=Groups
    OU=Computers
    OU=Departments,OU=HQDep
        You put your users + computer in the department. 
        You inherit the domain default GPO.

        You put your GPO settings on that needed for that department only.
 



city.companyname.domain.tld    the sub domain. 

    OU=Service    my service users for only this location
    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=CityDep
        You put your users + computer in the department. 
        You put your GPO settings on that needed for that department only.
 



campus.companyname.domain.tld    the sub domain. 
You put your GPO settings on that needed for the campus only.


    OU=Service    my service users for only this location


    OU=Users
    OU=Groups
    OU=Computers
    OU=Departments,OU=CampDep1
        You put your users + computer in the department. 
        You put your GPO settings on that needed for that department only.
 
etc etc etc 
And in this case you don't use trusts, but you're now very flexible in scaling your network with a clear and easy structure.

But that's my idea; now make yours and post your idea to the list.
Even if you want to use domain trusts..
 
Greetz, 
 
Louis
 
 

From: Elias Pereira [mailto:empbilly at gmail.com]
Sent: Thursday 31 May 2018 21:15
To: L.P.H. van Belle
Subject: Re: Trust relationship between different domains



Hello Louis, 

Sorry for the insistence, but I wonder if you have any ideas, help, hint, anything that can help me with my problem above.


Thanks in advance!!



On Sat, May 26, 2018 at 6:21 PM, Elias Pereira <empbilly at gmail.com> wrote:
Hello Louis, what's up? I hope so!! :D


Did you already test samba4 AD with "trust relationship" on an infrastructure that had 2 or more domains in different places?


E.g.: I work in a school where our rectory or headquarters has the following domain.


ifrs.edu.br


Campuses that are part of the institution have the following domain.


city_name.ifrs.edu.br


E.g.: The campus where I work has the domain:


sertao.ifrs.edu.br


I've already made that question on the list, but only Rowland responded and I believe no one else has done any testing lab on this.


In my test lab, at first I cannot put it in trust. There are some errors.


If you can take a look, the link is below.


https://www.spinics.net/lists/samba/msg149920.html (I could not find the direct link to the samba list)


Thanks in advance!! : D


-- 
Elias Pereira
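The thread turns on two things: whether the partner DC's FQDN and domain name resolve from the RSAT client (Elias only got NET USE working against the IP), and whether the partner domain sits inside your own DNS namespace (Louis's worry about ifrs.edu.br and sertao.ifrs.edu.br). The following Python is an added example, not code from the thread or from Samba: it runs those checks against a constructed sample zone using the thread's names; a live run needs a resolver that can answer SRV queries (for example dnspython), which is an assumption here.

```python
# Constructed sample zone standing in for what a correctly delegated DNS
# should answer for the trust partner in the thread. Names and the address
# come from the thread; the records themselves are assumptions.
SAMPLE_ZONE = {
    "dc1.campus.reitoria.intra": "10.10.1.7",
    "campus.reitoria.intra": "10.10.1.7",  # AD registers the domain name on every DC
    "_ldap._tcp.dc._msdcs.campus.reitoria.intra": "dc1.campus.reitoria.intra",
    "_kerberos._tcp.campus.reitoria.intra": "dc1.campus.reitoria.intra",
}


def sample_resolver(name):
    """Offline stand-in for DNS: answer from SAMPLE_ZONE or raise like a failed lookup."""
    return SAMPLE_ZONE[name.lower().rstrip(".")]


def dns_relationship(a, b):
    """'same', 'child' (a is below b), 'parent' (b is below a) or 'disjoint'."""
    la, lb = a.lower().strip(".").split("."), b.lower().strip(".").split(".")
    if la == lb:
        return "same"
    if len(la) > len(lb) and la[-len(lb):] == lb:
        return "child"
    if len(lb) > len(la) and lb[-len(la):] == la:
        return "parent"
    return "disjoint"


def trust_prerequisites(local_domain, partner_domain, partner_dc, resolve=sample_resolver):
    """Return {check: passed} for the partner side of a planned trust.

    resolve(name) returns an answer or raises; socket.gethostbyname works for the
    A-record checks, the SRV checks need an SRV-capable client (assumption).
    """
    def resolves(name):
        try:
            resolve(name)
            return True
        except (OSError, KeyError):  # socket.gaierror is an OSError
            return False

    return {
        "dc_fqdn_resolves": resolves(partner_dc),
        "domain_name_resolves": resolves(partner_domain),
        "ldap_srv_present": resolves(f"_ldap._tcp.dc._msdcs.{partner_domain}"),
        "kerberos_srv_present": resolves(f"_kerberos._tcp.{partner_domain}"),
        # A partner inside your own namespace is the case Louis flags: that zone
        # would normally be a delegated child domain, not a trust partner.
        "separate_namespaces": dns_relationship(local_domain, partner_domain) == "disjoint",
    }
```

If only the IP works, as in the thread, fix DNS (a conditional forwarder or delegation for the partner zone) rather than relying on the NET USE workaround.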