[Samba] status on samba trusts

lists lists at merit.unu.edu
Tue Feb 26 19:59:58 UTC 2019


Hi,

No replies unfortunately. Unsure why.

We searched the list, and we found little discussion on the subject of 
trusts. We see occasional questions, but they are often left unanswered, 
like this one.

If someone could point us to some good up-to-date docs on trusts with 
samba then we would really appreciate it.

We set up a test environment (one Samba 4.9.4 testad2 AD, one native 
Windows 2012 testad1 AD, and a win2012 testclient) to play with trusts, 
but we have just so many questions, and there is so little material (on 
trusts, specific to the combination with Samba) to read.

Both AD domains (testad1 / testad2) are on the same subnet, and my test 
client can join both domains successfully.

The trust (from samba's side) succeeds 'half' with an error when 
validating the incoming trust at the end.

Here are some outputs:

> root at testad2dc:/var/log/samba# samba-tool domain trust create TESTAD1.company.com  -U TESTAD1\\administrator
> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
> RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
> Password for [TESTAD1\administrator]:
> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
> Creating remote TDO.
> Remote TDO created.
> Setting supported encryption types on remote TDO.
> Creating local TDO.
> Local TDO created
> Setting supported encryption types on local TDO.
> Validating outgoing trust...
> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
> Validating incoming trust...
> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED

> root at testad2dc:/var/log/samba# samba-tool domain trust validate testad1
> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com] SID[S-1-5-21-2509583006-2398556320-3264531554]
> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK]
> RemoteDC Netbios[WIN-0ENAIPFH11A] DNS[WIN-0ENAIPFH11A.testad1.company.com] ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to connect netlogon server - ERROR(0xC0000034) - The object name is not found.

> root at testad2dc:/var/log/samba# samba-tool domain trust list
> Type[External] Transitive[No]  Direction[BOTH]     Name[testad1.company.com]

> root at testad2dc:/var/log/samba# samba-tool domain trust show testad1
> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com] SID[S-1-5-21-1012147493-3366197983-1829854343]
> TrustedDomain:
> NetbiosName:    TESTAD1
> DnsName:        testad1.company.com
> SID:            S-1-5-21-2509583006-2398556320-3264531554
> Type:           0x2 (UPLEVEL)
> Direction:      0x3 (BOTH)
> Attributes:     0x4 (QUARANTINED_DOMAIN)
> PosixOffset:    0x00000000 (0)
> kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)

> root at testad2dc:/var/log/samba# wbinfo --online-status
> BUILTIN : active connection
> TESTAD2 : active connection
> TESTAD1 : active connection

> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1

> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
> TESTAD2\administrator
> TESTAD2\guest
> TESTAD2\krbtgt
> TESTAD2\testuser

On the Windows 2012 testad1 side, we do NOT see the trust relation 
listed under "Active Directory Domains and Trusts". Trusted remote users 
are not shown with wbinfo.

For the rest, there are some options to the "samba-tool domain trust 
create" command that make us wonder:

--quarantined=yes|no (seems to be talking about SID filtering, whereas 
the release notes always mention that NO filtering is done..?)

--create-location=LOCATION (we wonder what is to be created, locally or 
in both places)

So... many questions and so little to read... Pointers, ideas..?

Thanks in advance!

MJ
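Added example, not part of the original post or of Samba itself: a small parser for the samba-tool output quoted above, so that a monitoring job can flag a trust that was only created "half" (outgoing OK, incoming failing). The bit names are the MS-ADTS trustAttributes / trustDirection values; the sample text is the output from the post, embedded here as constructed input.

```python
import re

# Constructed sample input: the samba-tool output quoted in the post above.
SAMPLE_VALIDATE = r"""
OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com] CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS] TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
"""
SAMPLE_SHOW = """
Type:           0x2 (UPLEVEL)
Direction:      0x3 (BOTH)
Attributes:     0x4 (QUARANTINED_DOMAIN)
"""
# trustAttributes bits of a trusted-domain object (MS-ADTS); 0x4 is SID filtering.
TRUST_ATTRIBUTES = {
    0x1: "NON_TRANSITIVE", 0x2: "UPLEVEL_ONLY", 0x4: "QUARANTINED_DOMAIN",
    0x8: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION", 0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL", 0x80: "USES_RC4_ENCRYPTION",
}
DIRECTION = {1: "INBOUND", 2: "OUTBOUND", 3: "BOTH"}   # trustDirection values
FIELD_RE = re.compile(r"(\w+)\[([^\]]*)\]")             # NAME[value] tokens
CHECK_RE = re.compile(r"(OK|ERROR): (\w+): (.*)")        # status: CheckName: fields

def parse_validation(text):
    """Map each check (LocalValidation, RemoteValidation, ...) to its bracketed fields."""
    checks = {}
    for m in filter(None, map(CHECK_RE.match, text.splitlines())):
        status, name, rest = m.groups()
        checks[name] = {"ok": status == "OK", **dict(FIELD_RE.findall(rest))}
    return checks

def parse_show(text):
    """Collect 'Key:   value' lines of 'samba-tool domain trust show' into a dict."""
    kv = re.compile(r"\s*(\w+):\s+(\S+)")
    return {m.group(1): m.group(2) for m in map(kv.match, text.splitlines()) if m}

def decode_bits(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def assess_trust(validate_text, show_text):
    """Summarise trust health. A failed RemoteValidation with an empty DC[] means the
    remote DC found no logon server for our domain, so only one direction works."""
    checks, tdo = parse_validation(validate_text), parse_show(show_text)
    attrs = decode_bits(int(tdo.get("Attributes", "0x0"), 16), TRUST_ATTRIBUTES)
    findings = []
    if "QUARANTINED_DOMAIN" in attrs:
        findings.append("SID filtering (quarantine) is enabled on the local TDO")
    remote = checks.get("RemoteValidation")
    if remote and not remote["ok"] and remote.get("DC") == "":
        findings.append("remote DC located no logon server for us: " + remote["CONNECTION"])
    return {"direction": DIRECTION.get(int(tdo.get("Direction", "0"), 16)),
            "attributes": attrs, "findings": findings,
            "healthy": bool(checks) and all(c["ok"] for c in checks.values())}
```

Feed it the live output of `samba-tool domain trust validate` and `samba-tool domain trust show` and alert when `healthy` is false or `findings` is non-empty.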


