[Samba] status on samba trusts

L.P.H. van Belle belle at bazuin.nl
Thu Feb 28 14:46:15 UTC 2019


Hai Maurik-Jan, 

Stefan's work can be found here, I'm reading it myself and it's really good. 

https://www.amazon.de/Samba-Das-Handbuch-für-Administratoren/dp/3446455914/ref=pd_sim_14_2/261-6894960-3522002?_encoding=UTF8&pd_rd_i=3446455914&pd_rd_r=7d58910c-3b66-11e9-9ce8-2950a399f43d&pd_rd_w=4AU6C&pd_rd_wg=dftoX&pf_rd_p=b0773d2f-6335-4e3d-8bed-091e22ee3de4&pf_rd_r=8AX19KSS51H8HTX0NG8F&psc=1&refRID=8AX19KSS51H8HTX0NG8F 
But all German. You're close to Germany, so it should not be a problem for you. 


> I'll look into setting up a (query logging) dns proxy, that should tell
> us at least who is asking what.
And... here you go, your bind logging for the proxy server. ;-) 

// when needed just include this file in the named.conf.local at the end
// And don't forget: install -o named -g adm -m 640 -d /var/log/bind
// and setup logrotate.

Just enable one or more of the categories below. 

logging {
        // general server messages (errors, warnings, startup, zone loads)
        channel bind_log {
                file "/var/log/bind/bind.log" versions 3 size 1m;
                severity info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };
        // one line per query: "who is asking what"
        channel query_log {
                file "/var/log/bind/query.log" size 1m;
                // Set the severity to dynamic to see all the debug messages.
                severity debug 3;
        };
        // dynamic DNS updates (the DCs register their SRV/A records this way)
        channel update_debug {
                file "/var/log/bind/update_debug.log" versions 3 size 100k;
                severity debug;
                print-severity  yes;
                print-time      yes;
        };
        // TSIG/ACL rejections and other security-related events
        channel security_info {
                file "/var/log/bind/security_info.log" versions 1 size 100k;
                severity info;
                print-severity  yes;
                print-time      yes;
        };
        // zone transfers in and out
        channel xfer_log {
                file "/var/log/bind/xfer.log" size 1m;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity info;
        };
        // messages that match no other category
        channel unmatched_log {
                file "/var/log/bind/unmatched.log" size 1m;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
                severity info;
        };

        // the default is to syslog
        //category default { default_syslog; default_debug; };

        category default { bind_log; };
        category lame-servers { null; };
        //category update { update_debug; };
        //category update-security { update_debug; };
        category security { security_info; };
        // uncomment to write every query to query_log
        //category queries { query_log; };
        //category unmatched { null; };
        //category xfer-in { xfer_log; };
        //category xfer-out { xfer_log; };
};



Greetings, 

Louis
 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Thursday, 28 February 2019 15:32
> To: samba at lists.samba.org
> Subject: Re: [Samba] status on samba trusts
> 
> Hi Stefan,
> 
> Thanks for your input. I'll check the dns stuff. I put resolvers for 
> both domains as primary and secondary on both machines, but I guess 
> that's not good enough.
> 
> I'll look into setting up a (query logging) dns proxy, that should tell
> us at least who is asking what.
> 
> Any chance to share that (german) article you wrote?
> 
> My german is not perfect, but good enough to understand a technical 
> article. :-)
> 
> Thanks for responding!
> 
> MJ
> 
> On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
> > Now I have some time to answer, maybe a few of your questions.
> > 
> > On 26.02.19 at 20:59, lists via samba wrote:
> >> Hi,
> >>
> >> No replies unfortunately. Unsure why.
> > There are still a lot of questions open and I think a lot of things have
> > to be done.
> >>
> >> We searched the list, and we found little discussion on the subject of
> >> trusts. We see occasional questions, but they are often left unanswered,
> >> like this one.
> >>
> >> If someone could point us to some good up-to-date docs on trusts with
> >> samba then we would really appreciate it.
> >>
> >> We setup a test environment (one samba 4.9.4 testad2 AD, one native
> >> windows 2012 testad1 AD, and a win2012 testclient) to play with trusts,
> >> but we have just so many questions, and there is so little material (on
> >> trusts, specific to the combination with samba) to read.
> > Up to this point I did a few installations with two Samba4 Domains
> >>
> >> Both AD domains (testad1 / testad2) are on the same subnet, and my test
> >> client can join both domains successfully.
> > Before you join the domain you should check if you can resolve the
> > SRV-Records of both domains from either side. For this the best thing is
> > to set up a DNS-Proxy between the two domains.
> >>
> >> The trust (from samba's side) succeeds 'half' with an error when
> >> validating the incoming trust at the end.
> > Most of the time it's a DNS-problem, so first check the SRV-Records
> >>
> >> Here are some outputs:
> >>
> >>> root at testad2dc:/var/log/samba# samba-tool domain trust create
> >>> TESTAD1.company.com  -U TESTAD1\\administrator
> >>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
> >>> SID[S-1-5-21-1012147493-3366197983-1829854343]
> >>> RemoteDC Netbios[WIN-0ENAIPFH11A]
> >>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
> >>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
> >>>
> >>> Password for [TESTAD1\administrator]:
> >>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
> >>> SID[S-1-5-21-2509583006-2398556320-3264531554]
> >>> Creating remote TDO.
> >>> Remote TDO created.
> >>> Setting supported encryption types on remote TDO.
> >>> Creating local TDO.
> >>> Local TDO created
> >>> Setting supported encryption types on local TDO.
> >>> Validating outgoing trust...
> >>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
> >>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
> >>> Validating incoming trust...
> >>> ERROR: RemoteValidation: DC[] CONNECTION[WERR_NO_LOGON_SERVERS]
> >>> TRUST[WERR_NO_LOGON_SERVERS] VERIFY_STATUS_RETURNED
> >>
> >>> root at testad2dc:/var/log/samba# samba-tool domain trust validate testad1
> >>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
> >>> SID[S-1-5-21-1012147493-3366197983-1829854343]
> >>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
> >>> SID[S-1-5-21-2509583006-2398556320-3264531554]
> >>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
> >>> CONNECTION[WERR_OK] TRUST[WERR_OK] VERIFY_STATUS_RETURNED
> >>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
> >>> CONNECTION[WERR_OK]
> >>> RemoteDC Netbios[WIN-0ENAIPFH11A]
> >>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
> >>> ServerType[PDC,GC,LDAP,DS,KDC,TIMESERV,CLOSEST,WRITABLE,GOOD_TIMESERV,FULL_SECRET_DOMAIN_6,ADS_WEB_SERVICE,DS_8]
> >>>
> >>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
> >>> connect netlogon server - ERROR(0xC0000034) - The object name is not
> >>> found.
> > Did you check the DNS?
> >>
> >>> root at testad2dc:/var/log/samba# samba-tool domain trust list
> >>> Type[External] Transitive[No]  Direction[BOTH]
> >>> Name[testad1.company.com]
> >>
> >>> root at testad2dc:/var/log/samba# samba-tool domain trust show testad1
> >>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
> >>> SID[S-1-5-21-1012147493-3366197983-1829854343]
> >>> TrustedDomain:
> >>
> >>> NetbiosName:    TESTAD1
> >>> DnsName:        testad1.company.com
> >>> SID:            S-1-5-21-2509583006-2398556320-3264531554
> >>> Type:           0x2 (UPLEVEL)
> >>> Direction:      0x3 (BOTH)
> >>> Attributes:     0x4 (QUARANTINED_DOMAIN)
> >>> PosixOffset:    0x00000000 (0)
> >>> kerb_EncTypes:  0x18 (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
> >>> root at testad2dc:/var/log/samba# wbinfo --online-status
> >>> BUILTIN : active connection
> >>> TESTAD2 : active connection
> >>> TESTAD1 : active connection
> >>
> >>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
> >>
> >>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
> >>> TESTAD2\administrator
> >>> TESTAD2\guest
> >>> TESTAD2\krbtgt
> >>> TESTAD2\testuser
> >>
> >> On the windows 2012 testad1 side, we do NOT see the trust relation
> >> listed under "Active directory domains and trusts". Trusted remote users
> >> are not shown with wbinfo.
> > wbinfo will NOT show you the users from the other domain, this is disabled.
> >>
> >> For the rest there are some options to the "samba-tool domain trust
> >> create" command that make us wonder:
> >>
> >> --quarantined=yes|no (seems to be talking about SID filtering, whereas
> >> the release notes always mention that NO filtering is done..?)
> > you can set it but (at the moment) it's ignored ;-)
> >>
> >>   --create-location=LOCATION (we wonder what is to be created local or on
> >> both places)
> >>
> >> So... many questions and so little to read... Pointers, ideas..?
> >>
> > The only way I used the trusts so far is setting up a full trust. I've
> > written an article in a German magazine about trusts. It's a little "how
> > to" to create a working trust.
> >> Thanks in advance!
> >>
> >> MJ
> >>
> > If you set up a full forest-trust you can put users from any domain to
> > the other domain and set permissions on fileservers and use the resources.
> > 
> > 
> > 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
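As an added example (not part of this post, the quoted replies, or the Samba project), here is a Python script that reads the lines BIND's `queries` category writes to the query_log channel in the named.conf snippet above and reports, per client, which DC-locator SRV names of each trust domain were looked up. It ties together Stefan's advice to verify the SRV records of both domains from either side and the query-logging DNS proxy MJ is setting up. The IP addresses, domain names and log lines in it are constructed sample data; the list of SRV names is the usual set of Active Directory DC-locator records, and the `@0x...` client handle in the regular expression is optional because only newer BIND releases print it.

```python
"""Summarise a BIND query log: which client asked for which AD SRV records.

Added example, not from the list post or the Samba project.  It parses the
lines the 'queries' category writes to the query_log channel (no print-time
and no print-category, exactly as that channel is configured) and reports,
per client, which Active Directory service-location names of each trust
domain were looked up.  All domains, IPs and log lines are constructed.
"""
import re
from collections import defaultdict

# The usual DC-locator SRV names a resolver must answer for a domain
# (Stefan's "check the SRV-Records of both domains from either side").
AD_SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.pdc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
)


def expected_ad_srv_names(domain):
    """Return the SRV names a DC of `domain` should be locatable under."""
    d = domain.rstrip(".").lower()
    return [t.format(d=d) for t in AD_SRV_TEMPLATES]


# A 'queries' category line as BIND 9 writes it.  The '@0x...' client handle
# only appears in newer releases, so it is optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]+)\)"
)


def parse_query_line(line):
    """Return the fields of one query log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec


def summarise(lines, trust_domains):
    """Map client IP -> {trust domain -> set of AD SRV names it asked for}.

    Every other query (non-SRV, or a name outside the expected set) is only
    counted per client, so noise stays visible without hiding the SRV checks.
    """
    wanted = {}
    for dom in trust_domains:
        for name in expected_ad_srv_names(dom):
            wanted[name] = dom.lower()
    seen = defaultdict(lambda: defaultdict(set))
    other = defaultdict(int)
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        if rec["qtype"] == "SRV" and rec["name"] in wanted:
            seen[rec["ip"]][wanted[rec["name"]]].add(rec["name"])
        else:
            other[rec["ip"]] += 1
    return {ip: dict(doms) for ip, doms in seen.items()}, dict(other)


def missing_srv_lookups(summary, client_ip, domain):
    """Expected SRV names of `domain` that `client_ip` never asked for."""
    asked = summary.get(client_ip, {}).get(domain.lower(), set())
    return [n for n in expected_ad_srv_names(domain) if n not in asked]


# Constructed sample lines: the Samba DC (10.0.0.2) looks up the Windows
# domain's DC-locator records, the Windows DC (10.0.0.1) only asks for an A
# record, a workstation asks for something unrelated, and one line is junk.
SAMPLE_LOG = """\
client @0x7f3c1c0a9d10 10.0.0.2#49152 (_ldap._tcp.dc._msdcs.testad1.company.com): query: _ldap._tcp.dc._msdcs.testad1.company.com IN SRV + (10.0.0.53)
client @0x7f3c1c0a9d10 10.0.0.2#49153 (_kerberos._tcp.dc._msdcs.testad1.company.com): query: _kerberos._tcp.dc._msdcs.testad1.company.com IN SRV + (10.0.0.53)
client 10.0.0.1#55001 (testad2.company.com): query: testad2.company.com IN A + (10.0.0.53)
client 10.0.0.7#61000 (www.example.net): query: www.example.net IN A +E (10.0.0.53)
this line is not a query log line at all
""".splitlines()

if __name__ == "__main__":
    summary, other = summarise(SAMPLE_LOG, ["testad1.company.com", "testad2.company.com"])
    for ip, doms in sorted(summary.items()):
        for dom, names in doms.items():
            print(f"{ip} asked {dom} for: {', '.join(sorted(names))}")
            print(f"  not yet seen: {missing_srv_lookups(summary, ip, dom)}")
    print("other queries per client:", other)
```

Run it against the real query.log once `category queries { query_log; };` is enabled; a DC that shows up with an empty or partial SRV set for the other domain, while its trust validation fails with WERR_NO_LOGON_SERVERS, has either the wrong resolver or a forwarder that never sees the `_msdcs` names.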



