[Samba] status on samba trusts

Stefan Kania stefan at kania-online.de
Thu Feb 28 14:57:37 UTC 2019

Hi MJ,
Am 28.02.2019 15:31, schrieb mj via samba:
> Hi Stefan,
> Thanks for your input. I'll check the dns stuff. I put resolvers for
> both domains as primary and secondary on both machines, but I guess
> that's not good enough.
NO, it's not good enough ;-) Setting up a DNS-Proxy is real easy. Just a 
few lines :-).

> I'll look into setting up a (query logging) dns proxy, that should
> tell us at least who is asking what.
> Any chance to share that (german) article you wrote?
I'm not at home this week, but I will look if I find it on my notebook 
this evening.

> My german is not perfect, but good enough to understand a technical 
> article. :-)
> Thanks for responding!
> MJ
> On 2/27/19 9:43 PM, Stefan Kania via samba wrote:
>> Now I have a some time to answer, maybe a few of your questions.
>> Am 26.02.19 um 20:59 schrieb lists via samba:
>>> Hi,
>>> No replies unfortunately. Unsure why.
>> There are still a lot of questions open and I think a lot of things 
>> have
>> to be done.
>>> We searched the list, and we found little discussion on the subject 
>>> of
>>> trusts. We see occasional questions, but they are often left 
>>> unanswered,
>>> like this one.
>>> If someone could point us to some good up-to-date docs on trusts with
>>> samba then we would really appreciate it.
>>> We setup a test environment (one samba 4.9.4 testad2 AD, one native
>>> windows 2012 testad1 AD, and a win2012 testclient) to play with 
>>> trusts,
>>> but we have just so many questions, and there is so little material 
>>> (on
>>> trusts, specific to the combination with samba) to read.
>> Up to this point I did a few installations with two Samba4 Domains
>>> Both AD domains (testad1 / testad2) are on the same subnet, and my 
>>> test
>>> client can join both domains successfully.
>> Before you join the domain you should check if you can resolve the
>> SRV-Records of both domains from either side. For this the best thin 
>> is
>> to set up a DNS-Proxy between the two domains.
>>> The trust (from samba's side) succeeds 'half' with an error when
>>> validating the incoming trust at the end.
>> Most of the time it's a DNS-problem, so first check the SRV-Records
>>> Here are some outputs:
>>>> root at testad2dc:/var/log/samba# samba-tool domain trust create
>>>> TESTAD1.company.com  -U TESTAD1\\administrator
>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>> Password for [TESTAD1\administrator]:
>>>> RemoteDomain Netbios[TESTAD1] DNS[testad1.company.com]
>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>> Creating remote TDO.
>>>> Remote TDO created.
>>>> Setting supported encryption types on remote TDO.
>>>> Creating local TDO.
>>>> Local TDO created
>>>> Setting supported encryption types on local TDO.
>>>> Validating outgoing trust...
>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>> Validating incoming trust...
>>>> root at testad2dc:/var/log/samba# samba-tool domain trust validate 
>>>> testad1
>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>> LocalTDO Netbios[TESTAD1] DNS[testad1.company.com]
>>>> SID[S-1-5-21-2509583006-2398556320-3264531554]
>>>> OK: LocalValidation: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>> OK: LocalRediscover: DC[\\WIN-0ENAIPFH11A.testad1.company.com]
>>>> RemoteDC Netbios[WIN-0ENAIPFH11A]
>>>> DNS[WIN-0ENAIPFH11A.testad1.company.com]
>>>> ERROR: REMOTE_DC[WIN-0ENAIPFH11A.testad1.company.com]: failed to
>>>> connect netlogon server - ERROR(0xC0000034) - The object name is not
>>>> found.
>> Did you check the DNS?
>>>> root at testad2dc:/var/log/samba# samba-tool domain trust list
>>>> Type[External] Transitive[No]  Direction[BOTH]
>>>> Name[testad1.company.com]
>>>> root at testad2dc:/var/log/samba# samba-tool domain trust show testad1
>>>> LocalDomain Netbios[TESTAD2] DNS[testad2.company.com]
>>>> SID[S-1-5-21-1012147493-3366197983-1829854343]
>>>> TrustedDomain:
>>>> NetbiosName:    TESTAD1
>>>> DnsName:        testad1.company.com
>>>> SID:            S-1-5-21-2509583006-2398556320-3264531554
>>>> Type:           0x2 (UPLEVEL)
>>>> Direction:      0x3 (BOTH)
>>>> Attributes:     0x4 (QUARANTINED_DOMAIN)
>>>> PosixOffset:    0x00000000 (0)
>>>> kerb_EncTypes:  0x18 
>>>> (AES128_CTS_HMAC_SHA1_96,AES256_CTS_HMAC_SHA1_96)
>>>> root at testad2dc:/var/log/samba# wbinfo --online-status
>>>> BUILTIN : active connection
>>>> TESTAD2 : active connection
>>>> TESTAD1 : active connection
>>>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD1
>>>> root at testad2dc:/var/log/samba# wbinfo -u --domain=TESTAD2
>>>> TESTAD2\administrator
>>>> TESTAD2\guest
>>>> TESTAD2\krbtgt
>>>> TESTAD2\testuser
>>> On the windows 2012 testad1 side, we do NOT see the trust relation
>>> listed under "Active directory domains and trusts". Trusted remote 
>>> users
>>> are not shown with wbinfo.
>> wbinfo will NOT show you the users from the other domain, this is 
>> disabled.
>>> For the rest there are some options to the "samba-tool domain trust
>>> create" command that make us wonder:
>>> --quarantined=yes|no (seems to be talking about SID filtering, 
>>> whereas
>>> the release notes always mention that NO filtering is done..?)
>> you can set it but (at the moment) it's ignored ;-)
>>>   --create-location=LOCATION (we wonder what is to be created local 
>>> or on
>>> both places)
>>> So... many questions and so little to read... Pointers, ideas..?
>> The only way I used the trusts so far is setting up a full trust. I've
>> wrote an article in a german magazine about trusts. It's a little "how
>> to" to creat a working trust.
>>> Thanks in advance!
>>> MJ
>> If you set up a full forest-trust you can put users from any domain to
>> the other domain and set permissions on fileservers an use the 
>> resources.

Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre 
E-Mail. Weiter Informationen unter http://www.gnupg.org

Mein Schlüssel liegt auf


More information about the samba mailing list